December 18, 2018

New iOS 5.1.1 Safari Browser Denial Of Service Vulnerability Found

(LiveHacking.Com) – Alberto Ortega, a vulnerability researcher at AlienVault and author of PenTBox (a set of security tools written in Ruby), has discovered a new denial of service vulnerability in Apple’s iOS. The problem, which occurs in the Safari web browser, has been seen to manifest itself on iOS 5.0.1, 5.1.0 and 5.1.1 and affects the iPod Touch, the iPhone and the iPad.

According to the security advisory published by Alberto, Safari crashes unexpectedly when JavaScript’s String match() method is passed a very large buffer as its argument. The search() method appears to be affected as well.

“iOS has a lot of mitigations to avoid successful exploitation,” Ortega said. “This software has errors and holes but you will need to bypass those hard mitigations and find more weaknesses to have something ‘usable’.” He believes that this vulnerability is a “step to achieve a real exploitation”.

To reproduce the crash, run the Ruby script posted in the advisory and then open the URL of the running script in Safari on the device. The script serves a specially crafted web page containing the relevant JavaScript; when Safari attempts to run that JavaScript, the browser crashes.

This latest discovery comes only a few days after the Chronic-Dev Team published an untethered jailbreak for iOS 5.1.1.

At the time of disclosure, Ortega had already reported the problem to Apple, but there has been no official response.

Apple Updates Safari and Lion, Blocks Old Versions of Flash

(LiveHacking.Com) – Following the recent update of iOS, Apple has now applied a similar set of fixes to the desktop version of Safari as well as adding a new security measure which disables Adobe Flash Player if it is older than 10.1.102.64. At the same time Apple has also released an update to OS X Lion to fix the logging of passwords for FileVault and has updated a few key components like PHP and Samba.

Safari

Apple’s web browser is built around the WebKit layout engine, which Apple started (as a fork of KHTML) back in 2001. WebKit is now the layout engine for both Safari and Google’s Chrome, so when Google finds a security vulnerability in Chrome that lies in WebKit, it usually needs fixing in Safari as well. The fixes in Safari 5.1.7 are all related to WebKit:

  • The first fix is for the cross-site scripting issues that were used by Sergey Glazunov during Google’s Pwnium contest. Apple recently fixed the same issues in iOS 5.1.1. Details of the exact nature of Sergey’s exploit are still unavailable, but it is known that WebKit doesn’t properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a “Universal XSS (UXSS)” issue.
  • The second fix, which also comes via Google, is a memory corruption issue. According to Apple, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • The third flaw to be repaired is a state tracking issue that existed in WebKit’s handling of forms. Due to this bug a maliciously crafted website may be able to populate form inputs on another website with arbitrary values.

As well as fixing these critical errors, Apple also added a new security feature which disables Adobe Flash Player if it is older than 10.1.102.64. It does this by moving the Flash files to a new directory. All is not lost, however: the user is presented with the option to install an updated version of Flash Player from the Adobe website.

OS X Lion

Alongside the Safari release, Apple also released OS X Lion v10.7.4 and Security Update 2012-002 (for OS X Snow Leopard). The big-ticket item in this update is the disabling of a debugging switch that caused FileVault passwords to be written to a debug log in plain text. According to Apple, this issue only affects systems running OS X Lion v10.7.3 with users of Legacy FileVault and/or networked home directories. Apple also has a web page (http://support.apple.com/kb/TS4272) with more information about how to securely remove any remaining records.

Apple also fixed another FileVault issue: due to a bug in the kernel’s handling of the sleep image (used for hibernation), some unencrypted data remained on the disk even when FileVault was enabled. This issue is addressed through improved handling of the sleep image, and it does not affect systems prior to OS X Lion.

The update also upgrades (and/or fixes) various components of OS X, including curl, HFS, ImageIO (where viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution), libpng, libarchive, libsecurity, libxml (multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution), PHP, QuickTime, Ruby and Samba.

PHP for OS X Lion v10.7 to v10.7.3 and OS X Lion Server v10.7 to v10.7.3 has been updated to version 5.3.10 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Samba has been updated to remove a nine-year-old vulnerability which allowed an unauthenticated remote attacker to cause a denial of service or execute arbitrary code with system privileges.

Apple Includes iOS 5.1 WebKit Fixes in Safari

(LiveHacking.Com) – Apple recently released iOS 5.1 with over 60 fixes to WebKit, the web rendering engine used by the iPhone’s operating system. Now Apple has released an update to Safari (its web browser for Windows and Mac) with an almost identical set of fixes. One thing this makes very clear is that Apple really is using the same code across the mobile and desktop versions of its Safari browser, and that vulnerabilities found by Google in its own web browser often apply to Safari both in iOS and on the desktop.

As with the iOS update, most (if not all) of these WebKit errors had previously been fixed in Google’s Chrome web browser, with many of the vulnerabilities credited to the “Google Chrome Security Team” or to security researchers, like Sergey Glazunov, who receive rewards from Google for finding bugs. However, Apple did its fair share of the work, with a good portion of the WebKit vulnerabilities discovered by Apple itself.

The majority of the WebKit errors are described by Apple, in its security advisory, as memory corruption issues that can be exploited if the user visits a specially crafted web page. Rendering the page may lead to an unexpected application termination or arbitrary code execution. Other fixes in Safari 5.1.4 include:

  • Look-alike characters in a URL could be used to masquerade as another website. Safari’s International Domain Name (IDN) support could be used to create a URL containing look-alike characters, which a malicious web site could use to direct the user to a spoofed site that visually appears to be a legitimate domain. This issue is addressed through an improved domain name validity check. It does not affect OS X systems.
  • Visiting a maliciously crafted website may lead to the disclosure of cookies. A cross-origin issue existed in WebKit, which may allow cookies to be disclosed across origins.
  • Visiting a maliciously crafted website and dragging content with the mouse may lead to a cross-site scripting attack. A cross-origin issue existed in WebKit, which may allow content to be dragged and dropped across origins.
  • Cookies may be set by third-party sites, even when Safari is configured to block them. An issue existed in the enforcement of its cookie policy. Third-party websites could set cookies if the “Block Cookies” preference in Safari was set to the default setting of “From third parties and advertisers”.
  • HTTP authentication credentials may be inadvertently disclosed to another site. If a site uses HTTP authentication and redirects to another site, the authentication credentials may be sent to the other site.

Still Vulnerable?

What is currently unknown is if Safari is vulnerable to the two critical vulnerabilities found in Chrome last week during the CanSecWest security conference for which Google paid out over $120,000 to Sergey Glazunov and a researcher known as PinkiePie (aka PwniePie).

Download

Safari 5.1.4 is available to download, for Mac and Windows, from Apple’s Safari page.

Apple Releases Security Updates for Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4

(LiveHacking.Com) – With the launch of the much anticipated iOS 5, Apple has also issued a significant number of patches for a range of its products, including some of its iOS applications, its Safari web browser, OS X 10.7, OS X 10.6 (via Security Update 2011-006) and Apple TV.

The full list along with links to the Apple knowledge base is as follows:

  • HT4999 – iOS 5 Software Update
  • HT5000 – Safari 5.1.1
  • HT5001 – Apple TV 4.4
  • HT5002 – OS X Lion v10.7.2 and Security Update 2011-006
  • HT5003 – Pages for iOS v1.5
  • HT5004 – Numbers for iOS v1.5

iOS 5
Apple is emphasizing the 200 new features in iOS 5, but it also contains multiple security fixes. Most of these are in WebKit, the HTML rendering engine at the heart of iOS’s version of Safari. Many of the issues fixed in Safari 5.1.1 are common with those in iOS 5; however, the Safari 5.1.1 list is shorter because Safari for the desktop is released more frequently.

Other iOS 5 fixes of interest include:

  • A user’s AppleID password and username were logged to a file that was readable by applications on the system. This is resolved by no longer logging these credentials.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization.
  • Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font.
  • Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. A buffer overflow existed in libTIFF’s handling of CCITT Group 4 encoded TIFF images.

Safari 5.1.1
Along with the long list of WebKit fixes, some of which are common with the fixes in iOS 5 and iTunes 10.5, there are several fixes for bugs that allowed arbitrary code execution or a cross-site scripting attack if the user visited a maliciously crafted website.

Apple also say that JavaScript performance has been improved up to 13% over Safari 5.1.

OS X Lion v10.7.2 and Security Update 2011-006
The update to Lion and the release of Security Update 2011-006 (which is available for OS X 10.6.8) fixes a number of problems including:

  • Apache is updated to version 2.2.20 to address several vulnerabilities, the most serious of which may lead to a denial of service.
  • Executing a binary with a maliciously crafted name may lead to arbitrary code execution with elevated privileges. A format string vulnerability existed in Application Firewall’s debug logging.
  • Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. An out of bounds memory access issue existed in ATS’ handling of Type 1 fonts. This issue does not affect OS X Lion systems.
  • OS X 10.7: Multiple denial of service issues existed in BIND 9.7.3. These issues are addressed by updating BIND to version 9.7.3-P3.
  • OS X 10.6: Multiple denial of service issues existed in BIND. These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.
  • Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization. This issue does not affect OS X Lion systems. This update addresses the issue through improved bounds checking.
  • Several updates for PHP, Python, Postfix and QuickTime.

Pages and Numbers for iOS
Opening a maliciously crafted Microsoft Word or Excel document may lead to an unexpected application termination or arbitrary code execution, due to buffer overflow and memory corruption issues in the handling of those documents.

NSS Labs Report Shows That IE Still Best At Blocking Socially Engineered Malware

(LiveHacking.Com) – NSS Labs has released its latest Web Browser Security Comparative Test Reports against Socially-Engineered Malware for the third quarter of 2011. The report examines the ability of the top five web browsers to protect users from websites that look harmless but actually are designed to trick visitors into downloading and installing malware.

According to a recent study by AVG, users are four times more likely to be tricked into downloading malware than be compromised by a vulnerability.

The report found that Windows Internet Explorer 9 (IE9) caught an exceptional 99.2% of live threats (96% with the SmartScreen URL reputation and an additional 3.2% with Application Reputation). Google Chrome 12 caught 13.2% of the live threats, four times more than it managed during the Q3 2010 global test. Apple Safari 5 and Firefox both caught 7.6% of the live threats. Opera 11 caught the lowest number of threats, just 6.1%.

The full report can be downloaded from NSS Labs’ website (download PDF), and unlike previous reports this one was not paid for by Microsoft.

Apple Releases Safari 5.1 and 5.0.6 for OS X and Windows

(LiveHacking.Com) — Following the launch of OS X 10.7 (AKA Lion) which includes version 5.1 of Apple’s web browser Safari, Apple has released Safari 5.1 for Windows and OS X 10.6 and Safari 5.0.6 for OS X 10.5.

Safari 5.1 and 5.0.6 address multiple security vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, perform a cross-site scripting attack, or disclose sensitive information.

Apple lists over 57 different CVE IDs in its security content advisory for Safari 5.1 and Safari 5.0.6, with WebKit receiving the largest number of fixes.

Since other web browsers like Google’s Chrome also use WebKit, Safari indirectly benefits from Google’s Chrome security reward scheme. Names like Sergey Glazunov (a frequent winner under Google’s scheme) and Abhishek Arya (Inferno) of the Google Chrome Security Team are listed by Apple.

New security features in Safari 5.1, as Apple describes them, include:

  • Privacy Pane – Some websites you visit can leave data on your computer. The new Privacy pane in Safari preferences shows what kind of data websites are storing and lets you remove it. You can also customize cookie settings and choose whether websites can request your location information.
  • Private AutoFill – Safari makes sure your information is kept private. Whenever you come across a web form, Safari automatically detects it and lets you choose to use AutoFill to complete the form with information from your Address Book. No information is ever added to a form automatically unless you say it’s OK.
  • Sandboxing [OS X Lion only] – Sandboxing is a security feature that helps prevent websites from tampering with your computer. All the web content and applications you use in Safari on Lion are sandboxed, so websites can’t use exploits to access your system. If a website contains malicious code intended to capture personal data or take control of your computer, sandboxing automatically blocks it to keep your computer and your information safe.

Safari 5.1 is available for Mac OS X 10.6, Windows XP, Vista and Windows 7 and can be downloaded from http://www.apple.com/safari/

Apple Updates OS X, Safari and iOS

Microsoft released a bumper set of security fixes on Tuesday, and today it was Apple’s turn with fixes for OS X, Safari and iOS. The update for OS X blocks the SSL certificates fraudulently issued by Comodo (better late than never), Safari 5.0.5 fixes two vulnerabilities in WebKit, and iOS has been updated to 4.3.2 to block the fraudulent Comodo certificates and to fix other vulnerabilities.

Security Update 2011-002 applies to Mac OS X v10.5.8 and Mac OS X v10.6.7 and does nothing else other than to blacklist the fraudulent Comodo certificates.

Safari has been updated to 5.0.5 for Mac OS X v10.5.8, Mac OS X v10.6.5 or later, Windows 7, Vista and XP. Two vulnerabilities have been fixed in WebKit:

  • An integer overflow issue existed in the handling of nodesets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • A use after free issue existed in the handling of text nodes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

iOS 4.3.2 fixes the same two flaws listed above (Safari on the desktop shares a lot of code with the Safari built into iOS), blocks the Comodo certificates, and fixes a vulnerability in libxslt and one in QuickLook:

  • libxslt’s implementation of the generate-id() XPath function disclosed the address of a heap buffer. Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap, which may aid in bypassing address space layout randomization protection. This issue is addressed by generating an ID based on the difference between the addresses of two heap buffers.
  • A memory corruption issue existed in QuickLook’s handling of Microsoft Office files. Viewing a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution.

The latter problem is likely to be the one used by Charlie Miller at this year’s Pwn2Own contest.

Web Browser Tests Show IE Best at Detecting Socially-Engineered Malware

One of the most prevalent forms of malware on the Internet today is what is known as “socially-engineered malware”, meaning malware that uses seemingly benign links and/or trusted social networking sites (like Facebook etc.) to trick visitors into downloading and executing a piece of software with malicious intent. Common examples of such seemingly innocent programs are screen savers, video codec upgrades and free games.

Beginning in 2009, NSS Labs have been conducting tests on the leading web browsers to determine which browsers are most susceptible to socially-engineered malware. The Q3 2010 results have recently been published and the results are very interesting.

At the top of the leader board for protection, surprisingly, comes Internet Explorer. With a bad reputation over the years, IE has often been pushed to one side in favor of Firefox, but these test results portray IE in a new light. Internet Explorer 8 managed to block 90% of the malware, and even more exceptional is that Internet Explorer 9 managed to catch 99% of the threats. These results are even more remarkable when compared to Firefox 3.6, which caught only 19% of the live threats, a 10% decrease in protection from the Q1 2010 tests.

As for the rest of the browsers: Safari 5 caught 11% of the threats, down 18% from Q1 2010. Google Chrome 6 caught 3% of the threats, down 14%, and Opera 10 caught nothing.

You can read the introduction to the group test here and you can download the full report (as a PDF) here.

Safari in iPhone is Vulnerable to Web Attacks by Hiding Address Bar

Safari in iPhone is vulnerable to web attacks that allow malicious websites to masquerade as trusted pages maintained by banks or other entities.

The vulnerability was discovered by security researcher Nitesh Dhanjani. According to Dhanjani’s blog post, which demonstrates the problem, the weakness stems from the ability of web developers to display pages on the iPhone that push the address bar out of view, leaving the user with no trustworthy indication of which site they are actually on.

Dhanjani built a proof of concept demo on his website with a fake Bank of America login page for mobile devices to stress the severity of this security issue in Apple’s iOS.
