May 17, 2012

Address Bar Spoofing Vulnerability in Safari in iOS

(LiveHacking.Com) – David Vieira-Kurz of MajorSecurity has discovered an address bar spoofing vulnerability in the Safari web browser used in iOS. The vulnerability, which is actually in WebKit, the rendering engine used by mobile Safari, allows an attacker to manipulate the address bar in the browser and take the user to a malicious site while a fake (but genuine-looking) URL is displayed.

The vulnerability is caused by an error in the handling of URLs when using JavaScript’s window.open() method. This can be exploited to trick users into supplying sensitive information to a malicious web site, because the address bar shows the URL of a genuine and trusted site.

Proof of concept
David has created a special web page which demonstrates the vulnerability at http://majorsecurity.net/html5/ios51-demo.html

  1. Visit the POC site with an Apple iOS device
  2. Click the “demo” button
  3. Safari will open a new window with “http://www.apple.com” in the address bar, but in fact the Apple web site is being displayed inside an iframe and the actual site is http://www.majorsecurity.net
  4. Safari’s address bar shows “http://www.apple.com”, which makes the user believe they are currently visiting Apple.com when in fact they are on another website.

The advisory says the vulnerability is present in iOS 5.0 and iOS 5.1 and that Apple have been informed. Our internal testing here at LiveHacking.com has shown that the vulnerability also exists in iOS 4.3.1 which could mean that all iOS 4 and iOS 5 devices are vulnerable.


iOS 5.1 Fixes Mammoth Amount of Security Issues – Many in WebKit

(LiveHacking.Com) – Apple has released iOS 5.1 for the iPhone 3GS, 4 and 4S, the 3rd and 4th generation iPod touch, and all of its iPad models. As well as a few new features, this point release contains a slew of security related bug fixes. Over 90 individually identifiable vulnerabilities were fixed, the majority of them in WebKit, the web browser rendering engine used in Safari. Most of these WebKit errors had already been fixed in Chrome, with credit for their discovery going to the “Google Chrome Security Team.” Apple haven’t been sitting idle either: a healthy portion of the WebKit errors were discovered by Apple themselves.

The WebKit errors are described by Apple, in its security advisory, as memory corruption issues that can be exploited if the user visits a specially crafted web page. Rendering the page may lead to an unexpected application termination or arbitrary code execution.

Besides WebKit, Apple fixed other bugs including a kernel logic issue in the handling of debug system calls that could allow a malicious program to gain code execution in other programs with the same user privileges, and a race condition in the handling of slide to dial gestures that could allow a person with physical access to the device to bypass the Passcode Lock screen.

Another lock screen issue fixed is related to Siri. If Siri was enabled for use on the lock screen, and Mail was open with a message selected behind the lock screen, a voice command could be used to send that message to an arbitrary recipient. This issue is addressed by disabling forwarding of active messages from the lock screen.

A non-WebKit error has also been fixed in Safari’s Private Browsing mode. Private Browsing is designed to prevent a browsing session from being recorded. Pages visited as a result of a site calling the JavaScript methods pushState or replaceState were recorded in the browser history even when Private Browsing mode was active. This issue is addressed by not recording such visits when Private Browsing is active.

New Features

Besides support for the new iPad with the retina display, iOS 5.1 adds the following notable new features:

  • Images can now be removed manually from the Photo Stream in iCloud. Any photos deleted are now also removed from other iOS devices connected to iCloud.
  • Genius now available with iTunes Match.
  • Improved Location Services.
  • Support for Siri in Japanese.
  • New Lockscreen camera button – you no longer have to double tap home button, just swipe up to access the Camera app.
  • App Store download limit over 3G increased from 20 megabytes to 50 megabytes.
  • Face detection in Camera app now tags faces with green boxes.

Apple Releases Security Updates for OS X

(LiveHacking.Com) – Apple has released security updates for Apple OS X Lion 10.7 and Mac OS X Snow Leopard 10.6 to fix multiple vulnerabilities. These vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, and bypass security restrictions. The update is an amalgamation of recent security updates for several different components used by Apple (including Apache and PHP) along with fixes for Apple’s own code.

3rd Party

This release brings some of OS X’s third party components up to date including:

Apache: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Apache disabled the ‘empty fragment’ countermeasure which prevented these attacks. This issue is addressed by providing a configuration parameter to control the countermeasure and enabling it by default.

PHP is updated to version 5.3.8 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. However, it is worth noting that PHP 5.3.10 has since been released to fix the hash table collisions problem that affected all the popular Web programming languages (including PHP, ASP.NET, Ruby and Python).

SquirrelMail is updated to version 1.4.22 to address several vulnerabilities, the most serious of which is a cross-site scripting issue. This issue does not affect OS X Lion systems.

Tomcat is updated to version 6.0.33 to address multiple vulnerabilities, the most serious of which may lead to the disclosure of sensitive information. Tomcat is only provided on Mac OS X Server systems.

X11: A memory corruption issue existed in FreeType’s handling of Type 1 fonts. This issue is addressed by updating FreeType to version 2.4.7.

The update also revokes the trust for root certificates issued by DigiCert Malaysia. Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. Back in November it was discovered that DigiCert Malaysia had issued certificates with weak keys that it was unable to revoke.

Apple

Apple components that are updated include:

Address Book supports Secure Sockets Layer (SSL) for accessing CardDAV. A downgrade issue caused Address Book to attempt an unencrypted connection if an encrypted connection failed. An attacker in a privileged network position could abuse this behavior to intercept CardDAV data. This issue is addressed by not downgrading to an unencrypted connection without user approval.
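To make the downgrade fix concrete, here is a constructed C model of the CardDAV connection policy before and after the fix. It is example code written for this article, not Apple’s Address Book code; the network attempts and the user prompt are stand-in callbacks and the host name is a placeholder.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the Address Book CardDAV connection policy, written
 * for this article (not Apple's code). Network attempts and the user prompt
 * are injected as callbacks so both policies can be exercised offline. */

enum conn_result { CONN_TLS, CONN_PLAINTEXT, CONN_REFUSED };

struct conn_ops {
    bool (*connect_tls)(const char *host);    /* true on a good TLS handshake */
    bool (*connect_plain)(const char *host);  /* true on a cleartext connect   */
    bool (*user_approves_downgrade)(const char *host);
};

typedef enum conn_result (*policy_fn)(const char *host, const struct conn_ops *ops);

/* Before the fix: any TLS failure, including one an attacker in a privileged
 * network position can provoke, silently falls back to cleartext, so the
 * CardDAV credentials and contact data cross the network unencrypted. */
enum conn_result connect_carddav_before(const char *host, const struct conn_ops *ops)
{
    if (ops->connect_tls(host))
        return CONN_TLS;
    if (ops->connect_plain(host))
        return CONN_PLAINTEXT;
    return CONN_REFUSED;
}

/* After the fix, as the advisory describes it: no cleartext fallback unless
 * the user explicitly approves; otherwise the connection is refused. */
enum conn_result connect_carddav_after(const char *host, const struct conn_ops *ops)
{
    if (ops->connect_tls(host))
        return CONN_TLS;
    if (!ops->user_approves_downgrade(host))
        return CONN_REFUSED;
    if (ops->connect_plain(host))
        return CONN_PLAINTEXT;
    return CONN_REFUSED;
}

/* Stand-ins for the network and the prompt (constructed). */
static bool tls_blocked(const char *host) { (void)host; return false; }
static bool tls_ok(const char *host)      { (void)host; return true;  }
static bool plain_ok(const char *host)    { (void)host; return true;  }
static bool user_no(const char *host)     { (void)host; return false; }
static bool user_yes(const char *host)    { (void)host; return true;  }

/* Run one policy under a chosen scenario: whether TLS can be established
 * and how the user answers the downgrade prompt. */
enum conn_result simulate(bool tls_available, bool user_approves, policy_fn policy)
{
    struct conn_ops ops = {
        .connect_tls = tls_available ? tls_ok : tls_blocked,
        .connect_plain = plain_ok,
        .user_approves_downgrade = user_approves ? user_yes : user_no,
    };
    return policy("carddav.example.invalid", &ops);  /* placeholder host */
}

int main(void)
{
    /* TLS blocked by an on-path attacker; the user is never asked (before)
     * or declines the downgrade (after). */
    printf("before fix: %d\n", simulate(false, false, connect_carddav_before)); /* 1 (CONN_PLAINTEXT) */
    printf("after fix:  %d\n", simulate(false, false, connect_carddav_after));  /* 2 (CONN_REFUSED) */
    return 0;
}
```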

CoreAudio: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of AAC encoded audio streams.

CoreMedia: A heap buffer overflow existed in CoreMedia’s handling of H.264 encoded movie files.

QuickTime has been updated to resolve several issues including:

  • Opening a maliciously crafted MP4 encoded file may lead to an unexpected application termination or arbitrary code execution. An uninitialized memory access issue existed in the handling of MP4 encoded files.
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. A signedness issue existed in the handling of font tables embedded in QuickTime movie files.
  • Viewing a maliciously crafted JPEG2000 image file may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of JPEG2000 files.
  • Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of PNG files.

Time Machine: The user may designate a remote AFP volume or Time Capsule to be used for Time Machine backups. Time Machine did not verify that the same device was being used for subsequent backup operations. An attacker who is able to spoof the remote volume could gain access to new backups created by the user’s system. This issue is addressed by verifying the unique identifier associated with a disk for backup operations.

Apple Releases iTunes 10.5.1 to Fix Man-in-the-middle Vulnerability

(LiveHacking.Com) - Apple has released iTunes 10.5.1 to fix a potentially dangerous man-in-the-middle vulnerability. According to the iTunes 10.5.1 security advisory, a hacker using a man-in-the-middle attack could offer software to end users that appears to originate from Apple. This of course would be a way to infect a computer with malware. The vulnerability exists in iTunes for Windows and for OS X.

iTunes periodically checks for software updates using an HTTP request to Apple. This request may cause iTunes to indicate that an update is available. If Apple Software Update for Windows is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user’s default browser. This issue has been mitigated by using a secured connection when checking for available updates. For OS X systems, the user’s default browser is not used because Apple Software Update is included with OS X, however this change adds additional defense-in-depth.

The vulnerability was reported to Apple by Francisco Amato of Infobyte Security Research.

iTunes 10.5.1, which is available for Mac OS X v10.5 or later, Windows 7, Vista and XP SP2 or later also introduces iTunes Match. Announced earlier this year, this new service allows users to store their entire music library in iCloud, including music that has been imported from CDs.


Apple Releases iOS 5.0.1 To Kill Code-signing Bug

Apple has released iOS 5.0.1 for the iPhone, iPad and iPod Touch to fix half a dozen security vulnerabilities including the code-signing bug that Charlie Miller discovered recently and the iPad 2 smart cover bug.

A few days ago Charlie exposed a flaw in Apple’s code signing system which ensures that only Apple-approved applications can run on an iPhone or iPad. If Apple hadn’t fixed this issue it would have been possible for developers to upload apps to iTunes that could run new code on your phone that Apple never had a chance to check. This in turn would let malware into Apple’s tightly controlled eco system.

According to the security note issued by Apple, Charlie’s flaw was due to a logic error that existed in the mmap system call’s checking of valid flag combinations. This issue does not affect devices running iOS prior to version 4.3.

The other important fix in iOS 5.0.1 is the iPad smart cover bug. The problem was that when a Smart Cover is opened while an iPad 2 is confirming power off in the locked state, the iPad does not request a passcode.

Other things fixed in this release include:

  • Visiting a maliciously crafted website may lead to the disclosure of sensitive information. An issue existed in CFNetwork’s handling of maliciously crafted URLs. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could navigate to an incorrect server.
  • Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font.
  • An attacker with a privileged network position may intercept user credentials or other sensitive information. Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. DigiCert Malaysia has issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. This issue is addressed by configuring default system trust settings so that DigiCert Malaysia’s certificates are not trusted. We would like to acknowledge Bruce Morton of Entrust, Inc. for reporting this issue.
  • Visiting a maliciously crafted website may lead to the disclosure of sensitive information. An issue existed in libinfo’s handling of DNS name lookups. When resolving a maliciously crafted hostname, libinfo could return an incorrect result.

Apple also fixed non-security related bugs in iOS 5.0.1 including tweaks to extend the battery life of devices running the OS.

Researcher Finds iOS Vulnerability Then Loses his Developer Program Status

(LiveHacking.Com) - Charlie Miller, a veteran at finding vulnerabilities in OS X and iOS, has discovered a flaw in iOS that allows rogue apps to download and execute unapproved code on an iOS device. As a proof of concept Charlie successfully uploaded an app to Apple’s iTunes store, a trick which then cost him his rights as an iOS developer.

Charlie is no stranger to hacking Apple products. In 2008 he won a $10,000 prize at the hacker conference Pwn2Own for cracking a MacBook Air in under 2 minutes. In 2009, he won $5,000 for cracking Safari in under 10 seconds. And in the very same year he also demonstrated an SMS processing vulnerability that allowed for the complete compromise of an iPhone.

His latest discovery exposes a flaw in Apple’s restrictions on code signing, Apple’s largely successful way to ensure that only Apple-approved applications can run on an iPhone or iPad. Charlie plans to present his findings at the SysCan conference in Taiwan next week.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” says Miller. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

However, once Apple discovered what Charlie had been up to, it terminated his iOS Developer Program License:

“This letter serves as notice of termination of the iOS Developer Program License Agreement…between you and Apple,” the email read. “Effective immediately.”

Of course, Apple is well within its rights to terminate Charlie’s developer license, as he has broken the terms of the license. However, we are left wondering whether Apple wouldn’t have done better to contact Charlie and get him to explain the flaw to them.

Charlie isn’t the only person trying to get around Apple’s security systems. Pod2g, an iPhone hacker from the Chronic Dev Team, is reporting that he has found a bug in Apple’s iOS 5 that may allow for the development of an untethered jailbreak:

“Hey jailbreaking friends, I’ve found a bug that can untether iOS 5. Don’t expect a release soon, but I’m gonna work hard in it.”

Apple Releases QuickTime 7.7.1 for Windows to Fix Vulnerabilities

(LiveHacking.Com) - Apple has released QuickTime 7.7.1 for Windows to fix multiple vulnerabilities that if exploited could allow an attacker to execute arbitrary code, cause a denial-of-service condition, or obtain sensitive information.

According to the security advisory, QuickTime 7.7.1 for Windows 7, Vista and XP fixes several issues which have either been fixed in OS X (with OS X Lion v10.7.2 or with Security Update 2011-006 for OS X v10.6 systems) or don’t affect Mac OS X systems.

The problems fixed are:

  • A buffer overflow existed in QuickTime’s handling of H.264 encoded movie files.
  • An uninitialized memory access issue existed in QuickTime’s handling of URL data handlers within movie files.
  • An implementation issue existed in QuickTime’s handling of the atom hierarchy within a movie file.
  • A cross-site scripting issue existed in QuickTime Player’s “Save for Web” export. The template HTML files generated by this feature referenced a script file from a non-encrypted origin. An attacker in a privileged network position may be able to inject malicious scripts in the local domain if the user views a template file locally. This issue is addressed by removing the reference to an online script.
  • A buffer overflow existed in QuickTime’s handling of FlashPix files.
  • A buffer overflow existed in QuickTime’s handling of FLIC files.
  • Multiple memory corruption issues existed in QuickTime’s handling of movie files.
  • An integer overflow issue existed in the handling of PICT files.
  • A signedness issue existed in the handling of font tables embedded in QuickTime movie files.
  • A buffer overflow issue existed in the handling of FLC encoded movie files.
  • An integer overflow issue existed in the handling of JPEG2000 encoded movie files.
  • A memory corruption issue existed in the handling of TKHD atoms in QuickTime movie files.

To exploit most of these vulnerabilities an attacker would need to create a specially crafted movie file and get the victim to watch it on their PC.

Apple Releases Security Updates for Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4

(LiveHacking.Com) - With the launch of the much anticipated iOS 5, Apple has also issued a significant number of patches for a range of its products including some of its iOS applications, its Safari web browser, OS X 10.7, OS X 10.6 (via Security Update 2011-006) and Apple TV.

The full list along with links to the Apple knowledge base is as follows:

  • HT4999 - iOS 5 Software Update
  • HT5000 - Safari 5.1.1
  • HT5001 - Apple TV 4.4
  • HT5002 - OS X Lion v10.7.2 and Security Update 2011-006
  • HT5003 - Pages for iOS v1.5
  • HT5004 - Numbers for iOS v1.5

iOS 5
Apple are emphasizing the 200 new features in iOS 5, but it also contains multiple security fixes. Most of these are in WebKit, the HTML rendering engine at the heart of iOS’s version of Safari. Many of the issues fixed in Safari 5.1.1 are common with those in iOS 5; however, the Safari 5.1.1 list is shorter due to the more frequent releases of Safari for the desktop.

Other iOS 5 fixes of interest include:

  • A user’s AppleID password and username were logged to a file that was readable by applications on the system. This is resolved by no longer logging these credentials.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization.
  • Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font.
  • Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. A buffer overflow existed in libTIFF’s handling of CCITT Group 4 encoded TIFF images.

Safari 5.1.1
Along with the long list of WebKit fixes, some of which are common with the fixes in iOS 5 and iTunes 10.5, there are several fixes for bugs that allowed arbitrary code execution or a cross-site scripting attack if the user visited a maliciously crafted website.

Apple also say that JavaScript performance has been improved up to 13% over Safari 5.1.

OS X Lion v10.7.2 and Security Update 2011-006
The update to Lion and the release of Security Update 2011-006 (which is available for OS X 10.6.8) fixes a number of problems including:

  • Apache is updated to version 2.2.20 to address several vulnerabilities, the most serious of which may lead to a denial of service.
  • Executing a binary with a maliciously crafted name may lead to arbitrary code execution with elevated privileges. A format string vulnerability existed in Application Firewall’s debug logging.
  • Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. An out of bounds memory access issue existed in ATS’ handling of Type 1 fonts. This issue does not affect OS X Lion systems.
  • OS X 10.7: Multiple denial of service issues existed in BIND 9.7.3. These issues are addressed by updating BIND to version 9.7.3-P3.
  • OS X 10.6: Multiple denial of service issues existed in BIND. These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.
  • Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization. This issue does not affect OS X Lion systems. This update addresses the issue through improved bounds checking.
  • Several updates for PHP, Python, Postfix and QuickTime.
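The Application Firewall item above is the classic format-string bug class. As an added illustration written for this article (not Apple’s code), here is a debug logger that lets the executed binary’s name reach the format argument, beside the hardened form and a small audit helper; the binary names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of the bug class behind the Application Firewall fix:
 * a debug log routine that ends up using an attacker-chosen binary name as
 * the printf-style format string, beside the hardened form. */

#define LOG_MAX 128

/* The pragma silences the very warning (-Wformat-security) that would have
 * caught this bug at build time; it is here only so the vulnerable form
 * compiles for the demonstration. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"

/* Vulnerable pattern: the message (which contains the binary name) is
 * handed to the formatting call as the format string itself. */
const char *log_exec_unsafe(const char *binary_name)
{
    static char out[LOG_MAX];
    char msg[LOG_MAX];

    snprintf(msg, sizeof msg, "exec: %s", binary_name);  /* correct so far */
    /* BUG: msg is attacker-influenced, so every '%' directive in the binary
     * name is interpreted here; %s reads memory and %n writes it, which is
     * the path to the code execution Apple describes. */
    snprintf(out, sizeof out, msg);
    return out;
}

#pragma GCC diagnostic pop

/* Hardened pattern: a literal format; the name is only ever a %s argument,
 * so a '%' in it is copied through as plain text. */
const char *log_exec_safe(const char *binary_name)
{
    static char out[LOG_MAX];

    snprintf(out, sizeof out, "exec: %s", binary_name);
    return out;
}

/* Audit helper: would a formatting call treat anything in this string as a
 * directive? "%%" is a literal percent sign and is allowed. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip the pair */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *name = "100%%";   /* constructed; a harmless, well-defined directive */

    printf("unsafe: %s\n", log_exec_unsafe(name));              /* exec: 100%  */
    printf("safe:   %s\n", log_exec_safe(name));                /* exec: 100%% */
    printf("audit:  %d\n", has_format_directive("updater%x"));  /* 1 */
    return 0;
}
```

The unsafe form changes "100%%" to "100%" because the name was parsed as a format; the safe form preserves it, and the audit helper is the check to apply before any legacy logging call that takes a format.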

Pages and Numbers for iOS
Due to buffer overflow and memory corruption issues, opening a maliciously crafted Microsoft Word or Excel document may lead to an unexpected application termination or arbitrary code execution.

Apple Releases iTunes 10.5 With Support for iOS 5 and Fixes for Multiple Vulnerabilities

(LiveHacking.Com) – Apple has released iTunes 10.5 in preparation for the imminent release of iOS 5. Along with support for iCloud and wireless syncing, iTunes 10.5 contains a large number of security related fixes for the Windows version. The OS X version contains all the new features but not the security fixes, as Apple is planning to release a separate system-wide update for OS X to address these vulnerabilities, although some have already been addressed in previous security updates by Apple.

The update fixes 79 vulnerabilities of which 73 are within WebKit, the HTML rendering engine found in Safari and Google Chrome, which Apple also uses to power iTunes. Since fixes are also applied to WebKit via Google’s Vulnerability Rewards Program, names like Sergey Glazunov (famous for his work on Chrome) also appear in the list of contributors.

Other than the WebKit fixes, the following vulnerabilities were patched:

  • A memory corruption issue existed in the handling of string tokenization. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.
  • An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.
  • A buffer overflow existed in the handling of audio streams encoded with Advanced Audio Coding (AAC). This issue does not affect OS X Lion systems.
  • A buffer overflow existed in the handling of H.264 encoded movie files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.
  • A heap buffer overflow existed in ImageIO’s handling of TIFF images. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
  • A reentrancy issue existed in ImageIO’s handling of TIFF images. This issue does not affect Mac OS X systems.

Apple Finally Revokes Trust for DigiNotar – But Only on OS X

(LiveHacking.Com) - Almost a week after Microsoft, Mozilla and Google revoked trust in all the certificates issued by DigiNotar, Apple has finally issued an update for OS X 10.6 and 10.7.

Security Update 2011-005 reads:

Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.

However, the update leaves users of PowerPC Macs vulnerable as there is no update for OS X 10.4, and there is nothing yet for iOS devices including the iPhone, iPod Touch and iPad.

The update is available through Mac OS X’s built-in Software Update or can be manually downloaded (for Lion or Snow Leopard) and installed.