September 16, 2014

Safari 6.0 released with fixes for security vulnerabilities

(LiveHacking.Com) – Apple has released Safari 6.0 as part of the launch of OS X 10.8 Mountain Lion. The new version of the Mac OS includes an updated version of Apple’s web browser, which has also been backported to OS X 10.7 Lion. As well as new features, Safari 6.0 addresses multiple security issues.

The fixes included in version 6.0 include:

  • A cross-site scripting issue existed in the handling of feed:// URLs. This update removes handling of feed:// URLs.
  • An access control issue existed in the handling of feed:// URLs. This update removes handling of feed:// URLs.
  • Password input elements with the autocomplete attribute set to “off” were being autocompleted. This update addresses the issue by improved handling of the autocomplete attribute.
  • An issue existed in Safari’s support for the ‘attachment’ value for the HTTP Content-Disposition header. This header is used by many websites to serve files that were uploaded to the site by a third-party, such as attachments in web-based e-mail applications. Any script in files served with this header value would run as if the file had been served inline, with full access to other resources on the origin server. This issue is addressed by downloading resources served with this header, rather than displaying them inline.
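The Content-Disposition bug above is a reminder that a server cannot rely on the attachment header alone to keep user uploads out of the application's origin. The following Python check is added here as an example, not code from Apple or from the article; it takes a response's headers and URL (all constructed values) and lists the defence-in-depth gaps a practitioner would look for: attachment disposition, nosniff, a CSP sandbox and a separate upload origin.

```python
"""Constructed example: audit how a server serves user-uploaded files.

A browser that renders an 'attachment' inline (the Safari 6.0 bug) gives any
script in the file the privileges of the serving origin, so each extra layer
checked here limits the damage if one layer fails.
"""
from urllib.parse import urlsplit


def parse_disposition(value):
    """Return (disposition-type, params) for a Content-Disposition value."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return parts[0].lower(), params


def assess_upload_response(headers, file_url, app_origin):
    """Return a list of findings for a response that serves an uploaded file.

    headers: dict of response header name -> value (matched case-insensitively).
    file_url: the URL the upload is served from.
    app_origin: origin of the main application, e.g. 'https://mail.example.com'.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    disp_type, _ = parse_disposition(h.get("content-disposition", "inline"))
    if disp_type != "attachment":
        findings.append("not served as attachment: content renders in page context")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "sandbox" not in h.get("content-security-policy", "").lower():
        findings.append("no CSP sandbox: inline-rendered script keeps origin privileges")
    u = urlsplit(file_url)
    if f"{u.scheme}://{u.netloc}".lower() == app_origin.lower():
        findings.append("upload served from the application origin")
    return findings
```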

Safari 6.0 uses the open source WebKit (which Apple created) as its rendering engine. WebKit contained multiple memory corruption issues which, if exploited, mean that visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. These issues are addressed through improved memory handling inside WebKit.

Many of the WebKit vulnerabilities have been previously fixed in Google’s Chrome web browser (which also uses WebKit), with many of the vulnerabilities being credited to the “Google Chrome Security Team” or to security researchers, such as Miaubiz, who receive rewards from Google for finding bugs. However, Apple did do its fair share of the work, with a good number of the WebKit vulnerabilities being discovered by Apple itself.

Safari 6.0 isn’t available for OS X 10.5 Snow Leopard, which has now been abandoned by Apple (leaving users with a 32-bit Intel Mac vulnerable). Also, at this time there is no news about Safari 6.0 for Windows.

Apple Updates Safari and Lion, Blocks Old Versions of Flash

(LiveHacking.Com) – Following the recent update of iOS, Apple has now applied a similar set of fixes to the desktop version of Safari as well as adding a new security measure which disables Adobe Flash Player if it is older than 10.1.102.64. At the same time Apple has also released an update to OS X Lion to fix the logging of passwords for FileVault and has updated a few key components like PHP and Samba.

Safari

Apple’s web browser is built around the WebKit layout engine, which Apple started (as a fork of KHTML) back in 2001. It is now used as the layout engine for Safari and for Google’s Chrome. As a result, when Google finds security vulnerabilities in Chrome that are due to WebKit, they often need fixing in Safari as well. The fixes in Safari 5.1.7 are all related to WebKit:

  • The first fix is for the cross site scripting issues that were used by Sergey Glazunov during Google’s Pwnium contest. Apple fixed the same issues recently in iOS 5.1.1. Details of the exact nature of Sergey’s exploit are still unavailable but it is known that WebKit doesn’t properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a “Universal XSS (UXSS)” issue.
  • The second fix, which also comes via Google, is a memory corruption issue. According to Apple, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • The third flaw to be repaired is a state tracking issue that existed in WebKit’s handling of forms. Due to this bug a maliciously crafted website may be able to populate form inputs on another website with arbitrary values.

As well as fixing these critical errors, Apple also added a new security feature which disables Adobe Flash Player if it is older than 10.1.102.64. It does this by moving the Flash files to a new directory. However, all is not lost, as the user is presented with the option to install an updated version of Flash Player from the Adobe website.

OS X Lion

Alongside the Safari release, Apple also released OS X Lion v10.7.4 and Security Update 2012-002 (for OS X Snow Leopard). The big ticket item in this update is the disabling of the debugging switch which meant that FileVault passwords were being written to a debug log in plain text. According to Apple, this issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. They also have a web page (http://support.apple.com/kb/TS4272) with more information about how to securely remove any remaining records.

Apple also fixed another FileVault issue where, due to a bug in the kernel’s handling of the sleep image (used for hibernation), some unencrypted data remained on the disk even when FileVault was enabled. This issue is addressed through improved handling of the sleep image. This issue does not affect systems prior to OS X Lion.

The update also upgrades (and/or fixes) different components of OS X including curl, HFS, ImageIO (where viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution), libpng, libarchive, libsecurity, libxml (multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution), PHP, QuickTime, Ruby and Samba.

PHP on OS X Lion v10.7 to v10.7.3 and OS X Lion Server v10.7 to v10.7.3 has been updated to version 5.3.10 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Samba has been updated to remove a nine-year-old vulnerability which allowed an unauthenticated remote attacker to cause a denial of service or execute arbitrary code with system privileges.

Address Bar Spoofing Vulnerability in Safari in iOS

(LiveHacking.Com) – David Vieira-Kurz of MajorSecurity has discovered an address bar spoofing vulnerability in the Safari web browser used in iOS. The vulnerability, which is actually in WebKit – the rendering engine used by mobile Safari – allows an attacker to manipulate the address bar in the browser and take the user to a malicious site with a fake (but genuine-looking) URL showing.

The vulnerability is caused by an error in the handling of URLs when using JavaScript’s window.open() method. This can be exploited to trick users into supplying sensitive information to a malicious web site, because the address bar shows the URL of a genuine and trusted site.

Proof of concept
David has created a special web page which demonstrates the vulnerability at http://majorsecurity.net/html5/ios51-demo.html

  1. Visit the PoC site with an Apple iOS device
  2. Click the “demo” button
  3. Safari will open a new window with “http://www.apple.com” in the address bar, but in fact the Apple web site is being displayed inside an iframe and the actual site is http://www.majorsecurity.net
  4. Safari’s address bar is showing “http://www.apple.com” which makes the user believe they are currently visiting Apple.com but in fact they are on another website.

The advisory says the vulnerability is present in iOS 5.0 and iOS 5.1 and that Apple have been informed. Our internal testing here at LiveHacking.com has shown that the vulnerability also exists in iOS 4.3.1 which could mean that all iOS 4 and iOS 5 devices are vulnerable.

Apple Includes iOS 5.1 WebKit Fixes in Safari

(LiveHacking.Com) – Apple recently released iOS 5.1 with over 60 fixes to WebKit, the web rendering engine used by the iPhone’s operating system. Now Apple has released an update to Safari (its web browser for Windows and Mac) with an almost identical set of fixes. One thing made very clear from this is that Apple is truly using the same code across the mobile and desktop versions of its Safari browser, and that vulnerabilities found by Google in its web browser often apply to Safari in iOS and on the desktop.

As with the iOS update, most (if not all) of these WebKit errors have been previously fixed in Google’s Chrome web browser, with many of the vulnerabilities being credited to the “Google Chrome Security Team” or to security researchers, such as Sergey Glazunov, who receive rewards from Google for finding bugs. However, Apple did do its fair share of the work, with a good portion of the WebKit vulnerabilities being discovered by Apple themselves.

The majority of the WebKit errors are described by Apple, in its security advisory, as memory corruption issues that can be exploited if the user visits a specially crafted web page. Rendering the page may lead to an unexpected application termination or arbitrary code execution. Other fixes included in Safari 5.1.4 include:

  • Look-alike characters in a URL could be used to masquerade a website. The International Domain Name (IDN) support in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This issue is addressed through an improved domain name validity check. This issue does not affect OS X systems.
  • Visiting a maliciously crafted website may lead to the disclosure of cookies. A cross-origin issue existed in WebKit, which may allow cookies to be disclosed across origins.
  • Visiting a maliciously crafted website and dragging content with the mouse may lead to a cross-site scripting attack. A cross-origin issue existed in WebKit, which may allow content to be dragged and dropped across origins.
  • Cookies may be set by third-party sites, even when Safari is configured to block them. An issue existed in the enforcement of Safari’s cookie policy. Third-party websites could set cookies if the “Block Cookies” preference in Safari was set to the default setting of “From third parties and advertisers”.
  • HTTP authentication credentials may be inadvertently disclosed to another site. If a site uses HTTP authentication and redirects to another site, the authentication credentials may be sent to the other site.
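The IDN fix in the first bullet is a domain-name validity check. As an added example (not Apple's implementation and not from the article), the Python function below flags a hostname label that mixes Unicode scripts, which is how a look-alike such as a Cyrillic “а” inside an otherwise Latin name is built; a whole-label single-script homograph would need a confusables table, which this simplified check does not include.

```python
"""Constructed example: detect mixed-script (look-alike) hostname labels.

Simplified check, not Apple's: the script of a character is approximated
from the first word of its Unicode name ("LATIN", "CYRILLIC", "GREEK", ...).
Digits and hyphens are script-neutral so "xn--" and "web2" are not flagged.
"""
import unicodedata


def script_of(ch):
    """Return an approximate script name for ch, or None if script-neutral."""
    if ch.isdigit() or ch == "-":
        return None
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split()[0]


def label_scripts(label):
    """Set of scripts used by the characters of one hostname label."""
    return {s for s in (script_of(c) for c in label) if s is not None}


def is_suspicious_hostname(hostname):
    """True if any non-ASCII label mixes scripts or is not in NFKC form.

    A label that changes under NFKC contains compatibility or decomposed
    characters that may render identically to a different string.
    """
    for label in hostname.lower().split("."):
        if label.isascii():
            continue
        if unicodedata.normalize("NFKC", label) != label:
            return True
        if len(label_scripts(label)) > 1:
            return True
    return False


def punycode(hostname):
    """ASCII (xn--) form of the hostname; what a safe UI shows for odd names."""
    return hostname.encode("idna").decode("ascii")
```

Showing the punycode form instead of the Unicode label is the usual fallback once a name fails such a check.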

Still Vulnerable?

What is currently unknown is if Safari is vulnerable to the two critical vulnerabilities found in Chrome last week during the CanSecWest security conference for which Google paid out over $120,000 to Sergey Glazunov and a researcher known as PinkiePie (aka PwniePie).

Download

Safari 5.1.4 is available to download, for Mac and Windows, from Apple’s Safari page.

New “Highly Critical” Windows 7 Vulnerability

(LiveHacking.Com) – Microsoft are investigating a new vulnerability in Windows 7 which causes a blue screen of death (BSoD). A “researcher” named webDEVIL posted to twitter that “<iframe height=’18082563′></iframe> causes a BSoD on win 7 x64 via Safari. Lol!”  Security company Secunia then posted an advisory rating the issue as “Highly critical” as the fault can lead to system compromise and successful exploitation does not require any user interaction.

The vulnerability is due to an error in win32k.sys and can be used to corrupt memory via a specially crafted web page. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges. It isn’t clear yet if an actual exploit exists or if this is just a potential hole to launch an attack.

“We are currently examining the issue and will take appropriate action to help ensure customers are protected,” Jerry Bryant, group manager of response communications for Microsoft’s Trustworthy Computing Group, said in a statement to SecurityWeek. The vulnerability is confirmed on a fully patched Windows 7 Professional 64-bit. Other versions may also be affected.

Security Updates for Safari

Apple has released versions 5.0.3 and 4.1.3 of its Internet browser Safari. The updates address several security vulnerabilities in the WebKit-based browser. The Safari updates fix more than 25 security holes in the browser’s open source WebKit rendering engine, most of them rated as critical.

Safari 5.0.3 & Safari 5.0.3 Windows update highlights:

  • More accurate Top Hit results in the Address Field
  • More accurate results in Top Sites
  • Fixes an issue that could cause content delivered with the Flash 10.1 plug-in to overlap web page content
  • More reliable pop-up blocking
  • Fixes an issue that affected playback of some videos shot or edited to include rotations and flips
  • Improved stability when typing into search and text input fields on www.netflix.com and www.facebook.com
  • Improved stability when using JavaScript-intensive extensions
  • Improved stability when using VoiceOver with Safari

For detailed information on the security content of this update, please visit this site: http://support.apple.com/kb/HT1222

Safari 5.0.3 is available to download for Mac OS X 10.5.8 Leopard, 10.6.2 Snow Leopard and Windows XP SP2 or later. Alternatively, Safari 4.1.3 is provided for users running Mac OS X 10.4.11 Tiger. Mac OS X users can upgrade to the latest release via the built-in Software Update function. All users are advised to upgrade to the latest release as soon as possible.