August 17, 2019

Mac Flashback Malware Updated to Exploit Java Concurrency Vulnerability

(LiveHacking.Com) – Following the news that various exploit kits for Windows (including BlackHole) have been updated to integrate exploits for the Java concurrency vulnerability (CVE-2012-0507), it is now being reported that the OS X specific malware known as Flashback has also been updated to exploit the same vulnerability. The vulnerability was fixed in Java Version 6 Update 31, or Java 7 Update 3, on Feb. 15, 2012, but only on the Windows platform. This left Mac users vulnerable.

The latest version of OS X (10.7 – Lion) doesn’t include Java by default; however, it can be downloaded and installed when needed. The last update Apple released for Java was in November 2011. Secondly, there is a portion of Mac users who have remained on OS X 10.6 Snow Leopard (which included Java by default). Apple has been quietly dropping support for 10.6 and it remains to be seen whether any eventual Java updates include the older platform.

The exploit used by Flashback is based on a vulnerability in AtomicReferenceArray which allows the malware to disable the Java runtime sandbox mechanism. This is done by creating specially crafted serialized object data which, due to a logic error (not a memory corruption), allows the attacker to run arbitrary code on the victim’s Mac. The exploit is very reliable.

Flashback, which is so named because the first variant was distributed as a fake Flash Player installer, uses Java vulnerabilities dating from 2009 through 2011. All of those vulnerabilities had previously been patched, up until now that is. This latest variant can install itself on any Mac – even those with all the latest updates installed.

Although Oracle released the fix for the concurrency vulnerability back in February, Apple distributes its own self-compiled version of Java for Macs, built from Oracle’s source code and subsequent patches. However, its release schedule is behind that of the Oracle builds for Java on Windows. It has long been said that this delay in shipping security related patches for Java on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms exactly that.

The best advice right now is for Mac users to disable Java completely unless it is absolutely necessary. You can find instructions on how to do this here.

New Mac Malware uses Office Documents to Exploit OS X

(LiveHacking.Com) – AlienVault Labs have recently found some OS X malware which uses an already fixed vulnerability in Microsoft Office for Mac to infect Apple computers with command-and-control malware. The vulnerability exploited by the malware was patched in June 2009 and affected all versions of Mac Office 2004 version 11.5.4 or earlier, Mac Office 2008 version 12.1.8 or earlier, and OpenXML Converter 1.0.2 or earlier. The malware, which will only infect unpatched systems, is the first recorded malware for OS X that attempts to use Office documents as a means of infection.

For a system to be infected a user needs to open a specially crafted Word document in an unpatched version of Word for Mac. The document then causes a script to save the malware to the hard disk. The malware is then run to complete the infection. Once installed, the malware tries to make contact with a command-and-control server in China. The server sends instructions to the Mac, giving the attacker remote control and allowing them to install programs; view, change, or delete data; or create new accounts. If Word is run from a standard account (as the majority of Mac users do), the control that the remote attackers have over the system is limited.

Removal

The good news is that the malware is easy enough to remove by running the following commands in the OS X Terminal:

sudo rm /Applications/Automator.app/Contents/MacOS/DockLight
sudo rm /Library/launchd

As always, it is best to keep your Mac up to date via the automatic software updates supplied by Apple and by any third parties like Microsoft.

New Variants of Flashback Trojan for OS X Found

(LiveHacking.Com) – New variants of the Flashback trojan for OS X have been spotted by security researchers from Intego. Flashback.G does not use an installer (unlike the previous incarnations), meaning that if a user visits a web page (and they have not applied Apple’s Java updates) then the installation will occur without any user interaction. For those with up to date Java installations the trojan will trigger a certificate alert, but they won’t be asked for the user password.

The trojan horse uses three methods to infect Macs. First it tries to install via one of two known Java vulnerabilities, one from way back in 2008, the other from last year. Successful exploitation of these vulnerabilities means the machine becomes infected without any user intervention. Those running Macs with the latest Java updates will not be affected by these first two attempts. However, if the Java exploits fail, the trojan tries again with a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Users who click on “Continue” will open the machine to infection.

Once installed, the trojan patches applications like Safari and Skype to sniff out usernames and passwords, especially for sites like Google, Yahoo!, CNN and PayPal. A possible clue that a Mac has become infected is that applications like Safari start to crash, as the trojan code makes the programs unstable.

“I don’t want to give [the hackers] more credit than they deserve, but [Flashback.G] is particularly sophisticated,” said Peter James, a spokesman for Intego, who spoke to ComputerWorld. “The Java vulnerability [approach] doesn’t require user interaction, and they’re putting victims into a strainer,” he added, referring to the social-engineering-style fake certificate tactic that’s employed only if the Mac is invulnerable to the Java exploits.

Apple Releases Security Updates for OS X

(LiveHacking.Com) – Apple has released security updates for Apple OS X Lion 10.7 and Mac OS X Snow Leopard 10.6 to fix multiple vulnerabilities. These vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, and bypass security restrictions. The update is an amalgamation of recent security updates for several different components used by Apple (including Apache and PHP) along with fixes for Apple’s own code.

3rd Party

This release brings some of OS X’s third party components up to date including:

Apache: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Apache disabled the ‘empty fragment’ countermeasure which prevented these attacks. This issue is addressed by providing a configuration parameter to control the countermeasure and enabling it by default.

PHP is updated to version 5.3.8 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. However, it is worth noting that PHP 5.3.10 has since been released to fix the hash table collision problem that affected all the popular Web programming languages (including PHP, ASP.NET, Ruby and Python).

SquirrelMail is updated to version 1.4.22 to address several vulnerabilities, the most serious of which is a cross-site scripting issue. This issue does not affect OS X Lion systems.

Tomcat is updated to version 6.0.33 to address multiple vulnerabilities, the most serious of which may lead to the disclosure of sensitive information. Tomcat is only provided on Mac OS X Server systems.

X11: A memory corruption issue existed in FreeType’s handling of Type 1 fonts. This issue is addressed by updating FreeType to version 2.4.7.

The update also revokes the trust for root certificates issued by DigiCert Malaysia. Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. Back in November it was discovered that DigiCert Malaysia had issued certificates with weak keys that it was unable to revoke.

Apple

Apple components that are updated include:

Address Book supports Secure Sockets Layer (SSL) for accessing CardDAV. A downgrade issue caused Address Book to attempt an unencrypted connection if an encrypted connection failed. An attacker in a privileged network position could abuse this behavior to intercept CardDAV data. This issue is addressed by not downgrading to an unencrypted connection without user approval.

CoreAudio: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of AAC encoded audio streams.

CoreMedia: A heap buffer overflow existed in CoreMedia’s handling of H.264 encoded movie files.

QuickTime has been updated to resolve several issues including:

  • Opening a maliciously crafted MP4 encoded file may lead to an unexpected application termination or arbitrary code execution. An uninitialized memory access issue existed in the handling of MP4 encoded files.
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. A signedness issue existed in the handling of font tables embedded in QuickTime movie files.
  • Viewing a maliciously crafted JPEG2000 image file may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of JPEG2000 files.
  • Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of PNG files.

Time Machine: The user may designate a remote AFP volume or Time Capsule to be used for Time Machine backups. Time Machine did not verify that the same device was being used for subsequent backup operations. An attacker who is able to spoof the remote volume could gain access to new backups created by the user’s system. This issue is addressed by verifying the unique identifier associated with a disk for backup operations.

Apple Releases Security Updates for Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4

(LiveHacking.Com) – With the launch of the much anticipated iOS 5, Apple has also issued a significant number of patches for a range of its products, including some of its iOS applications, its Safari web browser, OS X 10.7, OS X 10.6 (via Security Update 2011-006) and Apple TV.

The full list along with links to the Apple knowledge base is as follows:

  • HT4999 – iOS 5 Software Update
  • HT5000 – Safari 5.1.1
  • HT5001 – Apple TV 4.4
  • HT5002 – OS X Lion v10.7.2 and Security Update 2011-006
  • HT5003 – Pages for iOS v1.5
  • HT5004 – Numbers for iOS v1.5

iOS 5
Apple are emphasizing the 200 new features in iOS 5, but it also contains multiple security fixes. Most of these are found in WebKit, the HTML rendering engine at the heart of iOS’s version of Safari. Many of the issues fixed in Safari 5.1.1 are common with those in iOS 5; however, the Safari 5.1.1 list is shorter due to the more frequent releases of Safari for the desktop.

Other iOS 5 fixes of interest include:

  • A user’s AppleID password and username were logged to a file that was readable by applications on the system. This is resolved by no longer logging these credentials.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization.
  • Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font.
  • Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. A buffer overflow existed in libTIFF’s handling of CCITT Group 4 encoded TIFF images.

Safari 5.1.1
Along with the long list of WebKit fixes, some of which are common with the fixes in iOS 5 and iTunes 10.5, there are several fixes for bugs that allowed arbitrary code execution or a cross-site scripting attack if the user visited a maliciously crafted website.

Apple also say that JavaScript performance has been improved up to 13% over Safari 5.1.

OS X Lion v10.7.2 and Security Update 2011-006
The update to Lion and the release of Security Update 2011-006 (which is available for OS X 10.6.8) fixes a number of problems including:

  • Apache is updated to version 2.2.20 to address several vulnerabilities, the most serious of which may lead to a denial of service.
  • Executing a binary with a maliciously crafted name may lead to arbitrary code execution with elevated privileges. A format string vulnerability existed in Application Firewall’s debug logging.
  • Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. An out of bounds memory access issue existed in ATS’ handling of Type 1 fonts. This issue does not affect OS X Lion systems.
  • OS X 10.7: Multiple denial of service issues existed in BIND 9.7.3. These issues are addressed by updating BIND to version 9.7.3-P3.
  • OS X 10.6: Multiple denial of service issues existed in BIND. These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.
  • Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization. This issue does not affect OS X Lion systems. This update addresses the issue through improved bounds checking.
  • Several updates for PHP, python, postfix and QuickTime.
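The Application Firewall item above is a textbook format-string bug: attacker-controlled text (here a binary name) reaching a printf-style logging call as the format rather than as a `%s` argument. The C below is an added illustration of that bug class beside its hardened form, not Apple’s code; the log message wording and the crafted binary name are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define LOG_MAX 128

/* Returns 1 if the name carries a '%' directive, i.e. the kind of input
 * that turns a format-string bug into something an attacker can steer. */
int name_has_format_directive(const char *binary_name)
{
    return strchr(binary_name, '%') != NULL;
}

/* Vulnerable pattern: the message is assembled first and then handed to
 * a printf-style call as its FORMAT, so any '%' the binary name carried
 * is interpreted on the second pass. Directives that consume arguments
 * ("%s", "%n") would read or write through whatever is on the stack; this
 * demonstration only feeds "%%" so that it stays well-defined. */
const char *log_debug_vulnerable(const char *binary_name)
{
    static char msg[LOG_MAX];
    static char out[LOG_MAX];
    snprintf(msg, sizeof msg, "deny %s connecting", binary_name);
    snprintf(out, sizeof out, msg);   /* BUG: untrusted data used as format */
    return out;
}

/* Hardened pattern: the format string is a constant and the name is only
 * ever a "%s" argument, so it cannot change how the call behaves. */
const char *log_debug_hardened(const char *binary_name)
{
    static char out[LOG_MAX];
    snprintf(out, sizeof out, "deny %s connecting", binary_name);
    return out;
}

int main(void)
{
    /* Constructed binary name carrying a format directive. */
    const char *crafted = "evil%%d";
    printf("vulnerable: %s\n", log_debug_vulnerable(crafted));
    printf("hardened:   %s\n", log_debug_hardened(crafted));
    return 0;
}
```

For a benign name the two paths produce identical output; only the crafted name shows that the vulnerable path is interpreting the name instead of logging it.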

Pages and Numbers for iOS
Due to buffer overflow and memory corruption issues, opening a maliciously crafted Microsoft Word or Excel document may lead to an unexpected application termination or arbitrary code execution.

Apple Releases Safari 5.1 and 5.0.6 for OS X and Windows

(LiveHacking.Com) — Following the launch of OS X 10.7 (AKA Lion) which includes version 5.1 of Apple’s web browser Safari, Apple has released Safari 5.1 for Windows and OS X 10.6 and Safari 5.0.6 for OS X 10.5.

Safari 5.1 and 5.0.6 address multiple security vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, perform a cross-site scripting attack, or disclose sensitive information.

Apple lists over 57 different CVE IDs in its security content advisory for Safari 5.1 and Safari 5.0.6, with WebKit receiving the largest number of fixes.

Since other web browsers like Google’s Chrome use WebKit, Safari indirectly benefits from Google’s Chrome Security Award scheme. Names like Sergey Glazunov (a frequent winner under Google’s scheme) and Abhishek Arya (Inferno) of the Google Chrome Security Team are listed by Apple.

New security features in Safari 5.1 include:

  • Privacy Pane – Some websites you visit can leave data on your computer. The new Privacy pane in Safari preferences shows what kind of data websites are storing and lets you remove it. You can also customize cookie settings and choose whether websites can request your location information.
  • Private AutoFill – Safari makes sure your information is kept private. Whenever you come across a web form, Safari automatically detects it and lets you choose to use AutoFill to complete the form with information from your Address Book. No information is ever added to a form automatically unless you say it’s OK.
  • Sandboxing [OS X Lion only] – Sandboxing is a security feature that helps prevent websites from tampering with your computer. All the web content and applications you use in Safari on Lion are sandboxed, so websites can’t use exploits to access your system. If a website contains malicious code intended to capture personal data or take control of your computer, sandboxing automatically blocks it to keep your computer and your information safe.

Safari 5.1 is available for Mac OS X 10.6, Windows XP, Vista and Windows 7 and can be downloaded from http://www.apple.com/safari/

Firefox 5.0.1 Released For OS X Only – Fixes 10.7 Lion Issue

(LiveHacking.Com) — The Mozilla Foundation has released Firefox 5.0.1 to address issues on Mac OS X.

This new version of Firefox has the following changes:

  • Worked around an issue in Mac OS X 10.7 that could cause Firefox to crash.
  • Worked around an issue caused by Apple’s “Java for Mac OS X 10.6 Update 5” where the Java plugin would not be loaded.

Although OS X 10.7 hasn’t been released yet there are rumours that its release is imminent and could even be today (July 14th). The Mozilla Foundation has therefore addressed the OS X 10.7 issue so that when Lion finally does hit the streets Firefox will work without any problems.

The other issue solves a problem with Java for Mac OS X 10.6 Update 5, which was released a little over two weeks ago.

More information is available at http://www.mozilla.com/en-US/firefox/5.0.1/releasenotes/

Apple Release OS X Update in Fight Against MacDefender Malware

The MacDefender malware has been playing havoc with unwitting Mac users for the last month or so and last week Apple acknowledged its existence and promised a security update to OS X. The good news is that Apple have now shipped the promised update and MacDefender removal tool.

Security Update 2011-003 does three very specific things:

  1. The OSX.MacDefender.A definition has been added to the malware check within File Quarantine. Information on File Quarantine is available in this Knowledge Base article: http://support.apple.com/kb/HT3662
  2. The system will check daily for updates to the File Quarantine malware definition list. An opt-out capability is provided via the “Automatically update safe downloads list” checkbox in Security Preferences. Additional information is available in this Knowledge Base article: http://support.apple.com/kb/HT4651
  3. The installation process for this update will search for and remove known variants of the MacDefender malware. If a known variant was detected and removed, the user will be notified via an alert after the update is installed. Additional information is available in this Knowledge Base article: http://support.apple.com/kb/HT4651

Mac users were getting infected by MacDefender when they were redirected from legitimate websites to fake websites which told them that their Mac was infected with a virus. The user was then offered the MacDefender “anti-virus” software to solve the issue. Of course, this “anti-virus” software is in fact malware trying to get credit card information. The most common names for this malware are MacDefender, MacProtector and MacSecurity.

Apple Updates OS X, Safari and iOS

Microsoft released a bumper set of security fixes on Tuesday and today it was Apple’s turn with fixes for OS X, Safari and iOS. The update for OS X was to block the fraudulent SSL certificates stolen from Comodo (better late than never), Safari 5.0.5 fixes two vulnerabilities in WebKit and iOS has been updated to 4.3.2 to block the stolen Comodo certificates and to fix other vulnerabilities.

Security Update 2011-002 applies to Mac OS X v10.5.8 and Mac OS X v10.6.7 and does nothing other than blacklist the fraudulent Comodo certificates.

Safari has been updated to 5.0.5 for Mac OS X v10.5.8, Mac OS X v10.6.5 or later, Windows 7, Vista and XP. Two vulnerabilities have been fixed in WebKit:

  • An integer overflow issue existed in the handling of nodesets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • A use after free issue existed in the handling of text nodes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

iOS 4.3.2 fixed the same two flaws listed above (as Safari on the desktop shares much of its code with the Safari built into iOS), blocked the Comodo certificates, and fixed a vulnerability in libxslt and one in QuickLook:

  • libxslt’s implementation of the generate-id() XPath function disclosed the address of a heap buffer. Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap, which may aid in bypassing address space layout randomization protection. This issue is addressed by generating an ID based on the difference between the addresses of two heap buffers.
  • A memory corruption issue existed in QuickLook’s handling of Microsoft Office files. Viewing a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution.
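The libxslt item above states both the leak and the fix pattern. The C below is an added illustration of that pattern, not libxslt’s code: a generate-id() built from a raw heap pointer, beside one built from the distance between two objects of the same document. The node_t type and the sample document layouts are constructed stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a parsed XML node; libxslt's real structures differ. */
typedef struct node {
    int kind;
    struct node *parent;
} node_t;

/* Leaky form: the id is the node's raw address, so any script that reads
 * generate-id() learns where the document lives in memory, which is the
 * ASLR bypass aid the advisory describes. */
void generate_id_leaky(char *out, size_t out_len, const node_t *node)
{
    snprintf(out, out_len, "id%llx", (unsigned long long)(uintptr_t)node);
}

/* Hardened form (the approach the advisory describes): the id is the
 * distance from the node to another object of the same document, here its
 * root. Still unique per node, but identical no matter where the document
 * was placed, so nothing about the address space is revealed. */
void generate_id_hardened(char *out, size_t out_len,
                          const node_t *node, const node_t *root)
{
    long long offset = (long long)((intptr_t)node - (intptr_t)root);
    snprintf(out, out_len, "id%lld", offset);
}

/* Would a script that reads this id recover the object's address? */
int id_discloses_address(const char *id, const void *obj)
{
    unsigned long long v = strtoull(id + 2, NULL, 16);   /* skip "id" */
    return v == (unsigned long long)(uintptr_t)obj;
}

/* Runs the comparison on two copies of the same tiny document laid out at
 * different addresses (standing in for two ASLR placements). Returns 1 when
 * the leaky id reveals the address, the hardened id does not, and the
 * hardened id is the same for both placements. */
int generate_id_demo(void)
{
    node_t doc_a[4], doc_b[4];
    char leaky[32], hard_a[32], hard_b[32];

    generate_id_leaky(leaky, sizeof leaky, &doc_a[2]);
    generate_id_hardened(hard_a, sizeof hard_a, &doc_a[2], &doc_a[0]);
    generate_id_hardened(hard_b, sizeof hard_b, &doc_b[2], &doc_b[0]);

    return id_discloses_address(leaky, &doc_a[2])
        && !id_discloses_address(hard_a, &doc_a[2])
        && strcmp(hard_a, hard_b) == 0;
}

int main(void)
{
    printf("%s\n", generate_id_demo()
           ? "hardened id hides the address, leaky id exposes it"
           : "unexpected result");
    return 0;
}
```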

The latter problem is likely to be the one used by Charlie Miller at this year’s Pwn2Own contest.

Apple updates Java for OS X 10.5 and 10.6

Apple has released Java for Mac OS X 10.5 Update 9 and Java for Mac OS X 10.6 Update 4. The updates effectively upgrade J2SE 5.0 to update 28 (Java 1.5.0_28) and Java SE 6 to update 24 (Java 1.6.0_24).

Multiple vulnerabilities exist in J2SE 5.0 update 26 (Java 1.5.0_26) and Java SE 6 update 22 (Java 1.6.0_22), the most serious of which may allow an untrusted Java applet to execute arbitrary code outside of the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are fixed in Java version 1.5.0_28 and 1.6.0_24.

Oracle previously released these updates for Java in February and these Apple updates are a result of these fixes trickling down to the official OS X release.

Apple has officially deprecated its own port of Java to OS X and told developers to “not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X”.

However they have (together with Oracle) announced the OpenJDK project for Mac OS X and that “Apple will contribute most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X, including a 32-bit and 64-bit HotSpot-based Java virtual machine, class libraries, a networking stack and the foundation for a new graphical client.”