September 26, 2016

Apple Updates Safari and Lion, Blocks Old Versions of Flash

(LiveHacking.Com) – Following the recent update of iOS, Apple has now applied a similar set of fixes to the desktop version of Safari as well as adding a new security measure which disables Adobe Flash Player if it is older than 10.1.102.64. At the same time Apple has also released an update to OS X Lion to fix the logging of passwords for FileVault and has updated a few key components like PHP and Samba.

Safari

Apple’s web browser is built around the WebKit layout engine which Apple started (as a fork of KHTML) back in 2001. It is now used as the layout engine for Safari and for Google’s Chrome. As a result, when Google finds security vulnerabilities in Chrome that are due to WebKit, they often need fixing in Safari as well. The fixes in Safari 5.1.7 are all related to WebKit:

  • The first fix is for the cross-site scripting issues that were used by Sergey Glazunov during Google’s Pwnium contest. Apple fixed the same issues recently in iOS 5.1.1. Details of the exact nature of Sergey’s exploit are still unavailable, but it is known that WebKit doesn’t properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a “Universal XSS (UXSS)” issue.
  • The second fix, which also comes via Google, is a memory corruption issue. According to Apple, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • The third flaw to be repaired is a state tracking issue that existed in WebKit’s handling of forms. Due to this bug a maliciously crafted website may be able to populate form inputs on another website with arbitrary values.

As well as fixing these critical errors, Apple also added a new security feature which disables Adobe Flash Player if it is older than 10.1.102.64. It does this by moving the Flash files to a new directory. However, all is not lost, as the user is presented with the option to install an updated version of Flash Player from the Adobe website.

OS X Lion

Alongside the Safari release, Apple also released OS X Lion v10.7.4 and Security Update 2012-002 (for OS X Snow Leopard). The big ticket item in this update is the disabling of the debugging switch which meant that FileVault passwords were being written to a debug log in plain text. According to Apple, this issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. They also have a web page (http://support.apple.com/kb/TS4272) with more information about how to securely remove any remaining records.

Apple also fixed another FileVault issue where, due to a bug in the kernel’s handling of the sleep image (used for hibernation), some unencrypted data remained on the disk even when FileVault was enabled. This issue is addressed through improved handling of the sleep image. It does not affect systems prior to OS X Lion.

The update also upgrades (and/or fixes) different components of OS X including curl, HFS, ImageIO (where viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution), libpng, libarchive, libsecurity, libxml (multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution), PHP, QuickTime, Ruby and Samba.

PHP for OS X Lion v10.7 to v10.7.3 and OS X Lion Server v10.7 to v10.7.3 has been updated to version 5.3.10 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Samba has been updated to remove the nine-year-old vulnerability which allowed an unauthenticated remote attacker to cause a denial of service or execute arbitrary code with system privileges.

OS X Lion FileVault Passwords Written to Debug Log in Plain Text

(LiveHacking.Com) – It has been discovered that the latest OS X Lion 10.7.3 update now logs the FileVault password in a system-wide log file readable by anyone with root or admin access. The problem is that the .3 update left a debugging option switched on which logs, in clear text, the FileVault passwords for every user who logged in since the update was applied.

According to David I. Emery, who disclosed his find on the Cryptome mailing list, “the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file.” The result is that an attacker could now break into encrypted partitions without any prior knowledge of the passwords used.

“One wonders why such a debug switch exists in shipped production code… clearly it could be invoked covertly in specific situations, this seems to be an example of someone turning it on for the entire release by accident,” he added. “Nobody breaks encryption by climbing the high walls in front … when the garden gate is open for millions of machines.”

ZDNet has found a post on the Apple Support Communities, where a user noticed the flaw three months ago:

I’ve tried it on another Mac as well, same result: The login of a normal network user writes this log line as his homedir gets mounted. This poses a security risk. We have some users who are local admins, they could ask another user to login on their Mac and look for the password afterwards. Extraction in single user mode would be possible as well. Is this a “speciality” of our environment or is this a known bug? Can I turn this behavior off?

Nobody got back to him.

Opera 11.51 Released – Closes Security hole & Adds OS X Lion Fullscreen Support

(LiveHacking.Com) – Opera has released version 11.51 of its web browser to fix a security hole and add full screen support on OS X Lion. The security-related problem fixed in this release is that unsecured web content may appear to be secure or trusted.

According to the security advisory: “When certain content is loaded and manipulated in a specific sequence, it can cause Opera to display the security information from the loaded resources in the address field and page information dialog. This allows a malicious page to display the security information from a secure or trusted third party, instead of its own security information.”

Version 11.51 also fixes a low-severity issue reported by Thai Duong and Juliano Rizzo, details of which will be disclosed at a later date.

More details can be found in the Windows, Mac and Unix change logs. Opera 11.51 is available to download for Windows, Mac OS X, Linux (including a PowerPC version), Solaris and FreeBSD.