October 2, 2014

Apple Updates Safari and Lion, Blocks Old Versions of Flash

(LiveHacking.Com) – Following the recent update of iOS, Apple has now applied a similar set of fixes to the desktop version of Safari as well as adding a new security measure which disables Adobe Flash Player if it is older than 10.1.102.64. At the same time Apple has also released an update to OS X Lion to fix the logging of passwords for FileVault and has updated a few key components like PHP and Samba.

Safari

Apple’s web browser is built around the WebKit layout engine, which Apple started (as a fork of KHTML) back in 2001. It is now used as the layout engine for Safari and for Google’s Chrome. As a result, when Google finds security vulnerabilities in Chrome that are caused by WebKit, they often need fixing in Safari as well. The fixes in Safari 5.1.7 are all related to WebKit:

  • The first fix is for the cross site scripting issues that were used by Sergey Glazunov during Google’s Pwnium contest. Apple fixed the same issues recently in iOS 5.1.1. Details of the exact nature of Sergey’s exploit are still unavailable but it is known that WebKit doesn’t properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a “Universal XSS (UXSS)” issue.
  • The second fix, which also comes via Google, is a memory corruption issue. According to Apple, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • The third flaw to be repaired is a state tracking issue that existed in WebKit’s handling of forms. Due to this bug a maliciously crafted website may be able to populate form inputs on another website with arbitrary values.

As well as fixing these critical errors, Apple also added a new security feature which disables Adobe Flash Player if it is older than 10.1.102.64. It does this by moving the Flash files to a new directory. However, all is not lost, as the user is presented with the option to install an updated version of Flash Player from the Adobe website.

OS X Lion

Alongside the Safari release, Apple also released OS X Lion v10.7.4 and Security Update 2012-002 (for OS X Snow Leopard). The big ticket item in this update is the disabling of the debugging switch which meant that FileVault passwords were being written to a debug log in plain text. According to Apple, this issue only affects systems running OS X Lion v10.7.3 with users of Legacy FileVault and/or networked home directories. Apple also has a web page (http://support.apple.com/kb/TS4272) with more information about how to securely remove any remaining records.

Apple also fixed another FileVault issue where, due to a bug in the kernel’s handling of the sleep image (used for hibernation), some unencrypted data remained on the disk even when FileVault was enabled. This issue is addressed through improved handling of the sleep image. This issue does not affect systems prior to OS X Lion.

The update also upgrades (and/or fixes) different components of OS X including curl, HFS, ImageIO (where viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution), libpng, libarchive, libsecurity, libxml (multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution), PHP, QuickTime, Ruby and Samba.

PHP for OS X Lion v10.7 to v10.7.3 and OS X Lion Server v10.7 to v10.7.3 has been updated to version 5.3.10 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Samba has also been updated to remove a nine-year-old vulnerability which allowed an unauthenticated remote attacker to cause a denial of service or execute arbitrary code with system privileges.

iOS 5.1.1 Fixes Address Bar Spoofing Vulnerability and WebKit Bugs

(LiveHacking.Com) – Apple have released iOS 5.1.1 for the iPhone, iPad and iPod Touch to add improvements and bug fixes while fixing a number of critical security vulnerabilities.

The first vulnerability fixed is the address bar spoofing bug which we reported on back in March. David Vieira-Kurz of MajorSecurity discovered an address bar spoofing vulnerability in WebKit that allows an attacker to manipulate the address bar in the browser and take the user to a malicious site with a fake (but genuine looking) URL showing. The vulnerability is caused by an error in the handling of URLs when using JavaScript’s window.open() method.

The next vulnerability fixed by Apple is the cross-site scripting issue found by Sergey Glazunov that earned him $60,000 from Google under its Pwnium: rewards for exploits contest. Details of the exact nature of Sergey’s exploit are still unavailable but it is known that WebKit doesn’t properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a “Universal XSS (UXSS)” issue.

The final fix is also shrouded in mystery. CVE-2012-0672, which was found by Adam Barth and Abhishek Arya of the Google Chrome Security Team, is a memory corruption issue in WebKit that, if exploited, would allow an attacker to create a malicious website that could crash Safari or execute arbitrary code. However that is all that is known!

iOS 5.1.1 is available for the iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad and iPad 2.

OS X Lion FileVault Passwords Written to Debug Log in Plain Text

(LiveHacking.Com) – It has been discovered that the latest OS X Lion 10.7.3 update now logs the FileVault password in a system wide logfile readable by anyone with root or admin access. The problem is that the .3 update left a debugging option switched on which logs, in clear text, the FileVault passwords for every user who logged in since the update was applied.

According to David I. Emery, who disclosed his find on the Cryptome mailing list, “the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file.” The result is that an attacker could now break into encrypted partitions without any prior knowledge of the passwords used.

“One wonders why such a debug switch exists in shipped production code… clearly it could be invoked covertly in specific situations, this seems to be an example of someone turning it on for the entire release by accident,” he added. “Nobody breaks encryption by climbing the high walls in front … when the garden gate is open for millions of machines.”

ZDNet has found a post on the Apple Support Communities, where a user noticed the flaw three months ago:

I’ve tried it on another Mac as well, same result: The login of a normal network user writes this log line as his homedir gets mounted. This poses a security risk. We have some users who are local admins, they could ask another user to login on their Mac and look for the password afterwards. Extraction in single user mode would be possible as well. Is this a “speciality” of our environment or is this a known bug? Can I turn this behavior off?

Nobody got back to him.


Apple Releases Flashback Malware Removal Tool as Another Mac Trojan is Discovered

(LiveHacking.Com) – Apple has released a malware removal tool to seek out and remove common variants of the Flashback malware. The tool will look for the malware and if it is found it presents a dialog notifying the user that malware was removed. In some cases, the user will need to restart in order to completely remove the malware. The tool can be downloaded separately for users of OS X Lion who do not have Java installed or as part of a security update.

The security update provides the removal tool for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3 and OS X Lion Server v10.7.3. It also adds functionality to automatically deactivate the Java browser plugin and Java Web Start on OS X Lion systems that have not used Java for a period of 35 days or more. The update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time, it will again disable Java applets.

Meanwhile Sophos has discovered a new piece of malware, which it is calling Sabpab, that exploits the same Java vulnerability used by Flashback. Sabpab is a backdoor Trojan which connects to a command and control server to receive commands from the attackers. Sabpab can be commanded to make screenshots of the infected Mac, upload and download files, and execute commands remotely.

It looks like the Sabpab Trojan is not as widespread as Flashback and the release of the latest Java updates should thwart its spread – as long as Mac users update promptly!

“It’s time for Mac users to wake up and smell the coffee. Mac malware is becoming a genuine issue, and cannot be ignored any longer” said Sophos on its blog.

Apple Updates Java to Stop Mac Flashback Malware Which Exploits Java Concurrency Vulnerability

(LiveHacking.Com) – Almost six weeks after Oracle updated Java for the Windows platform, Apple has released the same Java fixes for Mac OS X 10.7 and 10.6. According to the security advisory, the update includes a fix for a serious vulnerability “which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.” This is of course referring to the Java concurrency vulnerability which is being used by the BlackHole exploit kit on Windows and the Flashback malware on OS X.

According to Apple, Macs can become infected with malware which exploits this bug just by visiting a web page containing a maliciously crafted untrusted Java applet. Since the vulnerability allows attackers to break out of the sandbox, Apple notes that this “may lead to arbitrary code execution with the privileges of the current user.”

Thankfully the update is available for OS X 10.6 Snow Leopard as well as 10.7 Lion. There were concerns that Apple would silently drop support for 10.6 as it has done for 10.5. OS X Leopard, as 10.5 was known, runs on Intel Macs, but Apple insists that users upgrade. Recently Apple dropped 10.6 as a viable platform for developing iOS applications when it didn’t release the iPad 3 SDK for that version. The full list of OS X versions supported by the update is: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, Lion Server v10.7.3.

Once you have updated, open Terminal and type “java -version” to check the Java version number; you should see “java version 1.6.0_31” if the upgrade was successful.
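A small script for the check just described, added here as an example and not taken from the article or from Apple: it parses the banner that “java -version” prints and compares it against the fixed build 1.6.0_31, padding each version component so that a later update such as 1.7.0_3 is not mistaken for an older one. The banner text used in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: check whether the Java reported by
# `java -version` is at least the fixed build 1.6.0_31 shipped in this update.

MIN_JAVA_VERSION="1.6.0_31"

# Convert "1.6.0_31" into a zero-padded key "0001.0006.0000.0031" so that a
# plain string comparison orders versions correctly (1.7.0_3 > 1.6.0_31).
java_version_key() {
    printf '%s\n' "$1" | tr '_' '.' | awk -F. '{
        for (i = 1; i <= 4; i++)
            printf("%04d%s", (i <= NF ? $i : 0), (i < 4 ? "." : ""))
        printf("\n")
    }'
}

# Pull the quoted version out of the banner text passed in $1, i.e. a line
# such as: java version "1.6.0_31"   (java -version writes this to stderr).
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Exit status 0 if the banner in $1 shows a version >= MIN_JAVA_VERSION,
# 1 if it is older, 2 if no version could be parsed (Java missing/disabled).
java_is_patched() {
    v=$(java_version_from_output "$1")
    [ -n "$v" ] || return 2
    have=$(java_version_key "$v")
    want=$(java_version_key "$MIN_JAVA_VERSION")
    # expr compares non-numeric strings lexically; the zero padding makes
    # that ordering correct for version keys.
    expr "$have" \>= "$want" >/dev/null
}

# Run the check against the Java actually installed on this machine.
check_installed_java() {
    banner=$(java -version 2>&1 || true)
    java_is_patched "$banner" && rc=0 || rc=$?
    case $rc in
        0) echo "OK: Java $(java_version_from_output "$banner") is at or above $MIN_JAVA_VERSION" ;;
        1) echo "OUTDATED: Java $(java_version_from_output "$banner") is below $MIN_JAVA_VERSION; install the update or disable Java" ;;
        *) echo "No Java version found in output; Java may not be installed" ;;
    esac
}

check_installed_java
```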

Since OS X 10.5 Leopard isn’t updated, its users should disable Java immediately. You can find instructions on how to do this here, and how to disable Java browser plugins can be seen in this short video.

This release updates Java to version 1.6.0_31, and Apple recommends that users read the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html for more information.

Mac Flashback Malware Updated to Exploit Java Concurrency Vulnerability

(LiveHacking.Com) – Following the news that various exploit kits for Windows (including BlackHole) have been updated to integrate exploits for the Java concurrency vulnerability (CVE-2012-0507), it is now being reported that the OS X specific malware known as Flashback has also been updated to exploit the same vulnerability. The vulnerability was fixed in Java Version 6 Update 31, or Java 7 Update 3, on Feb. 15, 2012, but only on the Windows platform. This left Mac users vulnerable.

The latest version of OS X (10.7 – Lion) doesn’t include Java by default; however, it can be downloaded and installed when needed. The last update Apple released for Java was in November 2011. Secondly, there is a portion of Mac users who have remained on OS X 10.6 Snow Leopard (which included Java by default). Apple has been quietly dropping support for 10.6 and it remains to be seen if any eventual Java updates include the older platform.

The exploit used by Flashback is based on a vulnerability in AtomicReferenceArray which allows the malware to disable the Java runtime sandbox mechanism. This is done by creating specially crafted serialized object data which, due to a logic error (and not a memory corruption), allows the attacker to run arbitrary code on the victim’s Mac. The exploit is very reliable.

Flashback, which is so named as the first variant was distributed as a fake Flash Player installer, uses Java vulnerabilities dating back to 2009 through 2011. But all the vulnerabilities have been previously patched, up until now that is. Now this latest variant can install itself on any Mac – even those with all the latest updates installed.

Although Oracle released the fix for the concurrency vulnerability back in February, Apple distributes its own self-compiled version of Java for Macs built from Oracle’s source code and subsequent patches. However, its release schedule is behind that of the Oracle builds for Java on Windows. It has long been said that this delay in shipping security related patches for Java on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms exactly that.

The best advice right now is for Mac users to disable Java completely unless it is absolutely necessary. You can find instructions on how to do this here.

Address Bar Spoofing Vulnerability in Safari in iOS

(LiveHacking.Com) – David Vieira-Kurz of MajorSecurity has discovered an address bar spoofing vulnerability in the Safari web browser used in iOS. The vulnerability, which is actually in WebKit – the rendering engine used on mobile Safari, allows an attacker to manipulate the address bar in the browser and take the user to a malicious site with a fake (but genuine looking) URL showing.

The vulnerability is caused by an error in the handling of URLs when using JavaScript’s window.open() method. This can be exploited to trick users into supplying sensitive information to a malicious web site, because the address bar shows the URL of a genuine and trusted site.

Proof of concept
David has created a special web page which demonstrates the vulnerability at http://majorsecurity.net/html5/ios51-demo.html

  1. Visit the POC site with an Apple iOS device
  2. Click the “demo” button
  3. Safari will open a new window with “http://www.apple.com” in the address bar, but in fact the Apple web site is being displayed inside an iframe and the actual site is http://www.majorsecurity.net
  4. Safari’s address bar is showing “http://www.apple.com” which makes the user believe they are currently visiting Apple.com but in fact they are on another website.

The advisory says the vulnerability is present in iOS 5.0 and iOS 5.1 and that Apple have been informed. Our internal testing here at LiveHacking.com has shown that the vulnerability also exists in iOS 4.3.1 which could mean that all iOS 4 and iOS 5 devices are vulnerable.
Apple Includes iOS 5.1 WebKit Fixes in Safari

(LiveHacking.Com) – Apple recently released iOS 5.1 with over 60 fixes to WebKit, the web rendering engine used by the iPhone’s operating system. Now Apple has released an update to Safari (its web browser for Windows and Mac) with an almost identical set of fixes. One thing made very clear by this is that Apple is truly using the same code across the mobile and desktop versions of its Safari browser, and that vulnerabilities found by Google in its web browser often apply to Safari in iOS and on the desktop.

As with the iOS update, most (if not all) of these WebKit errors have been previously fixed in Google’s Chrome web browser, with many of the vulnerabilities being credited to the “Google Chrome Security Team” or to security researchers, such as Sergey Glazunov, who receive rewards from Google for finding bugs. However, Apple did do its fair share of the work, with a good portion of the WebKit vulnerabilities being discovered by Apple itself.

The majority of the WebKit errors are described by Apple, in its security advisory, as memory corruption issues that can be exploited if the user visits a specially crafted web page. Rendering the page may lead to an unexpected application termination or arbitrary code execution. Other fixes included in Safari 5.1.4 include:

  • Look-alike characters in a URL could be used to masquerade a website. The International Domain Name (IDN) support in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This issue is addressed through an improved domain name validity check. This issue does not affect OS X systems.
  • Visiting a maliciously crafted website may lead to the disclosure of cookies. A cross-origin issue existed in WebKit, which may allow cookies to be disclosed across origins.
  • Visiting a maliciously crafted website and dragging content with the mouse may lead to a cross-site scripting attack. A cross-origin issue existed in WebKit, which may allow content to be dragged and dropped across origins.
  • Cookies may be set by third-party sites, even when Safari is configured to block them. An issue existed in the enforcement of Safari’s cookie policy. Third-party websites could set cookies if the “Block Cookies” preference in Safari was set to the default setting of “From third parties and advertisers”.
  • HTTP authentication credentials may be inadvertently disclosed to another site. If a site uses HTTP authentication and redirects to another site, the authentication credentials may be sent to the other site.

Still Vulnerable?

What is currently unknown is if Safari is vulnerable to the two critical vulnerabilities found in Chrome last week during the CanSecWest security conference for which Google paid out over $120,000 to Sergey Glazunov and a researcher known as PinkiePie (aka PwniePie).

Download

Safari 5.1.4 is available to download, for Mac and Windows, from Apple’s Safari page.

iOS 5.1 Fixes Mammoth Amount of Security Issues – Many in WebKit

(LiveHacking.Com) – Apple has released iOS 5.1 for the iPhone 3GS, 4 and 4S, the 3rd and 4th generation iPod touch, and all of its iPad models. As well as a few new features, this point release contains a slew of security related bug fixes. Over 90 individually identifiable vulnerabilities were fixed, the majority of which were in WebKit – the web browser rendering system used in Safari. These WebKit errors are mostly ones already fixed in Chrome, with the credit for the discovery of the vulnerabilities going to the “Google Chrome Security Team.” However, Apple hasn’t been sitting around doing nothing: a healthy portion of the WebKit errors were also discovered by Apple itself.

The WebKit errors are described by Apple, in its security advisory, as memory corruption issues that can be exploited if the user visits a specially crafted web page. Rendering the page may lead to an unexpected application termination or arbitrary code execution.

Besides WebKit, Apple fixed other bugs including a kernel logic issue in the handling of debug system calls that could allow a malicious program to gain code execution in other programs with the same user privileges, and a race condition in the handling of slide to dial gestures that could allow a person with physical access to the device to bypass the Passcode Lock screen.

Another lock screen issue fixed is related to Siri. If Siri was enabled for use on the lock screen, and Mail was open with a message selected behind the lock screen, a voice command could be used to send that message to an arbitrary recipient. This issue is addressed by disabling forwarding of active messages from the lock screen.

A non WebKit related error has been fixed in Safari’s Private Browsing mode. Safari’s Private Browsing is designed to prevent recording of a browsing session. Pages visited as a result of a site using the JavaScript methods pushState or replaceState were recorded in the browser history even when Private Browsing mode was active. This issue is addressed by not recording such visits when Private Browsing is active.

New Features

Besides support for the new iPad with the retina display, iOS 5.1 adds the following notable new features:

  • Images can now be removed manually from the Photo Stream in iCloud. Any photos deleted are now also removed from other iOS devices connected to iCloud.
  • Genius now available with iTunes Match.
  • Improved Location Services.
  • Support for Siri in Japanese.
  • New Lockscreen camera button – you no longer have to double tap home button, just swipe up to access the Camera app.
  • App Store download limit over 3G increased from 20 megabytes to 50 megabytes.
  • Face detection in Camera app now tags faces with green boxes.

Apple Releases Security Updates for OS X

(LiveHacking.Com) – Apple has released security updates for Apple OS X Lion 10.7 and Mac OS X Snow Leopard 10.6 to fix multiple vulnerabilities. These vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, and bypass security restrictions. The update is an amalgamation of recent security updates for several different components used by Apple (including Apache and PHP) along with fixes for Apple’s own code.

3rd Party

This release brings some of OS X’s third party components up to date including:

Apache: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Apache disabled the ‘empty fragment’ countermeasure which prevented these attacks. This issue is addressed by providing a configuration parameter to control the countermeasure and enabling it by default.

PHP is updated to version 5.3.8 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. However, it is worth noting that PHP 5.3.10 has since been released to fix the hash table collisions problem that affected all the popular Web programming languages (including PHP, ASP.NET, Ruby and Python).

SquirrelMail is updated to version 1.4.22 to address several vulnerabilities, the most serious of which is a cross-site scripting issue. This issue does not affect OS X Lion systems.

Tomcat is updated to version 6.0.33 to address multiple vulnerabilities, the most serious of which may lead to the disclosure of sensitive information. Tomcat is only provided on Mac OS X Server systems.

X11: A memory corruption issue existed in FreeType’s handling of Type 1 fonts. This issue is addressed by updating FreeType to version 2.4.7.

The update also revokes the trust for root certificates issued by DigiCert Malaysia. Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. Back in November it was discovered that DigiCert Malaysia had issued certificates with weak keys that it was unable to revoke.

Apple

Apple components that are updated include:

Address Book supports Secure Sockets Layer (SSL) for accessing CardDAV. A downgrade issue caused Address Book to attempt an unencrypted connection if an encrypted connection failed. An attacker in a privileged network position could abuse this behavior to intercept CardDAV data. This issue is addressed by not downgrading to an unencrypted connection without user approval.

CoreAudio: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of AAC encoded audio streams.

CoreMedia: A heap buffer overflow existed in CoreMedia’s handling of H.264 encoded movie files.

QuickTime has been updated to resolve several issues including:

  • Opening a maliciously crafted MP4 encoded file may lead to an unexpected application termination or arbitrary code execution. An uninitialized memory access issue existed in the handling of MP4 encoded files.
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. A signedness issue existed in the handling of font tables embedded in QuickTime movie files.
  • Viewing a maliciously crafted JPEG2000 image file may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of JPEG2000 files.
  • Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of PNG files.

Time Machine: The user may designate a remote AFP volume or Time Capsule to be used for Time Machine backups. Time Machine did not verify that the same device was being used for subsequent backup operations. An attacker who is able to spoof the remote volume could gain access to new backups created by the user’s system. This issue is addressed by verifying the unique identifier associated with a disk for backup operations.