March 6, 2015

Apple updates iOS, OS X and Apple TV in monster patch release

ios8-logo(LiveHacking.Com) – Following Google’s disclose of a number of zero day vulnerabilities in OS X, Apple has released a huge set of patches that fix a range of Critical security problems on OS X, iOS, Apple TV, and Safari.

Starting with OS X, Apple’s patches fix 54 separate CVEs including 11 from Google’s Project Zero. Among the fixes are patches for the 3 bugs which Google disclosed last week:

  • An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory.
  • Multiple type confusion issues existed in coresymbolicationd’s handling of XPC messages.
  • A memory access issue existed in the handling of IOUSB controller user client functions.

A security vulnerability in the Intel graphics driver is also credited to Google’s project zero. According to the release notes, multiple vulnerabilities existed in the Intel graphics driver, the most serious of could lead to arbitrary code execution with system privileges.

Another six CVE’s were reported to Apple from another of Google security groups, this time the Google Security Team. Among its catches are a bug in the kernel: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content.

The security update is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1. You can read the full details here: http://support.apple.com/en-us/HT1222

Since iOS and OS X share much of the same code (certainly at the lower levels), Apple also released an update to its mobile operating system with many of the same fixes. The iOS update addresses 33 different CVEs and fixes some of the same vulnerabilities from Google’s Project Zero. You can read more about iOS 8.1.3 here: http://support.apple.com/kb/HT204245

Like iOS, Apple TV also uses lots of the same core technologies as OS X. In response to Google’s disclosures and in the light of other security issues, Apple has released Apple TV 7.0.3. It addresses 29 different CVEs including the disclosed problems with XPC: Multiple type confusion issues existed in networkd’s handling of interprocess communication. By sending a maliciously formatted message to networkd, it could be possible to execute arbitrary code as the networkd process.

Apple TV 7.0.3 is available for all 3rd generation and later Apple TV boxes. Full details can be found here: http://support.apple.com/kb/HT204246

To round off this huge security update, Apple has also updated Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 on OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1 to fix a series of memory issues with WebKit. If exploited these vulnerabilities could allow an attacker to run arbitrary code on a victim’s Mac, if tricked into visiting a maliciously crafted website.

Apple has also updated its web plug-in blocking mechanism to disable all versions prior to Flash Player 16.0.0.296 and 13.0.0.264.

Google discloses three more zero-day vulnerabilities, this time for OS X

Apple-logo(LiveHacking.Com) – Google recently came under some heavy criticism when it disclosed a zero-day vulnerability in Windows just days before Microsoft was scheduled to release a fix. Now the search giant as done it again. But this time Google shows that it is truly non-partisan because the disclosures aren’t for Windows, but for OS X.

The first vulnerability allows an attacker to pass arbitrary commands to the networkd OS X system daemon in XPC  messages. XPC provides a lightweight mechanism for basic interprocess communication. The problem is that the daemon uses the values from  xpc_dictionary_get_value and xpc_array_get_value without subsequent checking of the type of the returned value. Google posted proof-of-concept (POC) code that allows a shell command to be executed as networkd on OS X 10.9.5. The POC uses a specially crafted XPC message which results in “touch /tmp/hello_networkd” being executed. That is a benign command, but it can be replaced with something more malicious.

The second vulnerability in IOKit IOService allows an attacker to  execute code on an OS X machine with root privileges through a null pointer dereferencing. The third flaws also relates to IOKit, this time in the Bluetooth subsystem. To exploit it the machine needs to have a Bluetooth device attached, for example a Apple Bluetooth keyboard. Once exploited it allows an attacker to write into kernel memory, potentially allowing them to create a denial of service situation or to access private data.

The security flaws were reported to Apple in October 2014. All three advisories were subsequently published by Google after the expiration of the 90-day grace period give under Project Zero.

Apple patches security flaws in iOS 8, OS X 10.10 and Apple TV 7

Apple-logo(LiveHacking.Com) – Apple has released new versions of three of its major software products. The new versions of iOS, OS X and Apple TV address multiple security vulnerabilities. iOS 8.1.1, which is available for the iPhone 4s and later; the iPod touch (5th generation) and later; and the iPad 2 and later; addresses nine separate vulnerabilities. Apple TV 7.0.2, which is available for Apple TV 3rd generation and later, addresses four vulnerabilities, all of which are common with the iOS release. OS X 10.10.1 patches four flaws, two of which are common with the iOS release and two which are specific to OS X.

The common fixes are as follows:

  • iOS and OS X: A privacy issue existed where browsing data could remain in the cache after leaving private browsing. (CVE-2014-4460)
  • iOS and OS X: The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user’s approximate location before a user entered a query. (CVE-2014-4453)
  • iOS and Apple TV: A state management issue existed in the handling of Mach-O executable files with overlapping segments. (CVE-2014-4455)
  • iOS and Apple TV: A malicious application may be able to execute arbitrary code with system privileges due to a validation issue that existed in the handling of certain metadata fields in IOSharedDataQueue objects. (CVE-2014-4461)
  • iOS and Apple TV: Due to multiple memory corruption issues in WebKit, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. (CVE-2014-4452 and CVE-2014-4462)

The iOS specific fixes are:

  • In some circumstances, the failed passcode attempt limit was not enforced. (CVE-2014-4451)
  • The Leave a Message option in FaceTime may have allowed viewing and sending photos from the device. (CVE-2014-4463)
  • A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. (CVE-2014-4457)

The OS X only patches are:

  • The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies. (CVE-2014-4458)
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution due to a use after free issue existed in the handling of page objects. (CVE-2014-4459)

More information about all these patches can be found on Apple’s Security Updates web site: http://support.apple.com/kb/HT1222

Shellshock: Code injection vulnerability found in Bash

bash-man-page(LiveHacking.Com) – A code injection vulnerability in the Bourne again shell (Bash) has been disclosed on the internet. If exploited then arbitrary commands can be executed, and where Bash is used in relation to a network service, for example in CGI scripts on a web server, then the vulnerability will allow remote code execution.

The problem resolves about the way that Bash processes environment variables used to export shell functions to other bash instances. Bash uses environment variables named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the process environment. The problem is that Bash does not stop after processing the function definition; it continues to parse and execute any shell commands following the function definition.

This means that shell commands can be tagged onto the end of environment variables and they will be executed by the shell. The vulnerability is deemed as critical because Bash is used widely on many types of UNIX-like operating systems including Linux, BSD, and Mac OS X.

The most prominent attack vector is via HTTP requests sent to CGI scripts executed by Bash. Also, if SSH has been configured to allow remote users to run a set of restricted commands, like rsync or git, this bug means that an attacker can use SSH to execute any command and not just the restricted command.

The initial bug was designated as CVE-2014-6271, and a patch was subsequently issued. However it was later discovered that the patch had an issue in the parser and did not fully address the problem. As a result a second CVE was assigned, CVE-2014-7169, to cover the remaining problems after the application of the first patch.

To test your system to see if your version of bash is vulnerable, run these two commands:

env X="() { :;} ; echo vulnerable" /bin/sh -c "echo completed"
env X="() { :;} ; echo vulnerable" `which bash` -c "echo completed"

In either case, if the word “vulnerable” is displayed then your shell needs patching.

The United States Computer Emergency Readiness Team (US-CERT) has issued a statement: Bourne Again Shell (Bash) Remote Code Execution Vulnerability, along with the following alert: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169).

Red Hat has posted a special report on its security blog: Bash specially-crafted environment variables code injection attack. Akamai, a provider of cloud services, has also posted a blog post called Environment Bashing.

 

Apple updates OS X, iOS, Apple TV and AirPort

Apple-logoApple has released a slew of updates for several of its key platforms to fix a range of security issues including some related to the OpenSSL HeartBleed bug. According to the release notes for AirPort Base Station Firmware Update 7.7.3, the new software contains a fix for an out-of-bounds memory issue in the OpenSSL library when handling TLS heartbeat extension packets (i.e. the HeartBleed bug). Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected.

For iOS, Apple TV and OS X, Apple also released a set of patches one of which also applies to sessions protected by SSL. Known as a “triple handshake” attack, it was possible for an attacker to create two connections using the same keys and handshake. As a result an attacker could insert data into one connection and renegotiate so that the connections are forwarded to each other. To work around this scenario Apple has changed the SSL renegotiation code so that  the same server certificate needs to be presented as in the original connection.

The update to OS X is called Security Update 2014-002 and has various changes for  OS X 10.7 Lion, OS X 10.8 Mountain Lion and OS X 10.9 Mavericks. The changes are as follows:

  • Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie.
  • A format string issue existed in the CoreServicesUIAgent’s handling of URLs.
  • A buffer underflow existed in the handling of fonts in PDF files.
  • A reachable abort existed in the Heimdal Kerberos’ handling of ASN.1 data. This meant that a remote attacker could cause a denial of service.
  • A buffer overflow issue existed in ImageIO’s handling of JPEG images.
  • A validation issue existed in the Intel Graphics Driver’s handling of a pointer from userspace. As a result a malicious application could take control of the system.
  • A set of kernel pointers stored in an IOKit object could be retrieved from userland.
  • A kernel pointer stored in a XNU object could be retrieved from userland.
  • If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep.
  • An integer overflow issue existed in LibYAML’s handling of YAML tags as used by Ruby.
  • A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value.
  • WindowServer sessions could be created by sandboxed applications.

Apple has also updated iOS 7 with the release of iOS 7.1.1. It patches the same Set-Cookie HTTP headers bug as found in OS X plus it updates WebKit (the HTML rendering engine used by mobile Safari) to fix a number of issues, many of which were found by Google (for its Chrome browser). The new Apple TV 6.1.1 firmware has the same changes as iOS 7.1.1 and addresses the Set-Cookie HTTP headers bug and also patches WebKit.

You can get more information on Apple’s security updates here: http://support.apple.com/kb/HT1222

New digitally signed malware targets Mac users

os x mavericks desktopA new piece of digitally signed malware that targets Mac users has been discovered. The new malware, which has been dubbed OSX/LaoShu-A by Sophos and is considered as bot, is being used in an “undelivered courier item” email campaign which tries to trick users into downloading the malware as they try to see the description of an alleged undelivered parcel.

In this particular case the email explains that the undelivered item contained some documents which have been scanned and are waiting for the user to inspect them. A link is provided which takes the unsuspecting user to a fake courier website (often a clone of a real courier website like FedEx or DHL) and then proceeds to download an attachment. If the malicious website detects that the web browser is running on Windows then a piece of malware called Mal/VBCheMan-C is downloaded.

However for Mac users a .zip file is downloaded containing an application that looks like a PDF document. OS X will automatically unzip the file and leave the application in the Downloads folder. The app icon has been intentionally given the PDF icon to trick users into thinking it is a PDF document. However when clicked it will install the malware. Because the application is digitally signed OS X won’t produce a warning about the application coming from an unknown source, but rather it will only warn the user that it has been downloaded from the Internet. Although the warning does actually say “application” rather than “document” the dialog offers the user two possibilities to Cancel or to Open. The use  of the word Open by Apple rather than Run can leave the user with the impression that they are opening a document.

According to Sophos OSX/LaoShu-A is a bot and takes commands from a C&C server, however its main function appear to be data stealing as it will search for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX and try to upload them to the C&C server. However it can also download new program files and execute shell commands which means it will basically be able to do whatever the attackers tell it to do.

In conclusion, don’t click on random links in unsolicited emails especially those with good link bait like the undelivered courier item emails.

Apple releases new versions of Safari to fix critical vulnerabilities

safari-logoApple has released new versions of Safari 6.1 and Safari 7.0 for Mac OS X to fix critical vulnerabilities. If exploited these vulnerabilities could lead to arbitrary code execution. The bugs fixed fall into two categories, those with Safari itself and those in the WebKit HTML rendering engine.

In Safari itself Apple has fixed one vulnerability which allowed hackers to create a site where Safari autofilled various user credentials unexpectedly. This could have led to unwanted information disclosure. According to Apple, ” Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking.”

The other fixes where for WebKit. Because of the vulnerabilities, a visit to a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution. This was due to multiple memory corruption issues which were addressed through improved memory handling.

More details of the security content of Safari 6.1.1 and Safari 7.0.1 can be found here. Safari 6.1.1 and Safari 7.0.1 are available for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.

Apple has also released an update to its latest iteration of OS X.

Apple recommends that all 10.9 users apply the OS X Mavericks v10.9.1 update. The update includes Safari 7.0.1 but doesn’t fix any other security issues in OS X. There are other bug fixes and enhancements which include:

  • Improved support for Gmail in OS X Mail, and fixes for users with custom Gmail settings Improves the reliability of Smart Mailboxes and search in Mail
  • Fixes an issue that prevented contact groups from working properly in Mail
  • Fixes an issue that prevented iLife and iWork apps from updating on non-English systems
  • Addresses an issue that may cause multiple prompts to unlock “Local items” keychain

More details about the security content of OS X Mavericks v10.9.1 can be found here.

Apple releases huge set of updates on back of new iPad announcements

Apple-logoApple has released a new slew of products in the run up to the holiday season including the new iPad Air, the iPad mini with a Retina display, the radically designed Mac Pro and an updated MacBook Pro. Along with these products Apple also released OS X 10.9 Mavericks which addresses some significant security vulnerabilities in OS X. Apple also released updates for iOS, OS X Server, Safari and iTunes.

OS X

Over 50 different security related bugs (with individual CVE designations) have been fixed. The most interesting of these include:

  • A fix to enable TLS 1.2 for CIFS networking as SSLv3 and TLS 1.0 are subject to a protocol weakness when using block ciphers. According to Apple, a man-in-the-middle attacker could have injected invalid data, causing the connection to close but revealing some information about the previous data. If the same connection was attempted repeatedly the attacker may eventually have been able to decrypt the data being sent, such as a password.
  • Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This was due to a buffer underflow in the handling of PDF files.
  • A malicious local application could cause a crash in the Bluetooth subsystem which could potentially be exploited. The problem was that the Bluetooth USB host controller was deleting interfaces too early.
  •  By registering for a hotkey event, an unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled.

The Darwin kernel was also updated to fix a variety of problems that in some cases could force a kernel panic. These included:

  • Use of SHA-2 digest functions in the kernel may result in an unexpected system termination. This bug revolved around an incorrect output length that was used for the SHA-2 family of digest functions. It resulted in a kernel panic when these functions were used, primarily during IPSec connections.
  • The kernel random number generator would hold a lock while satisfying a request from userspace, allowing a local user to make a large request and hold the lock for long periods of time, denying service to other users of the random number generator. This issue was addressed by releasing and reacquiring the lock for large requests more frequently.
  • The kernel would panic when an invalid user-supplied iovec structure was detected. This issue was addressed through improved validation of iovec structures.
  • Unprivileged processes may be able to cause an unexpected system termination or arbitrary code execution in the kernel.
  • Source specific multicast program may cause an unexpected system termination when using Wi-Fi network
  • An attacker on a local network can send specially crafted IPv6 ICMP packets and cause high CPU load. The issue was addressed by rate limiting ICMP packets before verifying their
  • checksum.
  • An integer truncation issue existed in the kernel socket interface, which could be leveraged to force the CPU into an infinite loop. The issue was addressed by using a larger sized variable.

Lots of third party applications where also updated including Curl, dyld, OpenLDAP, Perl, Python and Ruby.

iOS 7

iOS 7.0.3 is also now available and addresses more passcode and lock screen related problems:

  • A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped while a notification was being swiped and while the camera pane was partly visible. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed.
  • When returning to the passcode lock from the Phone app, the passcode entry view is sometimes visible when it should not be, and so may be accessed even if the iPhone has been disabled due to many incorrect passcode attempts.
  • A person with physical access to the device may be able to call arbitrary contacts because of a race conditions in the Phone app at the lock screen. Under various circumstances, the Phone app may allow access to the Contacts pane.

Safari 6.1

While OS X 10.9 includes the latest iteration of Apple’s web browser (Safari 7), Apple has also updated Safari 6 for OS X Lion v10.7.5, OS X Lion Server v10.7.5, and OS X Mountain Lion v10.8.5. Safari 6.1 fixes a number of problems most of them within WebKit, the rendering engine used by Apple and Google. Many of the bugs listed were previously fixed by Google in Chrome.

  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This was due to a memory corruption in the handling of
  • XML files.
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution, this time due to multiple memory corruption in WebKit.
  • An information disclosure issue existed in XSSAuditor. This issue was addressed through improved handling of URLs.
  • Dragging or pasting a selection may lead to a cross-site scripting attack. By dragging or pasting a selection from one site to another a user could allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation.
  • Using the Web Inspector disabled Private Browsing.
  • A cross-site scripting issue existed in the handling of URLs. This issue was addressed through improved origin tracking.

OS X Server 3.0, iTunes and Apple Remote Desktop

Apple also released OS X Server 3.0 which addressed a number of security vulnerabilities including  a buffer overflow that existed in FreeRADIUS when parsing the ‘not after’ timestamp in a client certificate, when using TLS-based EAP methods. As a result of this, a remote attacker may have been able to cause a denial of service or arbitrary code execution.

Apple released two new versions of it Remote Desktop software, v3.7 and v3.5.4. Both versions fix the same security related bugs, the most severe of which could allow a remote attacker to execute arbitrary code because of a format string vulnerability in the handling of the VNC username.

Windows users also get an update in the form of iTunes 11.1.2. Several different errors are fixed, most are related to WebKit and are similar to the ones fixed in Safari 6.1.

More information about all of Apple’s security related updates can be found at http://support.apple.com/kb/HT1222

Apple updates OS X and Safari to fix critical security issues

(LiveHacking.Com) – Apple has released updates for Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.3 to fix a range of Apple-logoCritical security vulnerabilities including a fix for an error that could allow a remote attacker to execute arbitrary code with system privileges on Macs with Directory Service enabled. At the same time Apple has also released Safari 6.0.5. The new release of the web browser, which is also included in OS X Mountain Lion v10.8.4, fixes a range of WebKit errors many of which have been previously fixed in Google Chrome.

Mac OS X

Several different security related bugs gave been fixed in OS X. Among them was an unbounded stack allocation issue that existed in the handling of text glyphs. It could be exploited by visiting a maliciously crafted site and may lead to an unexpected application termination or arbitrary code execution. The Directory Services vulnerability only applies to OS X 10.6. A remote attacker could execute arbitrary code with system privileges on Macs with Directory Service enabled due to an error with the way the directory server handled certain messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges.

There were also several fixes for OpenSSL. There are known attacks on the confidentiality of TLS 1.0 when compression was enabled. To address this Apple has disabled compression in OpenSSL. Also OpenSSL was updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key.

Other fixes include:

  • An attacker with access to a user’s session may be able to log into previously accessed sites, even if Private Browsing was used
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • A local user in the lpadmin group may be able to read or write arbitrary files with system privileges
  • A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication.
  • Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted QTIF file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted FPX file may lead to an unexpected application termination or arbitrary code execution
  • Playing a maliciously crafted MP3 file may lead to an unexpected application termination or arbitrary code execution

Also Multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18.

It is worth noting that starting with OS X 10.8.4, Java Web Start (i.e. JNLP) applications downloaded from the Internet need to be signed with
a Developer ID certificate.

Safari

All the fixes in the new release of Safari are related to WebKit as follows:

  • Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • A cross-site scripting issue existed in the handling of iframes. This issue was addressed through improved origin tracking.
  • A cross-site scripting issue existed in the handling of copied and pasted data in HTML documents. This issue was addressed through additional validation of pasted content.
  • XSS Auditor may rewrite URLs to prevent cross-site scripting attacks. This may lead to a malicious alteration of the behavior of a form submission. This issue was addressed through improved validation of URLs.

More information about the security content of Safari 6.0.5 can be found here.

Apple releases fixes after its computers got hacked

Apple-logo(LiveHacking.Com) – Apple has revealed that a small number of its computers where hacked by the same group who recently targeted Facebook. The iPhone-maker said it has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. As a result Apple has released some updates for Java and Mac OS X 10.6.

Java for OS X 2013-001 and Mac OS X v10.6 Update 13 are now available and addresses the following:

  • Multiple vulnerabilities existed in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
  • Multiple vulnerabilities existed in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The Java updates are available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.x, OS X Lion Server v10.7.x, OS X Mountain Lion 10.8.x.

Apple also released a update to its malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed.

Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days