November 23, 2014

Apple patches security flaws in iOS 8, OS X 10.10 and Apple TV 7

Apple-logo(LiveHacking.Com) – Apple has released new versions of three of its major software products. The new versions of iOS, OS X and Apple TV address multiple security vulnerabilities. iOS 8.1.1, which is available for the iPhone 4s and later; the iPod touch (5th generation) and later; and the iPad 2 and later; addresses nine separate vulnerabilities. Apple TV 7.0.2, which is available for Apple TV 3rd generation and later, addresses four vulnerabilities, all of which are common with the iOS release. OS X 10.10.1 patches four flaws, two of which are common with the iOS release and two which are specific to OS X.

The common fixes are as follows:

  • iOS and OS X: A privacy issue existed where browsing data could remain in the cache after leaving private browsing. (CVE-2014-4460)
  • iOS and OS X: The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user’s approximate location before a user entered a query. (CVE-2014-4453)
  • iOS and Apple TV: A state management issue existed in the handling of Mach-O executable files with overlapping segments. (CVE-2014-4455)
  • iOS and Apple TV: A malicious application may be able to execute arbitrary code with system privileges due to a validation issue that existed in the handling of certain metadata fields in IOSharedDataQueue objects. (CVE-2014-4461)
  • iOS and Apple TV: Due to multiple memory corruption issues in WebKit, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. (CVE-2014-4452 and CVE-2014-4462)

The iOS specific fixes are:

  • In some circumstances, the failed passcode attempt limit was not enforced. (CVE-2014-4451)
  • The Leave a Message option in FaceTime may have allowed viewing and sending photos from the device. (CVE-2014-4463)
  • A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. (CVE-2014-4457)

The OS X only patches are:

  • The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies. (CVE-2014-4458)
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution due to a use after free issue existed in the handling of page objects. (CVE-2014-4459)

More information about all these patches can be found on Apple’s Security Updates web site: http://support.apple.com/kb/HT1222

Shellshock: Code injection vulnerability found in Bash

bash-man-page(LiveHacking.Com) – A code injection vulnerability in the Bourne again shell (Bash) has been disclosed on the internet. If exploited then arbitrary commands can be executed, and where Bash is used in relation to a network service, for example in CGI scripts on a web server, then the vulnerability will allow remote code execution.

The problem resolves about the way that Bash processes environment variables used to export shell functions to other bash instances. Bash uses environment variables named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the process environment. The problem is that Bash does not stop after processing the function definition; it continues to parse and execute any shell commands following the function definition.

This means that shell commands can be tagged onto the end of environment variables and they will be executed by the shell. The vulnerability is deemed as critical because Bash is used widely on many types of UNIX-like operating systems including Linux, BSD, and Mac OS X.

The most prominent attack vector is via HTTP requests sent to CGI scripts executed by Bash. Also, if SSH has been configured to allow remote users to run a set of restricted commands, like rsync or git, this bug means that an attacker can use SSH to execute any command and not just the restricted command.

The initial bug was designated as CVE-2014-6271, and a patch was subsequently issued. However it was later discovered that the patch had an issue in the parser and did not fully address the problem. As a result a second CVE was assigned, CVE-2014-7169, to cover the remaining problems after the application of the first patch.

To test your system to see if your version of bash is vulnerable, run these two commands:

env X="() { :;} ; echo vulnerable" /bin/sh -c "echo completed"
env X="() { :;} ; echo vulnerable" `which bash` -c "echo completed"

In either case, if the word “vulnerable” is displayed then your shell needs patching.

The United States Computer Emergency Readiness Team (US-CERT) has issued a statement: Bourne Again Shell (Bash) Remote Code Execution Vulnerability, along with the following alert: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169).

Red Hat has posted a special report on its security blog: Bash specially-crafted environment variables code injection attack. Akamai, a provider of cloud services, has also posted a blog post called Environment Bashing.

 

Apple updates OS X, iOS, Apple TV and AirPort

Apple-logoApple has released a slew of updates for several of its key platforms to fix a range of security issues including some related to the OpenSSL HeartBleed bug. According to the release notes for AirPort Base Station Firmware Update 7.7.3, the new software contains a fix for an out-of-bounds memory issue in the OpenSSL library when handling TLS heartbeat extension packets (i.e. the HeartBleed bug). Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected.

For iOS, Apple TV and OS X, Apple also released a set of patches one of which also applies to sessions protected by SSL. Known as a “triple handshake” attack, it was possible for an attacker to create two connections using the same keys and handshake. As a result an attacker could insert data into one connection and renegotiate so that the connections are forwarded to each other. To work around this scenario Apple has changed the SSL renegotiation code so that  the same server certificate needs to be presented as in the original connection.

The update to OS X is called Security Update 2014-002 and has various changes for  OS X 10.7 Lion, OS X 10.8 Mountain Lion and OS X 10.9 Mavericks. The changes are as follows:

  • Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie.
  • A format string issue existed in the CoreServicesUIAgent’s handling of URLs.
  • A buffer underflow existed in the handling of fonts in PDF files.
  • A reachable abort existed in the Heimdal Kerberos’ handling of ASN.1 data. This meant that a remote attacker could cause a denial of service.
  • A buffer overflow issue existed in ImageIO’s handling of JPEG images.
  • A validation issue existed in the Intel Graphics Driver’s handling of a pointer from userspace. As a result a malicious application could take control of the system.
  • A set of kernel pointers stored in an IOKit object could be retrieved from userland.
  • A kernel pointer stored in a XNU object could be retrieved from userland.
  • If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep.
  • An integer overflow issue existed in LibYAML’s handling of YAML tags as used by Ruby.
  • A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value.
  • WindowServer sessions could be created by sandboxed applications.

Apple has also updated iOS 7 with the release of iOS 7.1.1. It patches the same Set-Cookie HTTP headers bug as found in OS X plus it updates WebKit (the HTML rendering engine used by mobile Safari) to fix a number of issues, many of which were found by Google (for its Chrome browser). The new Apple TV 6.1.1 firmware has the same changes as iOS 7.1.1 and addresses the Set-Cookie HTTP headers bug and also patches WebKit.

You can get more information on Apple’s security updates here: http://support.apple.com/kb/HT1222

New digitally signed malware targets Mac users

os x mavericks desktopA new piece of digitally signed malware that targets Mac users has been discovered. The new malware, which has been dubbed OSX/LaoShu-A by Sophos and is considered as bot, is being used in an “undelivered courier item” email campaign which tries to trick users into downloading the malware as they try to see the description of an alleged undelivered parcel.

In this particular case the email explains that the undelivered item contained some documents which have been scanned and are waiting for the user to inspect them. A link is provided which takes the unsuspecting user to a fake courier website (often a clone of a real courier website like FedEx or DHL) and then proceeds to download an attachment. If the malicious website detects that the web browser is running on Windows then a piece of malware called Mal/VBCheMan-C is downloaded.

However for Mac users a .zip file is downloaded containing an application that looks like a PDF document. OS X will automatically unzip the file and leave the application in the Downloads folder. The app icon has been intentionally given the PDF icon to trick users into thinking it is a PDF document. However when clicked it will install the malware. Because the application is digitally signed OS X won’t produce a warning about the application coming from an unknown source, but rather it will only warn the user that it has been downloaded from the Internet. Although the warning does actually say “application” rather than “document” the dialog offers the user two possibilities to Cancel or to Open. The use  of the word Open by Apple rather than Run can leave the user with the impression that they are opening a document.

According to Sophos OSX/LaoShu-A is a bot and takes commands from a C&C server, however its main function appear to be data stealing as it will search for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX and try to upload them to the C&C server. However it can also download new program files and execute shell commands which means it will basically be able to do whatever the attackers tell it to do.

In conclusion, don’t click on random links in unsolicited emails especially those with good link bait like the undelivered courier item emails.

Apple releases new versions of Safari to fix critical vulnerabilities

safari-logoApple has released new versions of Safari 6.1 and Safari 7.0 for Mac OS X to fix critical vulnerabilities. If exploited these vulnerabilities could lead to arbitrary code execution. The bugs fixed fall into two categories, those with Safari itself and those in the WebKit HTML rendering engine.

In Safari itself Apple has fixed one vulnerability which allowed hackers to create a site where Safari autofilled various user credentials unexpectedly. This could have led to unwanted information disclosure. According to Apple, ” Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking.”

The other fixes where for WebKit. Because of the vulnerabilities, a visit to a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution. This was due to multiple memory corruption issues which were addressed through improved memory handling.

More details of the security content of Safari 6.1.1 and Safari 7.0.1 can be found here. Safari 6.1.1 and Safari 7.0.1 are available for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.

Apple has also released an update to its latest iteration of OS X.

Apple recommends that all 10.9 users apply the OS X Mavericks v10.9.1 update. The update includes Safari 7.0.1 but doesn’t fix any other security issues in OS X. There are other bug fixes and enhancements which include:

  • Improved support for Gmail in OS X Mail, and fixes for users with custom Gmail settings Improves the reliability of Smart Mailboxes and search in Mail
  • Fixes an issue that prevented contact groups from working properly in Mail
  • Fixes an issue that prevented iLife and iWork apps from updating on non-English systems
  • Addresses an issue that may cause multiple prompts to unlock “Local items” keychain

More details about the security content of OS X Mavericks v10.9.1 can be found here.

Apple releases huge set of updates on back of new iPad announcements

Apple-logoApple has released a new slew of products in the run up to the holiday season including the new iPad Air, the iPad mini with a Retina display, the radically designed Mac Pro and an updated MacBook Pro. Along with these products Apple also released OS X 10.9 Mavericks which addresses some significant security vulnerabilities in OS X. Apple also released updates for iOS, OS X Server, Safari and iTunes.

OS X

Over 50 different security related bugs (with individual CVE designations) have been fixed. The most interesting of these include:

  • A fix to enable TLS 1.2 for CIFS networking as SSLv3 and TLS 1.0 are subject to a protocol weakness when using block ciphers. According to Apple, a man-in-the-middle attacker could have injected invalid data, causing the connection to close but revealing some information about the previous data. If the same connection was attempted repeatedly the attacker may eventually have been able to decrypt the data being sent, such as a password.
  • Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This was due to a buffer underflow in the handling of PDF files.
  • A malicious local application could cause a crash in the Bluetooth subsystem which could potentially be exploited. The problem was that the Bluetooth USB host controller was deleting interfaces too early.
  •  By registering for a hotkey event, an unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled.

The Darwin kernel was also updated to fix a variety of problems that in some cases could force a kernel panic. These included:

  • Use of SHA-2 digest functions in the kernel may result in an unexpected system termination. This bug revolved around an incorrect output length that was used for the SHA-2 family of digest functions. It resulted in a kernel panic when these functions were used, primarily during IPSec connections.
  • The kernel random number generator would hold a lock while satisfying a request from userspace, allowing a local user to make a large request and hold the lock for long periods of time, denying service to other users of the random number generator. This issue was addressed by releasing and reacquiring the lock for large requests more frequently.
  • The kernel would panic when an invalid user-supplied iovec structure was detected. This issue was addressed through improved validation of iovec structures.
  • Unprivileged processes may be able to cause an unexpected system termination or arbitrary code execution in the kernel.
  • Source specific multicast program may cause an unexpected system termination when using Wi-Fi network
  • An attacker on a local network can send specially crafted IPv6 ICMP packets and cause high CPU load. The issue was addressed by rate limiting ICMP packets before verifying their
  • checksum.
  • An integer truncation issue existed in the kernel socket interface, which could be leveraged to force the CPU into an infinite loop. The issue was addressed by using a larger sized variable.

Lots of third party applications where also updated including Curl, dyld, OpenLDAP, Perl, Python and Ruby.

iOS 7

iOS 7.0.3 is also now available and addresses more passcode and lock screen related problems:

  • A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped while a notification was being swiped and while the camera pane was partly visible. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed.
  • When returning to the passcode lock from the Phone app, the passcode entry view is sometimes visible when it should not be, and so may be accessed even if the iPhone has been disabled due to many incorrect passcode attempts.
  • A person with physical access to the device may be able to call arbitrary contacts because of a race conditions in the Phone app at the lock screen. Under various circumstances, the Phone app may allow access to the Contacts pane.

Safari 6.1

While OS X 10.9 includes the latest iteration of Apple’s web browser (Safari 7), Apple has also updated Safari 6 for OS X Lion v10.7.5, OS X Lion Server v10.7.5, and OS X Mountain Lion v10.8.5. Safari 6.1 fixes a number of problems most of them within WebKit, the rendering engine used by Apple and Google. Many of the bugs listed were previously fixed by Google in Chrome.

  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This was due to a memory corruption in the handling of
  • XML files.
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution, this time due to multiple memory corruption in WebKit.
  • An information disclosure issue existed in XSSAuditor. This issue was addressed through improved handling of URLs.
  • Dragging or pasting a selection may lead to a cross-site scripting attack. By dragging or pasting a selection from one site to another a user could allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation.
  • Using the Web Inspector disabled Private Browsing.
  • A cross-site scripting issue existed in the handling of URLs. This issue was addressed through improved origin tracking.

OS X Server 3.0, iTunes and Apple Remote Desktop

Apple also released OS X Server 3.0 which addressed a number of security vulnerabilities including  a buffer overflow that existed in FreeRADIUS when parsing the ‘not after’ timestamp in a client certificate, when using TLS-based EAP methods. As a result of this, a remote attacker may have been able to cause a denial of service or arbitrary code execution.

Apple released two new versions of it Remote Desktop software, v3.7 and v3.5.4. Both versions fix the same security related bugs, the most severe of which could allow a remote attacker to execute arbitrary code because of a format string vulnerability in the handling of the VNC username.

Windows users also get an update in the form of iTunes 11.1.2. Several different errors are fixed, most are related to WebKit and are similar to the ones fixed in Safari 6.1.

More information about all of Apple’s security related updates can be found at http://support.apple.com/kb/HT1222

Apple updates OS X and Safari to fix critical security issues

(LiveHacking.Com) – Apple has released updates for Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.3 to fix a range of Apple-logoCritical security vulnerabilities including a fix for an error that could allow a remote attacker to execute arbitrary code with system privileges on Macs with Directory Service enabled. At the same time Apple has also released Safari 6.0.5. The new release of the web browser, which is also included in OS X Mountain Lion v10.8.4, fixes a range of WebKit errors many of which have been previously fixed in Google Chrome.

Mac OS X

Several different security related bugs gave been fixed in OS X. Among them was an unbounded stack allocation issue that existed in the handling of text glyphs. It could be exploited by visiting a maliciously crafted site and may lead to an unexpected application termination or arbitrary code execution. The Directory Services vulnerability only applies to OS X 10.6. A remote attacker could execute arbitrary code with system privileges on Macs with Directory Service enabled due to an error with the way the directory server handled certain messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges.

There were also several fixes for OpenSSL. There are known attacks on the confidentiality of TLS 1.0 when compression was enabled. To address this Apple has disabled compression in OpenSSL. Also OpenSSL was updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key.

Other fixes include:

  • An attacker with access to a user’s session may be able to log into previously accessed sites, even if Private Browsing was used
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • A local user in the lpadmin group may be able to read or write arbitrary files with system privileges
  • A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication.
  • Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted QTIF file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted FPX file may lead to an unexpected application termination or arbitrary code execution
  • Playing a maliciously crafted MP3 file may lead to an unexpected application termination or arbitrary code execution

Also Multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18.

It is worth noting that starting with OS X 10.8.4, Java Web Start (i.e. JNLP) applications downloaded from the Internet need to be signed with
a Developer ID certificate.

Safari

All the fixes in the new release of Safari are related to WebKit as follows:

  • Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • A cross-site scripting issue existed in the handling of iframes. This issue was addressed through improved origin tracking.
  • A cross-site scripting issue existed in the handling of copied and pasted data in HTML documents. This issue was addressed through additional validation of pasted content.
  • XSS Auditor may rewrite URLs to prevent cross-site scripting attacks. This may lead to a malicious alteration of the behavior of a form submission. This issue was addressed through improved validation of URLs.

More information about the security content of Safari 6.0.5 can be found here.

Apple releases fixes after its computers got hacked

Apple-logo(LiveHacking.Com) – Apple has revealed that a small number of its computers where hacked by the same group who recently targeted Facebook. The iPhone-maker said it has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. As a result Apple has released some updates for Java and Mac OS X 10.6.

Java for OS X 2013-001 and Mac OS X v10.6 Update 13 are now available and addresses the following:

  • Multiple vulnerabilities existed in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
  • Multiple vulnerabilities existed in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The Java updates are available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.x, OS X Lion Server v10.7.x, OS X Mountain Lion 10.8.x.

Apple also released a update to its malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed.

Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days

SMS fraud malware now targets OS X users

(LiveHacking.Com) –  SMS fraud is nothing new and is one of the preferred methods of generating income for malware writers on Android and on Windows. The Russian security firm Dr. Web has discovered a piece of malware which attempts to perpetrate SMS fraud on unsuspecting OS X users. Dubbed Trojan.SMSSend.3666, it  is the first program of its kind that targets Mac OS X.

With SMS fraud the malware writers attempt to subscribe victim’s to premium rate SMS services which charges high fees for useless messages. The Android variant is to cause the phone to send a message to one of these premium rate numbers.

The new Mac malware is a fake installer which can be downloaded under the guise of useful software. In this case, the Trojan pretends to be an installer for a program called VKMusic 4, a program meant for use on the VK social network. VK claims it is the largest European social network with more than a 100 million active users.

“In order to continue the ‘installation’ fraudsters ask that the victim enter their cellphone number into an appropriate field and then specify the code found in a reply SMS. By performing these actions the user agrees to terms of a chargeable subscription and a fee will be debited from their mobile phone account on a regular basis,” wrote Dr. Web.

Recent outbreaks of OS X malware have used vulnerabilities in Java, however this Trojan doesn’t use a known or unknown vulnerability, rather it is a simple social engineering ploy to trick the user into subscribing to a costly phone service. A relativity small number of OS X users will be affected as first it targets users of VK, second the OS X user needs to download the fake version of VKMusic from an underground web site.

It is anticipated that Apple’s XProtect malware utility will be updated to identify this new Trojan in due course.

Apple releases OS X Server v2.1.1 to fix problems in PostgreSQL & Jabber

(LiveHacking.Com) – Apple has released OS X Server v2.1.1 to address multiple vulnerabilities in PostgreSQL and fix an issue with the Jabber server’s handling of dialback result messages. Before Mac OS X 10.7, Apple sold a separate server edition of OS X, but now it is a separate set of server add-ons which can be bought directly from Apple’s online Mac App Store. OS X Server 2.1.1 is an update of that add-on component.

OS X Server adds the following capabilities to OS X: File sharing for Mac, PC, and iPad; Wiki Server; Profile Manager; Provide a Time Machine backup destination for Mac computers on your network; Standards-based SMTP, IMAP, and POP server; Calendar Server; Contacts Server; Messages Server; Encrypted VPN connections for Mac, iPad, iPhone, and PC; and Xsan

PostgreSQL
PostgreSQL has been updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html.

Messages Server
An issue existed in the Jabber server’s handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages.

From a security standpoint, OS X Server v2.1.1 includes the security updates of OS X Mountain Lion v10.8.2.

What’s New in Version 2.1.1

  • Managing DHCP service from within the Server application
  • iOS 6 device management support in Profile Manager
  • Using the Server application to create a large number of users or groups
  • Authenticating with Calendar Server when using an Active Directory account
  • Renewing certificates for use with the Apple Push Notification Service
  • Configuring DNS entries with second level domains and aliases
  • Retaining network, DNS and PHP settings installing or upgrading OS X Server
  • Migrating from Lion Server and Snow Leopard Server