April 19, 2014

New digitally signed malware targets Mac users

os x mavericks desktopA new piece of digitally signed malware that targets Mac users has been discovered. The new malware, which has been dubbed OSX/LaoShu-A by Sophos and is considered as bot, is being used in an “undelivered courier item” email campaign which tries to trick users into downloading the malware as they try to see the description of an alleged undelivered parcel.

In this particular case the email explains that the undelivered item contained some documents which have been scanned and are waiting for the user to inspect them. A link is provided which takes the unsuspecting user to a fake courier website (often a clone of a real courier website like FedEx or DHL) and then proceeds to download an attachment. If the malicious website detects that the web browser is running on Windows then a piece of malware called Mal/VBCheMan-C is downloaded.

However for Mac users a .zip file is downloaded containing an application that looks like a PDF document. OS X will automatically unzip the file and leave the application in the Downloads folder. The app icon has been intentionally given the PDF icon to trick users into thinking it is a PDF document. However when clicked it will install the malware. Because the application is digitally signed OS X won’t produce a warning about the application coming from an unknown source, but rather it will only warn the user that it has been downloaded from the Internet. Although the warning does actually say “application” rather than “document” the dialog offers the user two possibilities to Cancel or to Open. The use  of the word Open by Apple rather than Run can leave the user with the impression that they are opening a document.

According to Sophos OSX/LaoShu-A is a bot and takes commands from a C&C server, however its main function appear to be data stealing as it will search for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX and try to upload them to the C&C server. However it can also download new program files and execute shell commands which means it will basically be able to do whatever the attackers tell it to do.

In conclusion, don’t click on random links in unsolicited emails especially those with good link bait like the undelivered courier item emails.

Apple releases new versions of Safari to fix critical vulnerabilities

safari-logoApple has released new versions of Safari 6.1 and Safari 7.0 for Mac OS X to fix critical vulnerabilities. If exploited these vulnerabilities could lead to arbitrary code execution. The bugs fixed fall into two categories, those with Safari itself and those in the WebKit HTML rendering engine.

In Safari itself Apple has fixed one vulnerability which allowed hackers to create a site where Safari autofilled various user credentials unexpectedly. This could have led to unwanted information disclosure. According to Apple, ” Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking.”

The other fixes where for WebKit. Because of the vulnerabilities, a visit to a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution. This was due to multiple memory corruption issues which were addressed through improved memory handling.

More details of the security content of Safari 6.1.1 and Safari 7.0.1 can be found here. Safari 6.1.1 and Safari 7.0.1 are available for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.

Apple has also released an update to its latest iteration of OS X.

Apple recommends that all 10.9 users apply the OS X Mavericks v10.9.1 update. The update includes Safari 7.0.1 but doesn’t fix any other security issues in OS X. There are other bug fixes and enhancements which include:

  • Improved support for Gmail in OS X Mail, and fixes for users with custom Gmail settings Improves the reliability of Smart Mailboxes and search in Mail
  • Fixes an issue that prevented contact groups from working properly in Mail
  • Fixes an issue that prevented iLife and iWork apps from updating on non-English systems
  • Addresses an issue that may cause multiple prompts to unlock “Local items” keychain

More details about the security content of OS X Mavericks v10.9.1 can be found here.

Apple releases huge set of updates on back of new iPad announcements

Apple-logoApple has released a new slew of products in the run up to the holiday season including the new iPad Air, the iPad mini with a Retina display, the radically designed Mac Pro and an updated MacBook Pro. Along with these products Apple also released OS X 10.9 Mavericks which addresses some significant security vulnerabilities in OS X. Apple also released updates for iOS, OS X Server, Safari and iTunes.

OS X

Over 50 different security related bugs (with individual CVE designations) have been fixed. The most interesting of these include:

  • A fix to enable TLS 1.2 for CIFS networking as SSLv3 and TLS 1.0 are subject to a protocol weakness when using block ciphers. According to Apple, a man-in-the-middle attacker could have injected invalid data, causing the connection to close but revealing some information about the previous data. If the same connection was attempted repeatedly the attacker may eventually have been able to decrypt the data being sent, such as a password.
  • Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This was due to a buffer underflow in the handling of PDF files.
  • A malicious local application could cause a crash in the Bluetooth subsystem which could potentially be exploited. The problem was that the Bluetooth USB host controller was deleting interfaces too early.
  •  By registering for a hotkey event, an unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled.

The Darwin kernel was also updated to fix a variety of problems that in some cases could force a kernel panic. These included:

  • Use of SHA-2 digest functions in the kernel may result in an unexpected system termination. This bug revolved around an incorrect output length that was used for the SHA-2 family of digest functions. It resulted in a kernel panic when these functions were used, primarily during IPSec connections.
  • The kernel random number generator would hold a lock while satisfying a request from userspace, allowing a local user to make a large request and hold the lock for long periods of time, denying service to other users of the random number generator. This issue was addressed by releasing and reacquiring the lock for large requests more frequently.
  • The kernel would panic when an invalid user-supplied iovec structure was detected. This issue was addressed through improved validation of iovec structures.
  • Unprivileged processes may be able to cause an unexpected system termination or arbitrary code execution in the kernel.
  • Source specific multicast program may cause an unexpected system termination when using Wi-Fi network
  • An attacker on a local network can send specially crafted IPv6 ICMP packets and cause high CPU load. The issue was addressed by rate limiting ICMP packets before verifying their
  • checksum.
  • An integer truncation issue existed in the kernel socket interface, which could be leveraged to force the CPU into an infinite loop. The issue was addressed by using a larger sized variable.

Lots of third party applications where also updated including Curl, dyld, OpenLDAP, Perl, Python and Ruby.

iOS 7

iOS 7.0.3 is also now available and addresses more passcode and lock screen related problems:

  • A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped while a notification was being swiped and while the camera pane was partly visible. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed.
  • When returning to the passcode lock from the Phone app, the passcode entry view is sometimes visible when it should not be, and so may be accessed even if the iPhone has been disabled due to many incorrect passcode attempts.
  • A person with physical access to the device may be able to call arbitrary contacts because of a race conditions in the Phone app at the lock screen. Under various circumstances, the Phone app may allow access to the Contacts pane.

Safari 6.1

While OS X 10.9 includes the latest iteration of Apple’s web browser (Safari 7), Apple has also updated Safari 6 for OS X Lion v10.7.5, OS X Lion Server v10.7.5, and OS X Mountain Lion v10.8.5. Safari 6.1 fixes a number of problems most of them within WebKit, the rendering engine used by Apple and Google. Many of the bugs listed were previously fixed by Google in Chrome.

  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This was due to a memory corruption in the handling of
  • XML files.
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution, this time due to multiple memory corruption in WebKit.
  • An information disclosure issue existed in XSSAuditor. This issue was addressed through improved handling of URLs.
  • Dragging or pasting a selection may lead to a cross-site scripting attack. By dragging or pasting a selection from one site to another a user could allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation.
  • Using the Web Inspector disabled Private Browsing.
  • A cross-site scripting issue existed in the handling of URLs. This issue was addressed through improved origin tracking.

OS X Server 3.0, iTunes and Apple Remote Desktop

Apple also released OS X Server 3.0 which addressed a number of security vulnerabilities including  a buffer overflow that existed in FreeRADIUS when parsing the ‘not after’ timestamp in a client certificate, when using TLS-based EAP methods. As a result of this, a remote attacker may have been able to cause a denial of service or arbitrary code execution.

Apple released two new versions of it Remote Desktop software, v3.7 and v3.5.4. Both versions fix the same security related bugs, the most severe of which could allow a remote attacker to execute arbitrary code because of a format string vulnerability in the handling of the VNC username.

Windows users also get an update in the form of iTunes 11.1.2. Several different errors are fixed, most are related to WebKit and are similar to the ones fixed in Safari 6.1.

More information about all of Apple’s security related updates can be found at http://support.apple.com/kb/HT1222

Oracles releases critical security update for Java, Apple follows suit

java-square(LiveHacking.Com) – Oracle has released a critical patch update for Java that address at least 40 security vulnerabilities, 37 of which may be remotely exploitable without authentication, meaning they can be exploited over a network without the need for a username and password.

The new version of Java is Java 7 update 25 and it is the recommend upgrade for all users using Java 7 Update 21 and earlier; Java 6 Update 45 and earlier; and Java 5.0 Update 45 and earlier. It seems that Oracle has is no longer shipping updates for Java 6, however Apple has released a security advisory about Java for OS X 2013-004 and Mac OS X v10.6 Update 16.

In its advisory Apple recommend that OS X 10.6 users update to Java version 1.6 update 51 to address multiple vulnerabilities in Java 1.6 update 45. According to Apple Java 6 update 45 has bugs which allow “an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.” This means that Java 6 has been updates but is only available for OS X 10.6 users.

It is important that you apply this Java updates as soon as possible. Research from Websense has revealed that over 90% of users don’t update their Java versions in a timely manner.

Java is prone to security vulnerabilities and it is recommended, even after applying the latest patches, that users disable Java in the browser completely. If you don’t need Java (which you likely don’t), you should strongly consider removing Java completely from your machines.

Apple updates OS X and Safari to fix critical security issues

(LiveHacking.Com) – Apple has released updates for Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.3 to fix a range of Apple-logoCritical security vulnerabilities including a fix for an error that could allow a remote attacker to execute arbitrary code with system privileges on Macs with Directory Service enabled. At the same time Apple has also released Safari 6.0.5. The new release of the web browser, which is also included in OS X Mountain Lion v10.8.4, fixes a range of WebKit errors many of which have been previously fixed in Google Chrome.

Mac OS X

Several different security related bugs gave been fixed in OS X. Among them was an unbounded stack allocation issue that existed in the handling of text glyphs. It could be exploited by visiting a maliciously crafted site and may lead to an unexpected application termination or arbitrary code execution. The Directory Services vulnerability only applies to OS X 10.6. A remote attacker could execute arbitrary code with system privileges on Macs with Directory Service enabled due to an error with the way the directory server handled certain messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges.

There were also several fixes for OpenSSL. There are known attacks on the confidentiality of TLS 1.0 when compression was enabled. To address this Apple has disabled compression in OpenSSL. Also OpenSSL was updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key.

Other fixes include:

  • An attacker with access to a user’s session may be able to log into previously accessed sites, even if Private Browsing was used
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • A local user in the lpadmin group may be able to read or write arbitrary files with system privileges
  • A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication.
  • Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted QTIF file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted FPX file may lead to an unexpected application termination or arbitrary code execution
  • Playing a maliciously crafted MP3 file may lead to an unexpected application termination or arbitrary code execution

Also Multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18.

It is worth noting that starting with OS X 10.8.4, Java Web Start (i.e. JNLP) applications downloaded from the Internet need to be signed with
a Developer ID certificate.

Safari

All the fixes in the new release of Safari are related to WebKit as follows:

  • Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • A cross-site scripting issue existed in the handling of iframes. This issue was addressed through improved origin tracking.
  • A cross-site scripting issue existed in the handling of copied and pasted data in HTML documents. This issue was addressed through additional validation of pasted content.
  • XSS Auditor may rewrite URLs to prevent cross-site scripting attacks. This may lead to a malicious alteration of the behavior of a form submission. This issue was addressed through improved validation of URLs.

More information about the security content of Safari 6.0.5 can be found here.

Oracle updates Java, as does Apple

java-square(LiveHacking.Com) – Oracle has released a Critical Patch Update (CPU) for Java SE. The update, which affects Java 5, Java 6 and Java 7,  fixes 42 vulnerabilities within Java, the vast majority of which have been rated as the Critical.

Besides the fixes, the biggest change is to the Java security dialogs. Now JavaScript code that calls code within a privileged applet triggers warning dialogs if the signed JAR files are not tagged with the Trusted-Library attribute.

“The JDK 7u21 release enables users to make more informed decisions before running Rich Internet Applications (RIAs) by prompting users for permissions before an RIA is run. These permission dialogs include information on the certificate used to sign the application, the location of the application, and the level of access that the application requests,” said Oracle.

According to Oracle Executive Vice President Hasan Rizvi not all the known Java problems have been fixed, but there are no unpatched vulnerabilities that are being actively exploited in the wild.

Java has been prone to security vulnerabilities in the last few years and earlier this year a global hacking campaign managed to infected computers inside hundreds of companies, including Facebook, Apple and Twitter. In light of these threat the US Department of Homeland Security has previously recommended that users disable Java in the browser completely.

Apple

Gone are the days when Apple’s Java update would come several months after Oracle’s fixes. As is now becoming the norm, Apple released its updates on the same day as Oracle. Java for OS X 2013-003 and Mac OS X v10.6 Update 15 addresses multiple vulnerabilities Java, some of which could allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. To exploit this a hacker need only convince a user to visit a specially crafted web page with an untrusted Java applet. For more information Apple recommend reading the Java 6 update 45 release notes.

Apple also released a new version of its Safari web browser for OS X Lion v10.7.5, OS X Lion Server v10.7.5 and OS X Mountain Lion v10.8.3. It fixes problems where visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. The problem was an invalid cast that existed in the handling of SVG files. For more information see the Safari 6.0.4 page on Apple’s website.

Oracle patches Java vulnerabilities being exploited in the wild

java-square(LiveHacking.Com) – Oracle has rushed out an emergency patch to address two Java vulnerabilities, one of which is being actively exploited by attackers to maliciously install the McRat malware onto victim’s PCs.  Both vulnerabilities affect the 2D component of Java SE.  Targeting Java running in the browser, these vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.

Security Alert CVE-2013-1493 patches Java to fix the vulnerabilities, which although were reported to Oracle on February 1st 2013, came too late to be included in February’s Critical Patch Update for Java SE. The fix had originally been planned for the April Critical Patch Update for Java SE, but since the vulnerabilities are being exploited in the wild, the company decided to release this out-of-band fix. The Java run-time environment (JRE) and the development kit (JDK) are affected for Java 5, Java 6 and Java 7.

“These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system,” said Oracle in a statement.

Apple simultaneously released an update for Java on OS X. OS X 2013-002 and Java for Mac OS X v10.6 Update 14 are availble for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7, OS X Lion Server v10.7, OS X Mountain Lion 10.8 or later.

According to Apple, “Multiple vulnerabilities existed in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.”

All users who don’t need to run Java in the browser should disable all Java plugins in all of the browsers on their PC or Mac. Also you should strongly considering removing Java completely from your machines.

Apple releases fixes after its computers got hacked

Apple-logo(LiveHacking.Com) – Apple has revealed that a small number of its computers where hacked by the same group who recently targeted Facebook. The iPhone-maker said it has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. As a result Apple has released some updates for Java and Mac OS X 10.6.

Java for OS X 2013-001 and Mac OS X v10.6 Update 13 are now available and addresses the following:

  • Multiple vulnerabilities existed in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
  • Multiple vulnerabilities existed in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The Java updates are available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.x, OS X Lion Server v10.7.x, OS X Mountain Lion 10.8.x.

Apple also released a update to its malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed.

Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days

iOS 6.1 released by Apple with dozens of security fixes

ios6(LiveHacking.Com) – Apple has released an upgrade for the iOS firmware running on its range of smartphones and tablets. iOS 6.1 adds some new features, including LTE support for extra carriers and the ability for iTunes Match subscribers to download individual songs from iCloud, and to fix dozens of security vulnerabilities.

The fixes come  in two categories, iOS specific fixes and WebKit fixes. Since various parts of iOS rely heavily on WebKit including the iTunes stores and the Safari web browser these WebKit fixes impact the whole of iOS.

First the iOS specific fixes. Apple lists several crucial fixes including:

  • An error handling issue existed in Identity Services. If the user’s AppleID certificate failed to validate, the user’s AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust.
  • Visiting a maliciously crafted website may lead to a cross-site scripting attack.
  • JavaScript may be enabled in Mobile Safari without user interaction. If a user disabled JavaScript in Safari Preferences, visiting a site which displayed a Smart App Banner would re-enable JavaScript without warning the user.

There are also two fixes which are shared with the recent Apple TV 5.2 release:

  • A user-mode process may be able to access the first page of kernel memory.
  • A remote attacker on the same WiFi network may be able to temporarily disable WiFi because of an out of bounds read issue exists in Broadcom’s BCM4325 and BCM4329 firmware’s handling of 802.11i information elements.

The WebKit changes fix vulnerabilities where visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution because of different  memory corruption issues in WebKit. Many of these problem where previously fixed by Google in its Chrome web browser. There is also a WebKit fix for and issue where copying and pasting content on a malicious website may lead to a cross-site scripting attack.

Finally, the update also deals with the intermediate CA certificates that were issued by TURKTRUST.

iOS 6.1 is available for iPhone 3GS and later, iPod touch (4th generation) and later and iPad 2 and later.

Apple closes two security vulnerabilities with release of Apple TV 5.2

Apple_TV_2nd_Generation(LiveHacking.Com) – Apple has released the a new firmware for its TV media box which adds the ability to play purchased iTunes music directly from iCloud along with Bluetooth keyboard support. The update also allows Apple TV users to send media from an Apple TV to AirPlay-enabled speakers and devices (including AirPort Express and other Apple TVs). At the same time as adding new functionality Apple has also closed two serious security holes.

The first vulnerability fixed is a issue which allowed user-mode process to access the first page of kernel memory. Nomrally the kernel has code to check that user-processes are not accessing kernel memory. However The checks were not being used if the length was smaller than one page. This issue was addressed through additional validation of the arguments to copyin and copyout.

The second securuiy flaw could allow a remote attacker on the same WiFi network to to cause an unexpected system termination. An out of bounds read issue exists in Broadcom’s BCM4325 and BCM4329 firmware’s handling of 802.11i information elements. This issue was addressed through additional validation of 802.11i information elements.

To check the version of the firmware on your device, select ”Settings -> General -> About”. Most users won’t need to do anything as Apple TV will regularly check for software updates. Alternatively, you may manually check for software updates by selecting ”Settings -> General -> Update Software”.