October 25, 2014

Apple fixes 44 security bugs in iOS

(LiveHacking.Com) – Apple has released a new point release of iOS 7 to address 44 different security issues with Apple’s mobile operating system. Among the patches are bug fixes for vulnerabilities in the iOS kernel, and fixes for errors in “launchd,” which could allow a malicious application to execute arbitrary code with system privileges. There are also lots of fixes for WebKit, the HTML rendering engine used by Safari.

The kernel vulnerability, which could cause an iOS device to unexpectedly restart, exists because of a null pointer dereference in the handling of IOKit API arguments. This problem was addressed through additional validation of IOKit API arguments.

launchd has been patched quite extensively in this release. The program is responsible for starting, stopping and managing background processes and apps on iOS. According to Apple’s security notice for iOS 7.1.2, launchd has several different vulnerabilities including a heap buffer overflow in the handling of IPC messages, a heap buffer overflow in the handling of log messages, and some unspecified integer overflow/underflow issues. All of these could possibly allow a malicious application to execute arbitrary code with system privileges.

The WebKit HTML rendering engine was also heavily patched, with 28 unique bugs being squashed. Many of the bugs were discovered either by Google’s Chrome Security Team or by renowned security researchers like “miaubiz” who were participating in Google’s Vulnerability Rewards Program for Chromium. However, Apple did find several bugs on its own. In total, the discovery of 12 of the 28 vulnerabilities is attributed (or co-attributed) to Apple. The result of the “multiple memory corruption issues” in WebKit was that a user visiting a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution.

Two other WebKit vulnerabilities were also found by Erling Ellingsen of Facebook. The first was an encoding issue that existed in the handling of Unicode characters in URLs. The result was that a malicious site could send messages to a connected frame or window in a way that might circumvent the receiver’s origin check. The other problem was a spoofing issue that existed in the handling of URLs.

Another interesting issue fixed in this version of iOS was a problem with Siri and lock codes. If a Siri request referred to one of several possible contacts, Siri displayed a list of choices and the option ‘More…’ for a complete contact list. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list.

iOS 7.1.2 is available now for the iPhone 4 and later, the iPod touch (5th generation) and later, and the iPad 2 and later.

Apple releases iTunes 10.7 with support for iOS 6 plus it fixes 163 WebKit vulnerabilities

(LiveHacking.Com) – In the wake of the new iPhone 5 announcement, Apple has released iTunes 10.7 for Windows 7, Vista and XP to include support for iOS 6 and the new iPhone, plus it has taken the opportunity to update the built-in WebKit-based web browser. The iTunes Store is web powered and as such uses WebKit to display the current songs, movies and TV which Apple are offering.

WebKit is an open source HTML rendering engine which Apple created. It is also used in Google Chrome. As a result when Apple or Google fix a security issue in WebKit everyone benefits, even iTunes users! This update fixes 163 vulnerabilities.

Apple explains these 163 vulnerabilities in the succinct statement: “Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution,” which it explains is because “multiple memory corruption issues existed in WebKit. These issues are addressed through improved memory handling.”

Many of these vulnerabilities have been previously fixed in Google’s Chrome web browser, with many of the vulnerabilities being credited to the “Google Chrome Security Team” or to security researchers, like Miaubiz, who receive rewards from Google for finding bugs. However, Apple did do its fair share of the work, with at least 25 of the vulnerabilities being discovered by Apple itself.

iOS 6 will become available on Wednesday, Sept. 19. It will be available for the new iPhone 5 and fifth-generation iPod Touch plus users of the iPhone 4S, iPhone 4, iPhone 3GS, new iPad, iPad 2, and fourth-generation iPod touch will be able to upgrade for free.

You can download iTunes 10.7 from Apple’s official website.

Address Bar Spoofing Vulnerability in Safari in iOS

(LiveHacking.Com) – David Vieira-Kurz of MajorSecurity has discovered an address bar spoofing vulnerability in the Safari web browser used in iOS. The vulnerability, which is actually in WebKit – the rendering engine used on mobile Safari, allows an attacker to manipulate the address bar in the browser and take the user to a malicious site with a fake (but genuine looking) URL showing.

The vulnerability is caused by an error in the handling of URLs when using JavaScript’s window.open() method. This can be exploited to trick users into supplying sensitive information to a malicious web site, because the address bar shows the URL of a genuine and trusted site.

Proof of concept
David has created a special web page which demonstrates the vulnerability at http://majorsecurity.net/html5/ios51-demo.html

  1. Visit the POC site with an Apple iOS device
  2. Click the “demo” button
  3. Safari will open a new window with “http://www.apple.com” in the address bar, but in fact the Apple web site is being displayed inside an iframe and the actual site is http://www.majorsecurity.net
  4. Safari’s address bar is showing “http://www.apple.com” which makes the user believe they are currently visiting Apple.com but in fact they are on another website.

The advisory says the vulnerability is present in iOS 5.0 and iOS 5.1 and that Apple have been informed. Our internal testing here at LiveHacking.com has shown that the vulnerability also exists in iOS 4.3.1 which could mean that all iOS 4 and iOS 5 devices are vulnerable.

Apple Includes iOS 5.1 WebKit Fixes in Safari

(LiveHacking.Com) – Apple recently released iOS 5.1 with over 60 fixes to WebKit, the web rendering engine used by the iPhone’s operating system. Now Apple has released an update to Safari (its web browser for Windows and Mac) with an almost identical set of fixes. One thing made very clear from this is that Apple are truly using the same code across the mobile and desktop versions of its Safari browser, and that vulnerabilities found by Google in its web browser often apply to Safari in iOS and on the desktop.

As with the iOS update, most (if not all) of these WebKit errors have been previously fixed in Google’s Chrome web browser, with many of the vulnerabilities being credited to the “Google Chrome Security Team” or to security researchers, like Sergey Glazunov, who receive rewards from Google for finding bugs. However, Apple did do its fair share of the work, with a good portion of the WebKit vulnerabilities being discovered by Apple themselves.

The majority of the WebKit errors are described by Apple, in its security advisory, as memory corruption issues that can be exploited if the user visits a specially crafted web page. Rendering the page may lead to an unexpected application termination or arbitrary code execution. Other fixes included in Safari 5.1.4 include:

  • Look-alike characters in a URL could be used to masquerade as a website. The International Domain Name (IDN) support in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This issue is addressed through an improved domain name validity check. This issue does not affect OS X systems.
  • Visiting a maliciously crafted website may lead to the disclosure of cookies. A cross-origin issue existed in WebKit, which may allow cookies to be disclosed across origins.
  • Visiting a maliciously crafted website and dragging content with the mouse may lead to a cross-site scripting attack. A cross-origin issue existed in WebKit, which may allow content to be dragged and dropped across origins.
  • Cookies may be set by third-party sites, even when Safari is configured to block them. An issue existed in the enforcement of its cookie policy. Third-party websites could set cookies if the “Block Cookies” preference in Safari was set to the default setting of “From third parties and advertisers”.
  • HTTP authentication credentials may be inadvertently disclosed to another site. If a site uses HTTP authentication and redirects to another site, the authentication credentials may be sent to the other site.
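The look-alike-character problem in the first item above is one a hostname validity check can catch. The following Python is an added example, not Apple’s check (the advisory does not describe it): it flags labels that mix scripts, flags whole-label Cyrillic look-alikes of ASCII names, and shows such labels in their punycode form instead of the spoofable Unicode. The confusable table is a constructed subset, and the one-script-per-label policy is a simplifying assumption.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like ASCII letters in most fonts.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
}


def decode_label(label: str) -> str:
    """Return the Unicode form of one hostname label (decodes xn-- labels)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in_label(label: str) -> set:
    """Scripts (first word of each letter's Unicode name) used in a label.
    Digits and '-' are neutral; more than one script in a label is suspect."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def lookalike_of(label: str):
    """ASCII name a non-ASCII label is confusable with, or None if there is no
    whole-label twin (some character has no ASCII look-alike in the table)."""
    if label.isascii():
        return None
    mapped = []
    for ch in label:
        if ch.isascii():
            mapped.append(ch)
        elif ch in CONFUSABLE:
            mapped.append(CONFUSABLE[ch])
        else:
            return None
    return "".join(mapped)


def display_form(host: str) -> str:
    """Show each label in Unicode when it passes both checks, otherwise in its
    punycode form, so a look-alike label cannot pass for the domain it imitates."""
    shown = []
    for label in host.split("."):
        u = decode_label(label)
        risky = len(scripts_in_label(u)) > 1 or lookalike_of(u) is not None
        if risky and not u.isascii():
            shown.append("xn--" + u.encode("punycode").decode("ascii"))
        else:
            shown.append(u)
    return ".".join(shown)
```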

Still Vulnerable?

What is currently unknown is if Safari is vulnerable to the two critical vulnerabilities found in Chrome last week during the CanSecWest security conference for which Google paid out over $120,000 to Sergey Glazunov and a researcher known as PinkiePie (aka PwniePie).

Download

Safari 5.1.4 is available to download, for Mac and Windows, from Apple’s Safari page.

iOS 5.1 Fixes Mammoth Amount of Security Issues – Many in WebKit

(LiveHacking.Com) – Apple has released iOS 5.1 for the iPhone 3GS, 4 and 4S, the 3rd and 4th generation iPod touch, and all of its iPad models. As well as a few new features, this point release update contains a slew of security related bug fixes. Over 90 individually identifiable vulnerabilities were fixed, the majority of which were in WebKit – the web browser rendering system used in Safari. These WebKit errors are ones mostly already fixed in Chrome, with the credit for the discovery of the vulnerabilities going to the “Google Chrome Security Team.” However, Apple haven’t been sitting around doing nothing; a healthy portion of the WebKit errors were also discovered by Apple themselves.

The WebKit errors are described by Apple, in its security advisory, as memory corruption issues that can be exploited if the user visits a specially crafted web page. Rendering the page may lead to an unexpected application termination or arbitrary code execution.

Besides WebKit, Apple fixed other bugs including a kernel logic issue in the handling of debug system calls that could allow a malicious program to gain code execution in other programs with the same user privileges, and a race condition in the handling of slide to dial gestures that could allow a person with physical access to the device to bypass the Passcode Lock screen.

Another lock screen issue fixed is related to Siri. If Siri was enabled for use on the lock screen, and Mail was open with a message selected behind the lock screen, a voice command could be used to send that message to an arbitrary recipient. This issue is addressed by disabling forwarding of active messages from the lock screen.

A non WebKit related error has been fixed in Safari’s Private Browsing mode. Safari’s Private Browsing is designed to prevent recording of a browsing session. Pages visited as a result of a site using the JavaScript methods pushState or replaceState were recorded in the browser history even when Private Browsing mode was active. This issue is addressed by not recording such visits when Private Browsing is active.

New Features

Besides support for the new iPad with the retina display, iOS 5.1 adds the following notable new features:

  • Images can now be removed manually from the Photo Stream in iCloud. Any photos deleted are now also removed from other iOS devices connected to iCloud.
  • Genius now available with iTunes Match.
  • Improved Location Services.
  • Support for Siri in Japanese.
  • New Lockscreen camera button – you no longer have to double tap home button, just swipe up to access the Camera app.
  • App Store download limit over 3G increased from 20 megabytes to 50 megabytes.
  • Face detection in Camera app now tags faces with green boxes.

Google Pays Out $47,500 in Rewards For Security Bugs Found and Fixed in Chrome 17.0.963.65

(LiveHacking.Com) – Google has released Chrome 17.0.963.65 for Windows, Linux and Mac, which fixes a number of security related and non-security related bugs. Along the way, Google gave out an extra $30,000 as special rewards for some special bugs. Including a further 14 rewards, for other security related bugs, Google paid out $47,000 to security researchers for helping make Chrome more secure.

The three special bug finds are:

  1. [$10,000] [116661] Rockstar CVE-1337-d00d1: Excessive WebKit fuzzing. Credit to miaubiz.
  2. [$10,000] [116662] Legend CVE-1337-d00d2: Awesome variety of fuzz targets. Credit to Aki Helin of OUSPG.
  3. [$10,000] [116663] Superhero CVE-1337-d00d3: Significant pain inflicted upon SVG. Credit to Arthur Gerkis.

To determine the above rewards, Google looked at bug finding performance over the past few months. The three named individuals stood out significantly.

“We have always reserved the right to arbitrarily reward sustained, extraordinary contributions. In this instance, we’re dropping a surprise bonus. We reserve the right to do so again and reserve the right to do so on a more regular basis! Chrome has a leading reputation for security and it wouldn’t be possible without the aggressive bug hunting of the wider community” wrote Jason Kersey from Google.

The other security related bugs that are fixed include:

  • [$1000] [105867] High CVE-2011-3031: Use-after-free in v8 element wrapper. Credit to Chamal de Silva.
  • [$1000] [108037] High CVE-2011-3032: Use-after-free in SVG value handling. Credit to Arthur Gerkis.
  • [$2000] [108406] [115471] High CVE-2011-3033: Buffer overflow in the Skia drawing library. Credit to Aki Helin of OUSPG.
  • [$1000] [111748] High CVE-2011-3034: Use-after-free in SVG document handling. Credit to Arthur Gerkis.
  • [$2000] [112212] High CVE-2011-3035: Use-after-free in SVG use handling. Credit to Arthur Gerkis.
  • [$1000] [113258] High CVE-2011-3036: Bad cast in line box handling. Credit to miaubiz.
  • [$3000] [113439] [114924] [115028] High CVE-2011-3037: Bad casts in anonymous block splitting. Credit to miaubiz.
  • [$1000] [113497] High CVE-2011-3038: Use-after-free in multi-column handling. Credit to miaubiz.
  • [$1000] [113707] High CVE-2011-3039: Use-after-free in quote handling. Credit to miaubiz.
  • [$500] [114054] High CVE-2011-3040: Out-of-bounds read in text handling. Credit to miaubiz.
  • [$1000] [114068] High CVE-2011-3041: Use-after-free in class attribute handling. Credit to miaubiz.
  • [$1000] [114219] High CVE-2011-3042: Use-after-free in table section handling. Credit to miaubiz.
  • [$1000] [115681] High CVE-2011-3043: Use-after-free in flexbox with floats. Credit to miaubiz.
  • [$1000] [116093] High CVE-2011-3044: Use-after-free with SVG animation elements. Credit to Arthur Gerkis.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fix.

This release also fixes a number of non-security related issues including:

  • Cursors and backgrounds sometimes do not load (bug 111218)
  • Plugins not loading on some pages (bug 108228)
  • Text paste includes trailing spaces (bug 106551)
  • Websites using touch controls break (bug 110332)

Along with these fixes, the release contains an updated version of the Adobe Flash player (11.1.102.63). But at the time of writing Adobe hasn’t published any information about what has been fixed in this new version.

WebKit Vulnerability Allows Attackers to Take Control of Android Devices

(LiveHacking.Com) – CrowdStrike, a new security technology company formed by key cyber security executives from McAfee, will demonstrate a new WebKit based attack against Google Android which results in the attacker gaining access to critical system processes and taking complete control of the victim’s device. The firm plans the demo as part of its debut at the RSA Conference 2012.

To launch the attack a hacker sends an email or text message that tricks the recipient (via social engineering) to click on a link, which in turn infects the device. At this point, the hacker gains complete control of the phone, enabling him to eavesdrop on phone calls and monitor the location of the device.

Since WebKit is also used in Google Chrome, Research in Motion’s BlackBerry, Apple’s Safari web browser and Apple’s iOS devices, this could open up exploits across multiple platforms.

“With modifications and perhaps use of different exploits, this attack will work on every smartphone device and represents the biggest security threat on those devices,” said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike.

The CrowdStrike exploit only works on Android 2.2 (Froyo) but Alperovitch said he expects to have a second version of the hack soon that can attack phones running Android 2.3 (Gingerbread, which runs on about 59% of all Android devices).

The consequences of such a vulnerability are enormous, as once the hole is patched in the WebKit project it can take months for the fix to trickle down to actual devices. Worse still, many handset manufacturers never update the firmware on older phones, meaning that some Android 2.2 users will be left with a vulnerable phone with no possibility of a fix other than resorting to custom ROM images.

Apple Releases iTunes 10.5 With Support for iOS 5 and Fixes for Multiple Vulnerabilities

(LiveHacking.Com) – Apple has released iTunes 10.5 in preparation for the imminent release of iOS 5. Along with support for iCloud and wireless syncing, iTunes 10.5 contains a large number of security related fixes for the Windows version. The OS X version contains all the new features but not the security fixes, as Apple is planning to release a separate system wide update for OS X to address these vulnerabilities, although some have already been addressed in previous security updates by Apple.

The update fixes 79 vulnerabilities of which 73 are within WebKit, the HTML rendering engine found in Safari and Google Chrome, which Apple also uses to power iTunes. Since fixes are also applied to WebKit via Google’s Vulnerability Rewards Program, names like Sergey Glazunov (famous for his work on Chrome) also appear in the list of contributors.

Other than the WebKit fixes, the following vulnerabilities were patched:

  • A memory corruption issue existed in the handling of string tokenization. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.
  • An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.
  • A buffer overflow existed in the handling of audio streams encoded with Advanced Audio Coding (AAC). This issue does not affect OS X Lion systems.
  • A buffer overflow existed in the handling of H.264 encoded movie files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.
  • A heap buffer overflow existed in ImageIO’s handling of TIFF images. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
  • A reentrancy issue existed in ImageIO’s handling of TIFF images. This issue does not affect Mac OS X systems.