November 24, 2014

Apple patches security flaws in iOS 8, OS X 10.10 and Apple TV 7

(LiveHacking.Com) – Apple has released new versions of three of its major software products. The new versions of iOS, OS X and Apple TV address multiple security vulnerabilities. iOS 8.1.1, which is available for the iPhone 4s and later, the iPod touch (5th generation) and later, and the iPad 2 and later, addresses nine separate vulnerabilities. Apple TV 7.0.2, which is available for the Apple TV 3rd generation and later, addresses four vulnerabilities, all of which are shared with the iOS release. OS X 10.10.1 patches four flaws, two of which are shared with the iOS release and two of which are specific to OS X.

The common fixes are as follows:

  • iOS and OS X: A privacy issue existed where browsing data could remain in the cache after leaving private browsing. (CVE-2014-4460)
  • iOS and OS X: The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user’s approximate location before a user entered a query. (CVE-2014-4453)
  • iOS and Apple TV: A state management issue existed in the handling of Mach-O executable files with overlapping segments. (CVE-2014-4455)
  • iOS and Apple TV: A malicious application may be able to execute arbitrary code with system privileges due to a validation issue that existed in the handling of certain metadata fields in IOSharedDataQueue objects. (CVE-2014-4461)
  • iOS and Apple TV: Due to multiple memory corruption issues in WebKit, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. (CVE-2014-4452 and CVE-2014-4462)

The iOS specific fixes are:

  • In some circumstances, the failed passcode attempt limit was not enforced. (CVE-2014-4451)
  • The Leave a Message option in FaceTime may have allowed viewing and sending photos from the device. (CVE-2014-4463)
  • A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. (CVE-2014-4457)

The OS X only patches are:

  • The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies. (CVE-2014-4458)
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution due to a use-after-free issue that existed in the handling of page objects. (CVE-2014-4459)

More information about all these patches can be found on Apple’s Security Updates web site: http://support.apple.com/kb/HT1222

Apple release iOS 8.1 and Apple TV 7.0.1 with new security patches

(LiveHacking.Com) – Apple has released iOS 8.1, primarily to activate Apple Pay, but also to patch five CVE-listed vulnerabilities, including a fix for a Bluetooth flaw and a fix for the infamous SSL 3.0 POODLE security vulnerability.

POODLE (Padding Oracle On Downgraded Legacy Encryption) is the moniker given to a flaw in the SSL 3.0 protocol. SSL 3.0 is considered old and obsolete. It has been replaced by its successors TLS 1.0, TLS 1.1, and TLS 1.2. However, many systems still support SSL 3.0 for compatibility reasons. Many systems retry failed secure connections with older protocol versions, including SSL 3.0. This means that a hacker can trigger the use of SSL 3.0 and try to exploit POODLE.

The vulnerability only exists when the SSL 3.0 cipher suite uses a block cipher in CBC mode. As a result, Apple has disabled CBC cipher suites when TLS connection attempts fail in iOS 8.1.

Apple also fixed a flaw that could allow a malicious Bluetooth device to bypass pairing. According to Apple, “unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy accessories. If an iOS device had paired with such an accessory, an attacker could spoof the legitimate accessory to establish a connection. The issue was addressed by denying unencrypted HID connections.”

With the recent spate of leaked celebrity photos, Apple’s iCloud service has remained under the spotlight. According to Apple a flaw has been fixed which could allow an attacker in a privileged network position to force iCloud data access clients to leak sensitive information. The problem is connected with a TLS certificate validation vulnerability that existed in the iCloud data access clients on previous versions of iOS.

Apple TV 7.0.1

The update to Apple TV is smaller than the iOS release but just as significant. Like the iOS 8.1 release, Apple TV 7.0.1 denies unencrypted HID connections to block malicious Bluetooth input devices that try to bypass pairing. iOS 8.1 also disables CBC cipher suites when TLS connection attempts fail; this is needed to stop hackers trying to exploit the POODLE flaw in SSL 3.0.

Apple TV will periodically check for software updates and will install the update on the next check. However if you want to manually check for software updates go to “Settings -> General -> Update Software”.

Apple fixes 44 security bugs in iOS

(LiveHacking.Com) – Apple has released a new point release of iOS 7 to address 44 different security issues in Apple’s mobile operating system. Among the patches are fixes for vulnerabilities in the iOS kernel, and fixes for errors in “launchd,” which could allow a malicious application to execute arbitrary code with system privileges. There are also lots of fixes for WebKit, the HTML rendering engine used by Safari.

The kernel vulnerability, which could cause an iOS device to unexpectedly restart, exists because of a null pointer dereference in the handling of IOKit API arguments. This problem was addressed through additional validation of IOKit API arguments.

launchd has been patched quite extensively in this release. The program is responsible for starting, stopping and managing background processes and apps on iOS. According to Apple’s security notice for iOS 7.1.2, launchd had several different vulnerabilities, including a heap buffer overflow in the handling of IPC messages, a heap buffer overflow in the handling of log messages, and some unspecified integer overflow/underflow issues. All of these could possibly allow a malicious application to execute arbitrary code with system privileges.

The WebKit HTML rendering engine was also heavily patched with 28 unique bugs being squashed. Many of the bugs were discovered either by Google’s Chrome Security Team or by renowned security researchers like “miaubiz” who were participating in Google’s Vulnerability Rewards Program for Chromium. However Apple did find several bugs on its own. In total, the discovery of 12 of the 28 vulnerabilities is attributed (or co-attributed) to Apple. The result of the “multiple memory corruption issues” in WebKit was that a user visiting a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution.

Two other WebKit vulnerabilities were also found by Erling Ellingsen of Facebook. The first was an encoding issue that existed in the handling of unicode characters in URLs. The result was that a malicious site could send messages to a connected frame or window in a way that might circumvent the receiver’s origin check. The other problem was a spoofing issue that existed in the handling of URLs.

Another interesting issue fixed in this version of iOS was a problem with Siri and lock codes. If a Siri request referred to one of several possible contacts, Siri displayed a list of choices and the option ‘More…’ for a complete contact list. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list.

iOS 7.1.2 is available now for the iPhone 4 and later, the iPod touch (5th generation) and later, and the iPad 2 and later.

Apple updates OS X, iOS, Apple TV and AirPort

Apple has released a slew of updates for several of its key platforms to fix a range of security issues, including some related to the OpenSSL Heartbleed bug. According to the release notes for AirPort Base Station Firmware Update 7.7.3, the new software contains a fix for an out-of-bounds memory issue in the OpenSSL library when handling TLS heartbeat extension packets (i.e. the Heartbleed bug). Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected.

For iOS, Apple TV and OS X, Apple also released a set of patches, one of which also applies to sessions protected by SSL. Known as a “triple handshake” attack, it was possible for an attacker to create two connections using the same keys and handshake. As a result an attacker could insert data into one connection and renegotiate so that the connections are forwarded to each other. To work around this scenario Apple has changed the SSL renegotiation code so that the same server certificate needs to be presented as in the original connection.

The update to OS X is called Security Update 2014-002 and has various changes for OS X 10.7 Lion, OS X 10.8 Mountain Lion and OS X 10.9 Mavericks. The changes are as follows:

  • Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie.
  • A format string issue existed in the CoreServicesUIAgent’s handling of URLs.
  • A buffer underflow existed in the handling of fonts in PDF files.
  • A reachable abort existed in the Heimdal Kerberos’ handling of ASN.1 data. This meant that a remote attacker could cause a denial of service.
  • A buffer overflow issue existed in ImageIO’s handling of JPEG images.
  • A validation issue existed in the Intel Graphics Driver’s handling of a pointer from userspace. As a result a malicious application could take control of the system.
  • A set of kernel pointers stored in an IOKit object could be retrieved from userland.
  • A kernel pointer stored in a XNU object could be retrieved from userland.
  • If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep.
  • An integer overflow issue existed in LibYAML’s handling of YAML tags as used by Ruby.
  • A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value.
  • WindowServer sessions could be created by sandboxed applications.

Apple has also updated iOS 7 with the release of iOS 7.1.1. It patches the same Set-Cookie HTTP headers bug as found in OS X plus it updates WebKit (the HTML rendering engine used by mobile Safari) to fix a number of issues, many of which were found by Google (for its Chrome browser). The new Apple TV 6.1.1 firmware has the same changes as iOS 7.1.1 and addresses the Set-Cookie HTTP headers bug and also patches WebKit.
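To make the Set-Cookie item above concrete, here is an added example (not Apple’s code, and the two responses are constructed) of a client-side Set-Cookie parser in the pre-fix and fixed forms: the fixed form ignores a header line unless the bytes after it prove it was terminated, so closing the connection early can no longer strip the Secure and HttpOnly attributes.

```python
# Added example (not Apple's code): a client-side Set-Cookie parser in the
# pre-fix and fixed forms described above. The sample responses are constructed.
from http.cookies import SimpleCookie   # stdlib parser for Set-Cookie syntax


def header_lines(raw: bytes):
    """Yield (line, complete) pairs from a raw HTTP response head.

    A line counts as complete only if the bytes after it prove it was
    terminated: either a CRLF followed it, or the blank line ending the
    head was seen. The trailing fragment of a head cut off by a connection
    close has neither.
    """
    head_ended = b"\r\n\r\n" in raw
    head = raw.split(b"\r\n\r\n", 1)[0]
    parts = head.split(b"\r\n")
    for i, part in enumerate(parts):
        is_last = i == len(parts) - 1
        yield part.decode("latin-1"), (head_ended or not is_last)


def parse_set_cookie(raw: bytes, strict: bool) -> dict:
    """Return {name: {"value", "secure", "httponly"}} for each Set-Cookie line.

    strict=False reproduces the flaw: a header line is honoured even though
    the connection closed before it was complete, so the attributes that
    were still to come ("; Secure; HttpOnly") are silently lost.
    strict=True is the fix: an unterminated header line is ignored.
    """
    jar = {}
    for line, complete in header_lines(raw):
        if not line.lower().startswith("set-cookie:"):
            continue
        if strict and not complete:
            continue            # never act on a header cut off mid-line
        cookie = SimpleCookie()
        cookie.load(line.split(":", 1)[1].strip())
        for name, morsel in cookie.items():
            jar[name] = {
                "value": morsel.value,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return jar


# Constructed responses: the second is the first with the connection closed
# just before the cookie's security attributes were sent.
FULL_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
                 b"\r\n")
CUT_RESPONSE = b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123"

if __name__ == "__main__":
    print(parse_set_cookie(CUT_RESPONSE, strict=False))   # cookie kept, flags lost
    print(parse_set_cookie(CUT_RESPONSE, strict=True))    # {} : truncated line rejected
```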

You can get more information on Apple’s security updates here: http://support.apple.com/kb/HT1222

Apple fixes security vulnerabilities with release of iOS 7.1 and Apple TV 6.1

Apple has released a new version of its popular iOS platform for the iPhone 4 and later, the iPod touch (5th generation) and later, and iPad 2 and later. It has also released a new version of the Apple TV platform for Apple TV 2nd generation units and later.

iOS 7.1 adds a range of new features, but crucially it also fixes a wide variety of security issues, including fixes to the WebKit HTML rendering engine used by Safari. In an ironic twist, Apple has credited four of the fixes to the evad3rs jailbreak team. According to Apple the following fixes were made to tackle the jailbreakers’ techniques:

  • A symbolic link in a backup would be restored, allowing subsequent operations during the restore to write to the rest of the filesystem. This issue was addressed by checking for symbolic links during the restore process. CVE-2013-5133 : evad3rs
  • CrashHouseKeeping followed symbolic links while changing permissions on files. This issue was addressed by not following symbolic links when changing permissions on files. CVE-2014-1272 : evad3rs
  • Text relocation instructions in dynamic libraries may be loaded by dyld without code signature validation. This issue was addressed by ignoring text relocation instructions. CVE-2014-1273 : evad3rs
  • An out of bounds memory access issue existed in the ARM ptmx_get_ioctl function. This issue was addressed through improved bounds checking. CVE-2014-1278 : evad3rs
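The first two items above (CVE-2013-5133 and CVE-2014-1272) are the same class of bug: a privileged operation follows a symbolic link it did not create. As an added example (not Apple’s restore code; the backup format is a constructed list of entries and everything runs in a scratch directory), the two restore routines below show the difference between restoring a symlink entry as-is and checking for it before writing:

```python
# Added example (not Apple's restore code): a backup restore that follows a
# symbolic link found in the backup versus one that checks for it. The backup
# format is a constructed list of entries; everything runs in a scratch dir.
import os
import tempfile


def sample_backup(outside_dir: str) -> list:
    """Constructed backup: a symlink entry pointing outside the restore root,
    followed by a file entry that is written through that link."""
    return [
        ("symlink", "Library", outside_dir),          # link target is outside the root
        ("file", "Library/owned.txt", b"written through the link"),
    ]


def write_file(dest: str, payload: bytes) -> None:
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(payload)


def restore_naive(root: str, entries: list) -> list:
    """Pre-fix behaviour: every entry is restored as-is, so the symlink is
    created and later paths under it resolve to wherever it points."""
    for kind, rel, payload in entries:
        dest = os.path.join(root, rel)
        if kind == "symlink":
            os.symlink(payload, dest)
        elif kind == "file":
            write_file(dest, payload)
    return []


def restore_checked(root: str, entries: list) -> list:
    """Fixed behaviour: symlink entries are refused, and a file is written
    only if its parent directory, with links resolved, is still inside root.
    Returns the relative paths that were rejected."""
    real_root = os.path.realpath(root)
    rejected = []
    for kind, rel, payload in entries:
        dest = os.path.join(root, rel)
        parent_real = os.path.realpath(os.path.dirname(dest))
        inside = os.path.commonpath([real_root, parent_real]) == real_root
        if kind == "symlink" or not inside or os.path.islink(dest):
            rejected.append(rel)
            continue
        if kind == "file":
            write_file(dest, payload)
    return rejected


def run_restore(checked: bool) -> tuple:
    """Restore the sample backup in a scratch area.
    Returns (file_escaped_root, rejected_entries)."""
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.join(scratch, "restore_root")
        outside = os.path.join(scratch, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        restore = restore_checked if checked else restore_naive
        rejected = restore(root, sample_backup(outside))
        escaped = os.path.exists(os.path.join(outside, "owned.txt"))
    return escaped, rejected


if __name__ == "__main__":
    print("naive:", run_restore(checked=False))    # (True, [])
    print("checked:", run_restore(checked=True))   # (False, ['Library'])
```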

The oldest bug fixed was CVE-2012-2088, which was fixed in OS X in March 2013. Because of a buffer overflow in libtiff’s handling of TIFF images, viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution. This issue was fixed through additional validation of TIFF images. Other fixed bugs which could lead to arbitrary code execution include: a buffer overflow that existed in the handling of JPEG2000 images in PDF files, CVE-2014-1275 : Felix Groebert of the Google Security Team; a double free issue that existed in the handling of Microsoft Word documents, CVE-2014-1252 : Felix Groebert of the Google Security Team; and a memory corruption issue that existed in the handling of USB messages, CVE-2014-1287 : Andy Davis of NCC Group.

Apple has posted a document online describing the full security content of iOS 7.1.

Apple TV

Simultaneously with the iOS 7.1 release, Apple also released Apple TV 6.1. Many of the same bugs are addressed including three by the evad3rs jailbreak team along with the other arbitrary code execution vulnerabilities. One specific Apple TV vulnerability allowed an attacker with access to an Apple TV to access sensitive user information from the log files. The problem was that this sensitive user information was being logged by the system. This issue was fixed by altering the logging output.

Apple’s website contains more information about the security content of Apple TV 6.1.

iOS 6.1 released by Apple with dozens of security fixes

(LiveHacking.Com) – Apple has released an upgrade for the iOS firmware running on its range of smartphones and tablets. iOS 6.1 adds some new features, including LTE support for extra carriers and the ability for iTunes Match subscribers to download individual songs from iCloud, and fixes dozens of security vulnerabilities.

The fixes come in two categories: iOS specific fixes and WebKit fixes. Since various parts of iOS rely heavily on WebKit, including the iTunes stores and the Safari web browser, these WebKit fixes impact the whole of iOS.

First the iOS specific fixes. Apple lists several crucial fixes including:

  • An error handling issue existed in Identity Services. If the user’s AppleID certificate failed to validate, the user’s AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust.
  • Visiting a maliciously crafted website may lead to a cross-site scripting attack.
  • JavaScript may be enabled in Mobile Safari without user interaction. If a user disabled JavaScript in Safari Preferences, visiting a site which displayed a Smart App Banner would re-enable JavaScript without warning the user.

There are also two fixes which are shared with the recent Apple TV 5.2 release:

  • A user-mode process may be able to access the first page of kernel memory.
  • A remote attacker on the same WiFi network may be able to temporarily disable WiFi because an out-of-bounds read issue existed in the Broadcom BCM4325 and BCM4329 firmware’s handling of 802.11i information elements.

The WebKit changes fix vulnerabilities where visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution because of various memory corruption issues in WebKit. Many of these problems were previously fixed by Google in its Chrome web browser. There is also a WebKit fix for an issue where copying and pasting content on a malicious website may lead to a cross-site scripting attack.

Finally, the update also deals with the intermediate CA certificates that were issued by TURKTRUST.

iOS 6.1 is available for iPhone 3GS and later, iPod touch (4th generation) and later and iPad 2 and later.

Apple releases iOS 6.0.1 and Safari 6.0.2

(LiveHacking.Com) – Apple has released updates for its mobile operating system, iOS, and its OS X web browser, Safari. Both releases fix a number of security bugs.

The WebKit related fixes are both the same for iOS and Safari. The first and biggest bug fixed is the use after free issue in the handling of SVG images which was used by Pinkie Pie to win $60,000 at Google’s Pwnium 2 contest. The other WebKit error is with the handling of JavaScript arrays. Both errors can lead to an unexpected application termination or arbitrary code execution.

iOS 6.0.1 also contains two additional fixes: an information disclosure issue in the handling of APIs related to kernel extensions, and a problem where a person with physical access to an iOS device may be able to access Passbook passes without entering a passcode.

The kernel API problem meant that maliciously crafted or compromised iOS applications may be able to determine addresses in the kernel and so possibly bypass address space layout randomization protection.

iOS 6.0.1 is now available for the iPhone 3GS and later, iPod touch (4th generation) and later, and iPad 2 and later. Safari 6.0.2 is now available for OS X Lion v10.7.5, OS X Lion Server v10.7.5 and OS X Mountain Lion v10.8.2.

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222.

Will Apple fix SMS spoofing flaw before iOS 6 is released?

(LiveHacking.Com) – As demonstrated many times, social engineering is a key method hackers use to solicit personal information from victims. Now, because of a newly discovered SMS spoofing flaw on the iPhone, users need to be extra careful about trusting the text messages they receive on their phones.

Security researcher “pod2g” has found a serious flaw in the way iOS processes SMS messages that leaves iPhone users open to spoofing.

This means that an attacker can spoof messages from a victim’s bank asking them for some private information, or linking to a phishing website, and, because of the flaw, the message looks genuine. False messages can also be sent to a device and used as false evidence. In fact, pod2g writes that the spoofing can be used to do “anything you can imagine that could be utilized to manipulate people, letting them trust somebody or some organization [that] texted them.”

This flaw has existed since 2007, when the first iPhone was released, and still hasn’t been addressed in iOS 6 beta 4.

SMS messages are converted to complex PDU (Protocol Description Unit) packets for delivery. As part of the payload, a section called UDH (User Data Header) allows the sender to add a reply-to number. If included, any replies written by the receiver will be sent to that number rather than the original number.

The problem with the iPhone SMS app is that the reply-to address is displayed rather than the genuine originator number. This means a message can be sent from one device and made to look like it came from another. What should happen is that if the reply-to and originator numbers are different both should be shown or a warning displayed.

Tools exist for smartphones and even online for sending raw PDU messages meaning that these fake messages are relatively easy to generate.

“Apple takes security very seriously,” representatives from the Cupertino, Calif.-based company told The Verge on Saturday. “When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks.”

“Now you are alerted. Never trust any SMS you received on your iPhone at first sight,” wrote pod2g.

The question now remains, will Apple fix this before iOS 6 is released?

iOS 5.1.1 Fixes Address Bar Spoofing Vulnerability and WebKit Bugs

(LiveHacking.Com) – Apple have released iOS 5.1.1 for the iPhone, iPad and iPod Touch to add improvements and bug fixes while fixing a number of critical security vulnerabilities.

The first vulnerability fixed is the address bar spoofing bug which we reported on back in March. David Vieira-Kurz of MajorSecurity discovered an address bar spoofing vulnerability in WebKit that allows an attacker to manipulate the address bar in the browser and take the user to a malicious site with a fake (but genuine looking) URL showing. The vulnerability is caused by an error in the handling of URLs when using JavaScript’s window.open() method.

The next vulnerability fixed by Apple is the cross-site scripting issue found by Sergey Glazunov that earned him $60,000 from Google under its Pwnium: rewards for exploits contest. Details of the exact nature of Sergey’s exploit are still unavailable but it is known that WebKit doesn’t properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a “Universal XSS (UXSS)” issue.

The final fix is also shrouded in mystery. CVE-2012-0672, which was found by Adam Barth and Abhishek Arya of the Google Chrome Security Team, is a memory corruption issue in WebKit that, if exploited, would allow an attacker to create a malicious website that could crash Safari or execute arbitrary code. However that is all that is known!

iOS 5.1.1 is available for the iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad and iPad 2.

Address Bar Spoofing Vulnerability in Safari in iOS

(LiveHacking.Com) – David Vieira-Kurz of MajorSecurity has discovered an address bar spoofing vulnerability in the Safari web browser used in iOS. The vulnerability, which is actually in WebKit, the rendering engine used by mobile Safari, allows an attacker to manipulate the address bar in the browser and take the user to a malicious site with a fake (but genuine looking) URL showing.

The vulnerability is caused by an error in the handling of URLs when using JavaScript’s window.open() method. This can be exploited to trick users into supplying sensitive information to a malicious web site, because the address bar shows the URL of a genuine and trusted site.

Proof of concept
David has created a special web page which demonstrates the vulnerability at http://majorsecurity.net/html5/ios51-demo.html

  1. Visit the POC site with an Apple iOS device
  2. Click the “demo” button
  3. Safari will open a new window with “http://www.apple.com” in the address bar, but in fact the Apple web site is being displayed inside an iframe and the actual site is http://www.majorsecurity.net
  4. Safari’s address bar is showing “http://www.apple.com” which makes the user believe they are currently visiting Apple.com but in fact they are on another website.

The advisory says the vulnerability is present in iOS 5.0 and iOS 5.1 and that Apple have been informed. Our internal testing here at LiveHacking.com has shown that the vulnerability also exists in iOS 4.3.1 which could mean that all iOS 4 and iOS 5 devices are vulnerable.