December 18, 2018

Apple releases fixes after its computers got hacked

Apple-logo(LiveHacking.Com) – Apple has revealed that a small number of its computers where hacked by the same group who recently targeted Facebook. The iPhone-maker said it has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. As a result Apple has released some updates for Java and Mac OS X 10.6.

Java for OS X 2013-001 and Mac OS X v10.6 Update 13 are now available and addresses the following:

  • Multiple vulnerabilities existed in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
  • Multiple vulnerabilities existed in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The Java updates are available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.x, OS X Lion Server v10.7.x, OS X Mountain Lion 10.8.x.

Apple also released a update to its malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed.

Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days

SMS fraud malware now targets OS X users

(LiveHacking.Com) –  SMS fraud is nothing new and is one of the preferred methods of generating income for malware writers on Android and on Windows. The Russian security firm Dr. Web has discovered a piece of malware which attempts to perpetrate SMS fraud on unsuspecting OS X users. Dubbed Trojan.SMSSend.3666, it  is the first program of its kind that targets Mac OS X.

With SMS fraud the malware writers attempt to subscribe victim’s to premium rate SMS services which charges high fees for useless messages. The Android variant is to cause the phone to send a message to one of these premium rate numbers.

The new Mac malware is a fake installer which can be downloaded under the guise of useful software. In this case, the Trojan pretends to be an installer for a program called VKMusic 4, a program meant for use on the VK social network. VK claims it is the largest European social network with more than a 100 million active users.

“In order to continue the ‘installation’ fraudsters ask that the victim enter their cellphone number into an appropriate field and then specify the code found in a reply SMS. By performing these actions the user agrees to terms of a chargeable subscription and a fee will be debited from their mobile phone account on a regular basis,” wrote Dr. Web.

Recent outbreaks of OS X malware have used vulnerabilities in Java, however this Trojan doesn’t use a known or unknown vulnerability, rather it is a simple social engineering ploy to trick the user into subscribing to a costly phone service. A relativity small number of OS X users will be affected as first it targets users of VK, second the OS X user needs to download the fake version of VKMusic from an underground web site.

It is anticipated that Apple’s XProtect malware utility will be updated to identify this new Trojan in due course.

Apple releases OS X Server v2.1.1 to fix problems in PostgreSQL & Jabber

(LiveHacking.Com) – Apple has released OS X Server v2.1.1 to address multiple vulnerabilities in PostgreSQL and fix an issue with the Jabber server’s handling of dialback result messages. Before Mac OS X 10.7, Apple sold a separate server edition of OS X, but now it is a separate set of server add-ons which can be bought directly from Apple’s online Mac App Store. OS X Server 2.1.1 is an update of that add-on component.

OS X Server adds the following capabilities to OS X: File sharing for Mac, PC, and iPad; Wiki Server; Profile Manager; Provide a Time Machine backup destination for Mac computers on your network; Standards-based SMTP, IMAP, and POP server; Calendar Server; Contacts Server; Messages Server; Encrypted VPN connections for Mac, iPad, iPhone, and PC; and Xsan

PostgreSQL
PostgreSQL has been updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html.

Messages Server
An issue existed in the Jabber server’s handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages.

From a security standpoint, OS X Server v2.1.1 includes the security updates of OS X Mountain Lion v10.8.2.

What’s New in Version 2.1.1

  • Managing DHCP service from within the Server application
  • iOS 6 device management support in Profile Manager
  • Using the Server application to create a large number of users or groups
  • Authenticating with Calendar Server when using an Active Directory account
  • Renewing certificates for use with the Apple Push Notification Service
  • Configuring DNS entries with second level domains and aliases
  • Retaining network, DNS and PHP settings installing or upgrading OS X Server
  • Migrating from Lion Server and Snow Leopard Server

In brief: Apples releases updates for OS X and Safari

(LiveHacking.Com) – Having released iOS 6 with a large number of security fixes, Apple has now released an update to OS X and a new verison of Safari. For OS X, Mountain Lion has been updated to v10.8.2, Lion jumps to v10.7.5 and for OS X 10.6 Snow Leopard Apple has released Security Update 2012-004. Safari has recevied a minor update to 6.0.1 to address a range of security issues.

The updates to OS X upgrade or fix a number of low level OS X components including:

  • Apache has been updated to version 2.2.22 to address several vulnerabilities, the most serious of which may lead to a denial of service.
  • A reachable assertion issue existed in the handling of DNS records. This issue was addressed by updating to BIND 9.7.6-P1.
  • PHP is updated to version 5.3.15 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

Other components updated include: CoreText, DirectoryService, ImageIO, Kernel, Mail and QuickTime.

Safari has also been updated including a large set of fixes for WebKit. OS X Mountain Lion v10.8.2  automatically updates Safari to Safari 6.0.1.

Plethora of security updates in iOS 6

(LiveHacking.Com) – Yesterday Apple launched the latest version of its mobile operating system for the iPhone, iPad and iPod Touch. iOS 6 brings new features like Facebook integration and is the default OS for the new iPhone 5 which starts shipping on Friday. The new OS also includes lots of important security fixes.

Included in the fixes is an update to WebKit, the open source HTML rendering engine which Apple created and is also used in Google Chrome. Apple updated iTunes recently with a very similar set of WebKit fixes as those found in iOS 6. Apple describes the WebKit vulnerabilities by saying that “Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.” Which it explains is due to “multiple memory corruption issues existed in WebKit. These issues are addressed through improved memory handling.”

Other WebKit fixes also include several cross-site scripting fixes and better URL handling. According to Apple the Unicode fonts embedded in Safari could can been used to create a URL which contains look-alike characters. These look-alike characters can be used by a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain.

Apple also spent some time fixing issues with passcode which can be set from within iOS to stop unwanted access to the device. This included a design flaw in the support for viewing photos that were taken while the screen was locked. Previously to determine which photos should be displayed the passcode lock checked the time at which the device was locked and compared it to the time that a photo was taken. However, by spoofing the current time an attacker could gain access to photos that were taken before the device was locked. To fix this, iOS now explicitly keeps track of the photos that were taken while the device was locked.

Other fixes are:

  • CFNetwork – An issue existed in CFNetwork’s handling of malformed URLs. CFNetwork may send requests to an incorrect hostname, resulting in the disclosure of sensitive information. This issue was addressed through improvements to URL handling.
  • CoreGraphics – Multiple vulnerabilities existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. These issues were addressed by updating FreeType to version 2.4.9. Further information is available via the FreeType site at http://www.freetype.org/
  • CoreMedia – An uninitialized memory access existed in the handling of Sorenson encoded movie files. This issue was addressed through improved memory initialization.
  • DHCP – Upon connecting to a Wi-Fi network, iOS may broadcast MAC addresses of previously accessed networks per the DNAv4 protocol. This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi networks.
  • ImageIO – A buffer overflow existed in libtiff’s handling of ThunderScan encoded TIFF images. This issue was addressed by updating libtiff to version 3.9.5.
  • ImageIO – Multiple memory corruption issues existed in libpng’s handling of PNG images. These issues were addressed through improved validation of PNG images.
  • ImageIO – A double free issue existed in ImageIO’s handling of JPEG images. This issue was addressed through improved memory management.
  • ImageIO – An integer overflow issue existed in libTIFF’s handling of TIFF images. This issue was addressed through improved validation of TIFF images.
  • International Components for Unicode – A stack buffer overflow existed in the handling of ICU locale IDs. This issue was addressed through improved bounds checking.
  • IPSec – A buffer overflow existed in the handling of racoon configuration files. This issue was addressed through improved bounds checking.
  • Kernel – An invalid pointer dereference issue existed in the kernel’s handling of packet filter ioctls. This may allow an attacker to alter kernel memory. This issue was addressed through improved error handling.
  • Kernel – An uninitialized memory access issue existed in the Berkeley Packet Filter interpreter, which led to the disclosure of memory content. This issue was addressed through improved memory initialization.
  • libxml – Multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution. These issues were addressed by applying the relevant upstream patches.
  • Mail – A logic issue existed in Mail’s handling of attachments. If a subsequent mail attachment used the same Content-ID as a previous one, the previous attachment would be displayed, even in the case where the 2 mails originated from different senders. This could facilitate some spoofing or phishing attacks. This issue was addressed through improved handling of attachments.
  • Mail – A logic issue existed in Mail’s use of Data Protection on email attachments. This issue was addressed by properly setting the Data Protection class for email attachments.
  • Mail – S/MIME signed messages displayed the untrusted ‘From’ address, instead of the name associated with the message signer’s identity. This issue was addressed by displaying the address associated with the message signer’s identity when it is available.
  • Messages – When a user had multiple email addresses associated with iMessage, replying to a message may have resulted in the reply being sent from a different email address. This may disclose another email address associated to the user’s account. This issue was addressed by always replying from the email address the original message was sent to.
  • Office – Viewer An information disclosure issue existed in the support for viewing Microsoft Office files. When viewing a document, the Office Viewer would write a temporary file containing data from the viewed document to the temporary directory of the invoking process. For an application that uses data protection or other encryption to protect the user’s files, this could lead to information disclosure. This issue was addressed by avoiding creation of temporary files when viewing Office documents.
  • OpenGL – Multiple memory corruption issues existed in the handling of GLSL compilation. These issues were addressed through improved validation of GLSL shaders.
  • Passcode Lock – A logic issue existed with the display of the “Slide to Power Off” slider on the lock screen. This issue was addressed through improved lock state management.
  • Passcode Lock – A logic issue existed in the termination of FaceTime calls from the lock screen. This issue was addressed through improved lock state management.
  • Passcode Lock – A design issue existed in the support for viewing photos that were taken at the lock screen. In order to determine which photos to permit access to, the passcode lock consulted the time at which the device was locked and compared it to the time that a photo was taken. By spoofing the current time, an attacker could gain access to photos that were taken before the device was locked. This issues was addressed by explicitly keeping track of the photos that were taken while the device was locked.
  • Passcode Lock – A logic issue existed in the Emergency Dialer screen, which permitted FaceTime calls via Voice Dialing on the locked device. This could also disclose the user’s contacts via contact suggestions. This issue was addressed by disabling Voice Dialing on the Emergency Dialer screen.
  • Passcode Lock Using the camera from the screen lock could in some cases interfere with automatic lock functionality, allowing a person with physical access to the device to bypass the Passcode Lock screen. This issue was addressed through improved lock state management.
  • Passcode Lock – A state management issue existed in the handling of the screen lock. This issue was addressed through improved lock state management.
  • Restrictions – After disabling Restrictions, iOS may not ask for the user’s password during a transaction. This issue was addressed by additional enforcement of purchase authorization.
  • Safari – Websites could use a Unicode character to create a lock icon in the page title. This icon was similar in appearance to the icon used to indicate a secure connection, and could have lead the user to believe a secure connection had been established. This issue was addressed by removing these characters from page titles.
  • Safari – Password input elements with the autocomplete attribute set to “off” were being autocompleted. This issue was addressed through improved handling of the autocomplete attribute.
  • System Logs – Sandboxed apps had read access to /var/log directory, which may allow them to obtain sensitive information contained in system logs. This issue was addressed by denying sandboxed apps access to the /var/log directory.
  • Telephony – Messages displayed the return address of an SMS message as the sender. Return addresses may be spoofed. This issue was addressed by always displaying the originating address instead of the return address.
  • Telephony – An off-by-one buffer overflow existed in the handling of SMS user data headers. This issue was addressed through improved bounds checking.
  • UIKit – Applications that use UIWebView may leave unencrypted files on the file system even when a passcode is enabled. This issue was addressed through improved use of data protection.
  • WebKit – A cross-origin issue existed in the handling of CSS property values. This issue was addressed through improved origin tracking.
  • WebKit – A cross-origin issue existed in the handling of iframes in popup windows. This issue was addressed through improved origin tracking.
  • WebKit – A cross-origin issue existed in the handling of iframes and fragment identifiers. This issue was addressed through improved origin tracking.
  • WebKit – The International Domain Name (IDN) support and Unicode fonts embedded in Safari could have been used to create a URL which contains look-alike characters. These could have been used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This issue was addressed by supplementing WebKit’s list of known look-alike characters. Look- alike characters are rendered in Punycode in the address bar.
  • WebKit – A canonicalization issue existed in the handling of URLs. This may have led to cross-site scripting on sites which use the location.href property. This issue was addressed through improved canonicalization of URLs.
  • WebKit – An HTTP header injection issue existed in the handling of WebSockets. This issue was addressed through improved WebSockets URI sanitization.
  • WebKit – A state management issue existed in the handling of session history. Navigations to a fragment on the current page may cause Safari to display incorrect information in the URL bar. This issue was addressed through improved session state tracking.
  • WebKit – An uninitialized memory access issue existed in the handling of SVG images. This issue was addressed through improved memory initialization.

Safari 6.0 released with fixes for security vulnerabilities

(LiveHacking.Com) – Apple has released Safari 6.0 as part of the launch of OS X 10.8 Mountain Lion. The new version of the Mac OS includes an updated version of Apple’s web browser which has also been back ported to OS X 10.7 Lion. As well as new features, Safari 6.0 addresses multiple security issues.

The fixes included in version 6.0 include:

  • A cross-site scripting issue existed in the handling of feed:// URLs. This update removes handling of feed:// URLs.
  • An access control issue existed in the handling of feed:// URLs. This update removes handling of feed:// URLs.
  • Password input elements with the autocomplete attribute set to “off” were being autocompleted. This update addresses the issue by improved handling of the autocomplete attribute.
  • An issue existed in Safari’s support for the ‘attachment’ value for the HTTP Content-Disposition header. This header is used by many websites to serve files that were uploaded to the site by a third-party, such as attachments in web-based e-mail applications. Any script in files served with this header value would run as if the file had been served inline, with full access to other resources on the origin server. This issue is addressed by downloading resources served with this header, rather than displaying them inline.

Safari 6.0 uses the open source WebKit (which Apple created) as its rendering engine. WebKit contained multiple memory corruption issues which, if exploited, means that a user visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. These issues are addressed through improved memory handling inside WebKit.

Many of the WebKit vulnerabilities have been previously fixed in Google’s Chrome web browser (which also uses WebKit) with many of the vulnerabilities being credited to  the “Google Chrome Security Team” or to security researchers who receive rewards from Google for finding bugs like Miaubiz. However Apple did do its fair share of the work with a good number of the WebKit vulnerabilities being discovered by Apple itself.

Safari 6.0 isn’t available for OS X 10.5 Snow Leopard which has now been abandoned by Apple (leaving users with a 32 bit Intel Mac vulnerable). Also at this time there is no news about Safari 6.0 for Windows.

Apple to includes Windows style auto update feature in OS X Mountain Lion

(LiveHacking.Com) – Apple is to add a Windows style update service to OS X Mountain Lion that will automatically install required patches for users. In a recent update to the developer preview of Apple’s newest operating system for its line of Mac computers, Apple included what it called “Security Test Update Test 1.0.”

According to MacRumors, the “Security Test Update Test 1.0.” tests the new Mountain Lion Security Updates system. The new system includes:

  • Daily Checks for required security updates
  • The ability to install required security updates automatically or after restarting your Mac
  • A more secure connection to Apple’s update servers.

Previous versions of OS X including Leopard, Snow Leopard and Lion only downloaded updates after notifying the user and waiting for the user to accept and start the downloads. Apple also mentioned that it has increased the security used in the connections between an individual Mac and Apple’s update servers. This is probably in response to the additional hardening measures Microsoft recently rolled out for its Windows Update service due to the discovery that the Flame malware was using Windows Update to propagate itself.

OS X 10.8. also includes other security features like Gatekeeper which will restrict the installation of downloaded applications based on their source. It has three modes: users can allow applications to be installed only if they are downloaded from the Mac App Store, or if they are downloaded from the the Mac App Store and trusted developers; or from anywhere.

Apple has not revelaed the release date for Mountain Lion, but if it follows the same pattern it did with the release of Lion then Moutain Lion will come out on July 25. Apple has however announced that the upgrade will cost just $19.99 and be available in the Mac App Store.

Flashback Still a Problem, Large Number of Macs Still Infected

(LiveHacking.Com) – According to new figures released by Dr Web, over half a million Macs are still infected with the Flashback Trojan. The number of infected Macs rose to over 650,000 on April 4th and has remained consistent since even though Apple has released patches to fix the vulnerability used by the trojan. These numbers are in stark contrast to figures released by Symantec who say that “currently, it appears that the number of infected computers has tapered off, but remains around the 140,000 mark.”

Computerworld spoke with Symantec who have now revised their outlook and are agreeing with Dr. Web’s analysis. “We’ve been talking with them about the discrepancies in our numbers and theirs,” said Liam O Murchu, manager of operations at Symantec’s security response center, in an interview. “We now believe that their analysis is accurate, and that it explains the discrepancies.” To count the number of infections Symantec uses sinkholes and according to a blog update, these “sinkholes are receiving limited infection counts for” Flashback.

Flashback is spreading due to a Java concurrency vulnerability (CVE-20120-0507) which was fixed in Java Version 6 Update 31, or Java 7 Update 3 on Feb. 15, 2012 but only on the Windows platform. This left Mac users vulnerable. Apple finally fixed the vulnerability in early April, but by then the trojan had started to spread rapidly.

The exploit used by Flashback is based on a vulnerability in AtomicReferenceArray which allows the malware to disable the Java runtime sandbox mechanism. This is done by creating a special serialized object data which due to a logic error (and not a memory corruption) allows the attacker to run arbitrary code on the victim’s Mac. The Flashback trojan, which is so named as the first variant was distributed as a fake Flash Player installer, uses Java vulnerabilities dating back to 2009 through 2011.

Here at LiveHacking we urge Mac users to to install the Java updates and afterwards scan your system to check if it has been infected. Apple have released a Flashback Removal tool.

Apples Releases Flashback Malware Removal Tool as Another Mac Trojan is Discovered

(LiveHacking.Com) – Apple has released a malware removal tool to seek out and remove common variants of the Flashback malware. The tool will look for the malware and if it is found it presents a dialog notifying the user that malware was removed. In some cases, the user will need to restart in order to completely remove the malware. The tool can be downloaded separately for users of OS X Lion who do not have Java installed or as part of a security update.

The security update provides the removal tool for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3 and OS X Lion Server v10.7.3. It also adds functionality to automatically deactivated the Java browser plugin and Java Web Start on OS X Lion systems that have not used Java for a period of 35 days or more. The update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.

Meanwhile Sophos has discovered a new piece of malware, which it is calling Sabpab, that exploits the same Java vulnerability used by Flashback. Sabpab is a backdoor Trojan which connects to a command and control server to receive commands from the attackers. Sabpab can be commanded to make screenshots of the infected Mac, upload and download files, and execute commands remotely.

It looks like the Sabpab Trojan is not as widespread as Flashback and the release of the latest Java updates should thwart its spread – as long as Mac users update promptly!

“It’s time for Mac users to wake up and smell the coffee. Mac malware is becoming a genuine issue, and cannot be ignored any longer” said Sophos on its blog.

Apple Updates Java to Stop Mac Flashback Malware Which Exploits Java Concurrency Vulnerability

(LiveHacking.Com) – Almost six weeks after Oracle updated Java for the Windows platform, Apple has released the same Java fixes for Mac OS X 10.7 and 10.6. According to the security advisory the update includes a fix for  a serious vulnerability which “which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.” This is of course referring to the Java concurrency vulnerability which is being used by the  BlackHole exploit kit on Windows and the Flashback malware on OS X.

According to Apple, Macs can become infected with malware which exploit this bug just by visiting a web page containing a maliciously crafted untrusted Java applet. Since the vulnerability allows hackers to break out of the sandbox Apple note that this “may lead to arbitrary code execution with the privileges of the current user.”

Thankfully the update is available for OS X 10.6 Snow Leopard as well as 10.7 Lion. There were concerns that Apple would silently drop supporting 10.6 as it has done for 10.5. OS X Leopard as it was known runs on Intel Macs but Apple insist on users upgrading. Recently Apple dropped 10.6 as a viable platform for developing iOS applications when it didn’t release the iPad 3 SDK for that version. The full list of OS X versions supported with the update are: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, Lion Server v10.7.3.

Once you have updated open Terminal and type “java -version” to check the Java version number, you should see “java version 1.6.0_31” if the upgrade was successful.

Since OS X 10.5 Leopard isn’t updates, users should disable Java immediately. You can find instructions on how to do this here or how to disable Java browser plugins can been in this short video.

This release updates Java to Java version 1.6.0 31 and Apple are recommending that users read the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html for more information.