February 5, 2012

Apple Releases iTunes 10.5.1 to Fix Man-in-the-middle Vulnerability

(LiveHacking.Com) - Apple has released iTunes 10.5.1 to fix a potentially dangerous man-in-the-middle vulnerability. According to the iTunes 10.5.1 security advisory, a hacker using a man-in-the-middle attack could offer software to end users that appears to originate from Apple. This of course would be a way to infect a computer with malware. The vulnerability exists in iTunes for Windows and for OS X.

iTunes periodically checks for software updates using an HTTP request to Apple. This request may cause iTunes to indicate that an update is available. If Apple Software Update for Windows is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user’s default browser. This issue has been mitigated by using a secured connection when checking for available updates. On OS X the user’s default browser is not used, because Apple Software Update is included with OS X; however, the change adds defense in depth there too.
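The mitigated design described above, as an added illustration that is not Apple's or iTunes' code: the check itself goes over TLS with certificate verification, and the download URL in the response is opened only if it is https and on an allow-listed host. The endpoint, host allow-list and JSON manifest layout are assumptions made for the example; the page does not describe Apple's real protocol.

```python
"""Hardened update-check client (added illustration, not Apple's code).
The update-check endpoint, host allow-list and JSON manifest layout below are
assumed for the example; Apple's real protocol is not described on this page.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

UPDATE_CHECK_URL = "https://updates.example.com/itunes/check"  # placeholder
ALLOWED_DOWNLOAD_HOSTS = {"updates.example.com", "downloads.example.com"}


class UpdateRejected(Exception):
    """Raised when the update check or the offered download URL fails validation."""


def validate_download_url(url, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS):
    """Accept the offered download URL only if it is https and on an allow-listed host.

    This is the check that was missing: with a plain-HTTP response an on-path
    attacker controls this URL, so the client must not open it blindly.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise UpdateRejected("download URL is not https: %s" % url)
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise UpdateRejected("download host is not allow-listed: %s" % host)
    if parts.username or parts.password:
        raise UpdateRejected("download URL embeds credentials")
    return url


def fetch_over_tls(url, timeout=10):
    """Fetch the update manifest; refuse plain HTTP and verify the server certificate."""
    if urlsplit(url).scheme.lower() != "https":
        raise UpdateRejected("update check must use https, got: %s" % url)
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


def parse_version(text):
    """'10.5.1' -> (10, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def check_for_update(installed_version, fetch=fetch_over_tls, url=UPDATE_CHECK_URL):
    """Return a validated download URL when a newer version is offered, else None."""
    manifest = json.loads(fetch(url))
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return None
    return validate_download_url(manifest["download_url"])


# Constructed sample manifests: one genuine, one as an on-path attacker might
# substitute it (bogus version number and a download URL under their control).
GENUINE_MANIFEST = json.dumps(
    {"version": "10.5.1", "download_url": "https://downloads.example.com/iTunes.exe"})
TAMPERED_MANIFEST = json.dumps(
    {"version": "99.0.0", "download_url": "http://attacker.example.net/iTunes.exe"})

if __name__ == "__main__":
    print("genuine:", check_for_update("10.5.0", fetch=lambda _u: GENUINE_MANIFEST))
    try:
        check_for_update("10.5.0", fetch=lambda _u: TAMPERED_MANIFEST)
    except UpdateRejected as err:
        print("tampered:", err)
```

The `fetch` parameter is injected so the validation logic can be exercised offline against the constructed manifests; in real use the default `fetch_over_tls` performs the network request.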

The vulnerability was reported to Apple by Francisco Amato of Infobyte Security Research.

iTunes 10.5.1, which is available for Mac OS X v10.5 or later, Windows 7, Vista and XP SP2 or later, also introduces iTunes Match. Announced earlier this year, this new service allows users to store their entire music library in iCloud, including music that has been imported from CDs.

 

Apple Releases iOS 5.0.1 To Kill Code-signing Bug

Apple has released iOS 5.0.1 for the iPhone, iPad and iPod Touch to fix half a dozen security vulnerabilities including the code-signing bug that Charlie Miller discovered recently and the iPad 2 smart cover bug.

A few days ago Charlie exposed a flaw in Apple’s code signing system, which ensures that only Apple-approved applications can run on an iPhone or iPad. If Apple hadn’t fixed this issue, it would have been possible for developers to upload apps to iTunes that could run new code on your phone that Apple never had a chance to check. This in turn would let malware into Apple’s tightly controlled ecosystem.

According to the security note issued by Apple, Charlie’s flaw was due to a logic error that existed in the mmap system call’s checking of valid flag combinations. This issue does not affect devices running iOS prior to version 4.3.

The other important fix in iOS 5.0.1 is the iPad smart cover bug. The problem was that when a Smart Cover is opened while an iPad 2 is confirming power off in the locked state, the iPad does not request a passcode.

Other things fixed in this release include:

  • Visiting a maliciously crafted website may lead to the disclosure of sensitive information. An issue existed in CFNetwork’s handling of maliciously crafted URLs. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could navigate to an incorrect server.
  • Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font.
  • An attacker with a privileged network position may intercept user credentials or other sensitive information. Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. DigiCert Malaysia has issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. This issue is addressed by configuring default system trust settings so that DigiCert Malaysia’s certificates are not trusted. We would like to acknowledge Bruce Morton of Entrust, Inc. for reporting this issue.
  • Visiting a maliciously crafted website may lead to the disclosure of sensitive information. An issue existed in libinfo’s handling of DNS name lookups. When resolving a maliciously crafted hostname, libinfo could return an incorrect result.

Apple also fixed non-security related bugs in iOS 5.0.1 including tweaks to extend the battery life of devices running the OS.

Apple Releases QuickTime 7.7.1 for Windows to Fix Vulnerabilities

(LiveHacking.Com) - Apple has released QuickTime 7.7.1 for Windows to fix multiple vulnerabilities that if exploited could allow an attacker to execute arbitrary code, cause a denial-of-service condition, or obtain sensitive information.

According to the security advisory, QuickTime 7.7.1 for Windows 7, Vista and XP fixes several issues which have either been fixed in OS X (with OS X Lion v10.7.2 or with Security Update 2011-006 for OS X v10.6 systems) or don’t affect Mac OS X systems.

The problems fixed are:

  • A buffer overflow existed in QuickTime’s handling of H.264 encoded movie files.
  • An uninitialized memory access issue existed in QuickTime’s handling of URL data handlers within movie files.
  • An implementation issue existed in QuickTime’s handling of the atom hierarchy within a movie file.
  • A cross-site scripting issue existed in QuickTime Player’s “Save for Web” export. The template HTML files generated by this feature referenced a script file from a non-encrypted origin. An attacker in a privileged network position may be able to inject malicious scripts in the local domain if the user views a template file locally. This issue is addressed by removing the reference to an online script.
  • A buffer overflow existed in QuickTime’s handling of FlashPix files.
  • A buffer overflow existed in QuickTime’s handling of FLIC files.
  • Multiple memory corruption issues existed in QuickTime’s handling of movie files.
  • An integer overflow issue existed in the handling of PICT files.
  • A signedness issue existed in the handling of font tables embedded in QuickTime movie files.
  • A buffer overflow issue existed in the handling of FLC encoded movie files.
  • An integer overflow issue existed in the handling of JPEG2000 encoded movie files.
  • A memory corruption issue existed in the handling of TKHD atoms in QuickTime movie files.

To exploit most of these vulnerabilities an attacker would need to create a specially crafted movie file and get the victim to watch it on their PC.
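The “Save for Web” item in the list above is a mixed-content problem: an exported template pulled a script from a plain-http origin, so an on-path attacker could rewrite that script and have it run in the local file's context. As an added example (not Apple's or QuickTime's code), this scanner flags every active reference in a generated HTML file that is not fetched over https; the sample template and hostnames in it are constructed for the illustration.

```python
"""Scanner for insecure active content in exported HTML (added illustration,
not Apple's code). Constructed sample input below stands in for a generated
"Save for Web" template; the hostnames in it are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which a page fetches content the browser will execute
# or apply. A plain-http reference here is what an on-path attacker rewrites.
ACTIVE_SOURCES = {
    "script": "src",
    "link": "href",  # only when rel="stylesheet", see below
    "iframe": "src",
    "object": "data",
    "embed": "src",
}


def classify(url):
    """Return 'http', 'protocol-relative' or None (https or local reference)."""
    url = url.strip()
    if url.startswith("//"):
        return "protocol-relative"  # inherits the embedding page's scheme
    if urlsplit(url).scheme.lower() == "http":
        return "http"
    return None


class InsecureRefFinder(HTMLParser):
    """Collects (tag, url, reason) for every active reference not served over https."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_SOURCES.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # <link> is only active when it pulls a stylesheet; icons etc. are inert.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs.get(attr_name)
        if url is None:
            return
        reason = classify(url)
        if reason is not None:
            self.findings.append((tag, url, reason))


def find_insecure_references(html_text):
    """Parse html_text and return the list of insecure active references."""
    parser = InsecureRefFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample: a template that mixes an https script, two plain-http
# references, an inert icon link, a local file and a protocol-relative embed.
SAMPLE_TEMPLATE = """<html><head>
<script src="http://cdn.example.com/player.js"></script>
<script src="https://cdn.example.com/player.js"></script>
<link rel="stylesheet" href="http://cdn.example.com/style.css">
<link rel="icon" href="http://cdn.example.com/favicon.ico">
<script src="player-local.js"></script>
</head><body><embed src="//cdn.example.com/movie.mov"></body></html>"""

if __name__ == "__main__":
    for tag, url, reason in find_insecure_references(SAMPLE_TEMPLATE):
        print("%-7s %-18s %s" % (tag, reason, url))
```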

Apple Releases Security Updates for Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4

(LiveHacking.Com) - With the launch of the much anticipated iOS 5, Apple has also issued a significant number of patches for a range of its products, including some of its iOS applications, its Safari web browser, OS X 10.7, OS X 10.6 (via Security Update 2011-006) and Apple TV.

The full list along with links to the Apple knowledge base is as follows:

  • HT4999 - iOS 5 Software Update
  • HT5000 - Safari 5.1.1
  • HT5001 - Apple TV 4.4
  • HT5002 - OS X Lion v10.7.2 and Security Update 2011-006
  • HT5003 - Pages for iOS v1.5
  • HT5004 - Numbers for iOS v1.5

iOS 5
Apple are emphasizing the 200 new features in iOS 5, but it also contains multiple security fixes. Most of these are found in WebKit, the HTML rendering engine at the heart of iOS’s version of Safari. Many of the issues fixed in Safari 5.1.1 are common with those in iOS 5; however, the Safari 5.1.1 list is shorter due to the more frequent releases of Safari for the desktop.

Other iOS 5 fixes of interest include:

  • A user’s AppleID password and username were logged to a file that was readable by applications on the system. This is resolved by no longer logging these credentials.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization.
  • Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font.
  • Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. A buffer overflow existed in libTIFF’s handling of CCITT Group 4 encoded TIFF images.

Safari 5.1.1
Along with the long list of WebKit fixes, some of which are common with the fixes in iOS 5 and iTunes 10.5, there are several fixes for bugs that allowed arbitrary code execution or a cross-site scripting attack if the user visited a maliciously crafted website.

Apple also say that JavaScript performance has been improved up to 13% over Safari 5.1.

OS X Lion v10.7.2 and Security Update 2011-006
The update to Lion and the release of Security Update 2011-006 (which is available for OS X 10.6.8) fixes a number of problems including:

  • Apache is updated to version 2.2.20 to address several vulnerabilities, the most serious of which may lead to a denial of service.
  • Executing a binary with a maliciously crafted name may lead to arbitrary code execution with elevated privileges. A format string vulnerability existed in Application Firewall’s debug logging.
  • Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. An out of bounds memory access issue existed in ATS’ handling of Type 1 fonts. This issue does not affect OS X Lion systems.
  • OS X 10.7: Multiple denial of service issues existed in BIND 9.7.3. These issues are addressed by updating BIND to version 9.7.3-P3.
  • OS X 10.6: Multiple denial of service issues existed in BIND. These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.
  • Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization. This issue does not affect OS X Lion systems. This update addresses the issue through improved bounds checking.
  • Several updates for PHP, Python, Postfix and QuickTime.

Pages and Numbers for iOS
Due to buffer overflow and memory corruption issues, opening a maliciously crafted Microsoft Word or Excel document may lead to an unexpected application termination or arbitrary code execution.

Apple Releases iTunes 10.5 With Support for iOS 5 and Fixes for Multiple Vulnerabilities

(LiveHacking.Com) – Apple has released iTunes 10.5 in preparation for the imminent release of iOS 5. Along with support for iCloud and wireless syncing, iTunes 10.5 contains a large number of security related fixes for the Windows version. The OS X version contains all the new features but not the security fixes, as Apple is planning to release a separate system-wide update for OS X to address these vulnerabilities, although some have already been addressed in previous Apple security updates.

The update fixes 79 vulnerabilities of which 73 are within WebKit, the HTML rendering engine found in Safari and Google Chrome, which Apple also uses to power iTunes. Since fixes are also applied to WebKit via Google’s Vulnerability Rewards Program, names like Sergey Glazunov (famous for his work on Chrome) also appear in the list of contributors.

Other than the WebKit fixes, the following vulnerabilities were patched:

  • A memory corruption issue existed in the handling of string tokenization. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.
  • An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.
  • A buffer overflow existed in the handling of audio streams encoded with Advanced Audio Coding (AAC). This issue does not affect OS X Lion systems.
  • A buffer overflow existed in the handling of H.264 encoded movie files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.
  • A heap buffer overflow existed in ImageIO’s handling of TIFF images. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
  • A reentrancy issue existed in ImageIO’s handling of TIFF images. This issue does not affect Mac OS X systems.

Apple Releases QuickTime 7.7 to Address Multiple Vulnerabilities

(LiveHacking.Com) – Apple has released QuickTime 7.7 for Mac OS X v10.5.8, Windows 7, Vista and XP SP2 or later. QuickTime 7.7 closes several holes that could allow maliciously crafted images, audio files and movies to crash the program or execute unauthorized code.

According to Apple’s knowledge base article the problems resolved are:

  • A buffer overflow existed in QuickTime’s handling of PICT files. Viewing a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect OS X Lion systems.
  • Multiple memory corruption issues existed in QuickTime’s handling of JPEG2000 images. Viewing a maliciously crafted JPEG2000 image with QuickTime may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This issue does not affect OS X Lion systems.
  • A cross-origin issue existed in QuickTime plug-in’s handling of cross-site redirects. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross-site redirects. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This issue does not affect OS X Lion systems.
  • An integer overflow existed in QuickTime’s handling of RIFF WAV files. Playing a maliciously crafted WAV file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect OS X Lion systems.
  • A memory corruption issue existed in QuickTime’s handling of sample tables in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect OS X Lion systems.
  • An integer overflow existed in QuickTime’s handling of audio channels in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect OS X Lion systems.
  • A buffer overflow existed in QuickTime’s handling of JPEG files. Viewing a maliciously crafted JPEG file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect OS X Lion systems.
  • A heap buffer overflow existed in QuickTime’s handling of GIF images. Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems.
  • Multiple stack buffer overflows existed in the handling of H.264 encoded movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. These issues do not affect Mac OS X systems.
  • A stack buffer overflow existed in the QuickTime ActiveX control’s handling of QTL files. Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems.
  • A heap buffer overflow existed in the handling of STSC atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.
  • A heap buffer overflow existed in the handling of STSS atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.
  • A heap buffer overflow existed in the handling of STSZ atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.
  • A heap buffer overflow existed in the handling of STTS atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.

Apple Updates OS X, Safari and iOS

Microsoft released a bumper set of security fixes on Tuesday and today it was Apple’s turn with fixes for OS X, Safari and iOS. The update for OS X was to block the fraudulent SSL certificates stolen from Comodo (better late than never), Safari 5.0.5 fixes two vulnerabilities in WebKit and iOS has been updated to 4.3.2 to block the stolen Comodo certificates and to fix other vulnerabilities.

Security Update 2011-002 applies to Mac OS X v10.5.8 and Mac OS X v10.6.7 and does nothing other than blacklist the fraudulent Comodo certificates.

Safari has been updated to 5.0.5 for Mac OS X v10.5.8, Mac OS X v10.6.5 or later, Windows 7, Vista and XP. Two vulnerabilities have been fixed in WebKit:

  • An integer overflow issue existed in the handling of nodesets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • A use after free issue existed in the handling of text nodes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

iOS 4.3.2 fixes the same two flaws listed above (as Safari on the desktop shares a lot of code with the Safari built into iOS), blocks the Comodo certificates and fixes a vulnerability in libxslt and one in QuickLook:

  • libxslt’s implementation of the generate-id() XPath function disclosed the address of a heap buffer. Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap, which may aid in bypassing address space layout randomization protection. This issue is addressed by generating an ID based on the difference between the addresses of two heap buffers.
  • A memory corruption issue existed in QuickLook’s handling of Microsoft Office files. Viewing a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution.

The latter problem is likely to be the one used by Charlie Miller at this year’s Pwn2Own contest.

Apple Releases OS X 10.6.7 And Fixes Pwn2Own Vulnerability

Apple has released OS X 10.6.7, a maintenance release of the “Snow Leopard” Mac operating system, and a security update for OS X Leopard (10.5). On the security front, 10.6.7 and Security Update 2011-001 for 10.5 essentially deal with the same issues. OS X 10.6.7 also adds some minor new functionality to OS X Snow Leopard.

At the heart of these updates are patches for the vulnerabilities recently demonstrated at Pwn2Own, the annual hacking contest where the winners receive the device/computer that they successfully hacked and a cash prize. During this year’s contest (held in early March) Charlie Miller used an exploit in the iPhone 4’s built-in Safari browser to surf to a specially created web site hosting a Microsoft PowerPoint document. Opening the document allowed Miller to hijack the iPhone. However, it has now been revealed that this vulnerability was not limited to iOS but also exists in OS X.

The full list of security fixes in 10.6.7 is quite long but the highlights are:

  • AirPort – When connected to Wi-Fi, an attacker on the same network may be able to cause a system reset
  • Apache is updated to version 2.2.17 to address several vulnerabilities, the most serious of which may lead to a denial of service
  • CoreText – Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution
  • HFS – A local user may be able to read arbitrary files from an HFS, HFS+, or HFS+J filesystem
  • ImageIO – Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  • ImageIO – Viewing a maliciously crafted image may result in an unexpected application termination or arbitrary code execution
  • Kernel – A local user may be able to execute arbitrary code with system privileges
  • PHP is updated to version 5.3.4 (5.2.14 on OS X 10.5) to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution
  • QuickLook – Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution

10.6.7 also adds some minor improvements / features including:

  • Includes Safari 5.0.4.
  • Includes RAW image compatibility for additional digital cameras.
  • Improves brightness on external displays and projectors.
  • Includes the ability to repair certain issues that may prevent hardware RAID volumes from mounting.

Apple Releases Safari 5.0.4 – Fixes Multiple Vulnerabilities

Apple has released Safari 5.0.4 to address multiple vulnerabilities in the ImageIO, libxml, and WebKit packages. These vulnerabilities could allow hackers to make malicious web pages which in turn could lead to an unexpected application termination or arbitrary code execution.

According to the update information provided by Apple via their software update tool, the following things have also been fixed or improved in 5.0.4:

  • Improved stability for web pages with multiple instances of plug-in content
  • Improved compatibility with web pages with image reflections and transition effects
  • A fix for an issue that could cause some web pages to print with incorrect layouts
  • A fix for an issue that could cause content to display incorrectly on web pages with plug-ins
  • A fix for an issue that could cause a Screen Saver to appear while video is playing in Safari
  • Improved compatibility with VoiceOver on web pages with text input areas and lists with selectable items
  • Improved stability when using VoiceOver

Safari 5.0.4 is available across all supported platforms: OS X 10.6 Snow Leopard, OS X 10.5 Leopard and Windows (XP, Vista and 7). The update is available via the Apple Software update tool and Apple’s Safari page.

Apple have released further information about the security fixes in 5.0.4 here.

Apple updates Java for OS X 10.5 and 10.6

Apple has released Java for Mac OS X 10.5 Update 9 and Java for Mac OS X 10.6 Update 4. The updates effectively upgrade J2SE 5.0 to update 28 (Java 1.5.0_28) and Java SE 6 to update 24 (Java 1.6.0_24).

Multiple vulnerabilities exist in J2SE 5.0 update 26 (Java 1.5.0_26) and Java SE 6 update 22 (Java 1.6.0_22), the most serious of which may allow an untrusted Java applet to execute arbitrary code outside of the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are fixed in Java version 1.5.0_28 and 1.6.0_24.

Oracle previously released these updates for Java in February and these Apple updates are a result of these fixes trickling down to the official OS X release.

Apple have officially deprecated the Apple port of Java to OS X and have told developers to “not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X”.

However they have (together with Oracle) announced the OpenJDK project for Mac OS X and that “Apple will contribute most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X, including a 32-bit and 64-bit HotSpot-based Java virtual machine, class libraries, a networking stack and the foundation for a new graphical client.”