Apple has shipped a new Mac OS X update that addresses 25 documented vulnerabilities that could lead to arbitrary code execution attacks. Security Update 2008-004 fixes code execution flaws in Launch Services, SMB File Server, System Configuration, VPN and WebKit.
Fixes for six highly critical vulnerabilities in Ruby, a popular open-source scripting language, are also included. The update also installs a Tomcat patch that addresses nine vulnerabilities, the most serious of which may lead to a cross-site scripting attack.
Here is the list of vulnerabilities from Apple’s security bulletin:
Alias Manager (CVE-2008-2308): A memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier.
CoreTypes (CVE-2008-2309): This update adds .xht and .xhtm files to the system’s list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload.
c++filt (CVE-2008-2310): A format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X 10.5.
Dock (CVE-2008-2314): When the system is set to require a password to wake from sleep or screen saver, and Exposé hot corners are set, a person with physical access may be able to access the system without entering a password. This issue does not affect systems prior to Mac OS X 10.5.
Launch Services (CVE-2008-2311): A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation. If the “Open ’safe’ files” preference is enabled in Safari, visiting a maliciously crafted website may cause a file to be opened on the user’s system, resulting in arbitrary code execution. This issue does not affect systems running Mac OS X 10.5 or later.
Net-SNMP (CVE-2008-0960): An issue exists in Net-SNMP’s SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. Additional information is available from US-CERT.
Ruby: Multiple memory corruption issues exist in Ruby’s handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays. Also, if WEBrick is running, a remote attacker may be able to access files protected by WEBrick’s :NondisclosureName option.
SMB File Server (CVE-2008-1105): A heap buffer overflow exists in the handling of SMB packets. Sending malicious SMB packets to an SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution.
System Configuration (CVE-2008-2313): A local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This issue does not affect systems running Mac OS X 10.5 or later.
Tomcat: Tomcat version 4.x is bundled on Mac OS X v10.4.11 systems. Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Further information is available via the Tomcat site.
VPN (CVE-2007-6276): A divide by zero issue exists in the virtual private network daemon’s handling of load balancing information. Processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution.
WebKit (CVE-2008-2307): A memory corruption issue exists in WebKit’s handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2.
Updates can be retrieved and installed using Mac OS X’s integrated update feature.
Security researchers from SecureMac have discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat, Apple’s instant messaging and video chat software, and Limewire.
Researchers at SecureMac, a Mac-specific anti-virus vendor, discovered the Trojan on June 19. The Trojan, AppleScript.THT, was classified as a “critical” threat. SecureMac’s warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on Slashdot.org, and on the same day that rival security vendor Intego provided more information about the bug.
The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger’s and Leopard’s Remote Management component. Composed as a compiled AppleScript or, in another variant, as a script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.
The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.
The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.
Like any Trojan horse, AppleScript.THT does not spread on its own but relies on user interaction, such as downloading and launching, to infect a machine. Trojans can also be silently introduced on a computer if they are dropped after a successful attack using another vulnerability, such as a browser bug.
Users can protect themselves by removing ARDAgent from its normal location, which is /System/Library/CoreServices/RemoteManagement, and archiving the application. MacScan 2.5.2 (SecureMac’s own software) can also protect your system against this threat if you have the latest Spyware Definitions update (2008011), dated June 19th. SecureMac recommends that users download files only from trusted sources and sites.
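As an added example (not code from the article, from SecureMac or from Apple), the following POSIX shell script turns the indicators given above (the dropper names ASthtv05 and AStht_v06, relocation into /Library/Caches/, and a login item) into a simple check, and implements the mitigation SecureMac describes by moving ARDAgent out of its normal location into a quarantine folder. The ROOT prefix, the quarantine destination and the bundle name ARDAgent.app are assumptions made here so the functions can be exercised on a scratch directory tree; on a real Mac ROOT is "/" and the quarantine step needs root privileges.

```shell
#!/bin/sh
# Added example, not from the article or SecureMac: check a Mac for the
# AppleScript.THT indicators the write-up lists and, on request, quarantine
# ARDAgent as SecureMac advised. ROOT is a hypothetical prefix (default "/")
# so the functions can be run against a scratch tree.

THT_NAMES="ASthtv05 AStht_v06"                      # dropper names from the advisory
ARD_DIR="System/Library/CoreServices/RemoteManagement"   # ARDAgent's normal location

# Print every path under $1/Library/Caches that matches a known dropper name,
# with or without the .app suffix the bundle variant would carry.
scan_caches() {
    root="$1"
    for name in $THT_NAMES; do
        for path in "$root/Library/Caches/$name" "$root/Library/Caches/$name.app"; do
            [ -e "$path" ] && echo "INDICATOR: $path"
        done
    done
    return 0
}

# $1 is a comma- or newline-separated list of login item names, as produced on
# a Mac by:
#   osascript -e 'tell application "System Events" to get the name of every login item'
# Print the entries that match a dropper name.
scan_login_items() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | while read -r item; do
        for name in $THT_NAMES; do
            case "$item" in
                "$name"|"$name.app") echo "LOGIN ITEM: $item" ;;
            esac
        done
    done
    return 0
}

# Move ARDAgent.app from its normal location under $1 into the quarantine
# directory $2 (the "remove and archive" mitigation). Prints the new path;
# returns 1 if ARDAgent.app is not where expected. Needs root on a real system.
quarantine_ardagent() {
    root="$1"; dest="$2"
    src="$root/$ARD_DIR/ARDAgent.app"
    [ -d "$src" ] || { echo "ARDAgent.app not found at $src" >&2; return 1; }
    mkdir -p "$dest"
    mv "$src" "$dest/ARDAgent.app"
    echo "$dest/ARDAgent.app"
}

# Command-line entry point: "scan" reports cache indicators, "quarantine [dest]"
# moves ARDAgent aside. With no argument the script only prints usage.
case "${1:-}" in
    scan)       scan_caches "${ROOT:-/}" ;;
    quarantine) quarantine_ardagent "${ROOT:-/}" "${2:-/var/root/ARDAgent-quarantine}" ;;
    *)          echo "usage: $0 scan | quarantine [dest]" ;;
esac
```

Running `sudo sh tht-check.sh scan` reports any dropper found in /Library/Caches; `sudo sh tht-check.sh quarantine` performs the move. Moving the bundle back restores Remote Management once Apple's fix is installed, which is why the script relocates rather than deletes it.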
Apple earlier released QuickTime 7.5, which fixes a number of security bugs. The update is highly critical and patches at least five code execution vulnerabilities in Windows XP, Windows Vista and Mac OS X. It fixes multiple buffer overflows, memory corruption issues and URI handling flaws that could allow malicious hackers to launch exploits with QuickTime movie or image files.
Apple’s security improvements include fixes for:
CVE-2008-1581 (for Windows Vista and Windows XP SP2): An issue in QuickTime’s handling of PixData structures when processing a PICT image may result in a heap buffer overflow. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems running Mac OS X.
CVE-2008-1582 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A memory corruption issue exists in QuickTime’s handling of AAC-encoded media content. Opening a maliciously crafted media file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of media files.
CVE-2008-1583 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A heap buffer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
CVE-2008-1584 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): An issue in QuickTime’s handling of Indeo video codec content may result in a stack buffer overflow. Viewing a maliciously crafted movie file with Indeo video codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering Indeo video codec content.
CVE-2008-1585 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A URL handling issue exists in QuickTime’s handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content in QuickTime Player. This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them.
Microsoft has released Security Advisory (953818) to address reports of a blended threat that affects Windows users who have installed Apple’s Safari web browser. According to the advisory, by convincing a user to visit a specially crafted website, an attacker may be able to execute arbitrary code on an affected system due to Safari’s default file downloading behavior and the way that Windows Internet Explorer handles the downloaded files.
Nitesh Dhanjani disclosed around the middle of last month a vulnerability in Safari (and the way it interacts with Windows and OS X) that allows a remote malicious user to download several files, without the user’s knowledge, to the user’s default download folder (Desktop for Windows and Downloads for OS X). The attack has been dubbed carpet bombing because of its potential to plant multiple malicious files that can in turn obliterate the user’s PC into a digital mess.
The security researcher has been able to show that Safari doesn’t ask for user permission when downloading resources. He set up a sample malicious Web site that served malicious iFrames. He accessed the site using Safari and found that the browser automatically downloads the files multiple times (hence, carpet bombing), storing copies in those folders without first waiting for user commands or showing any dialog box informing the user of what is happening. The report includes a screenshot of the potential danger the automatic download action can cause.
Apple is treating this reported vulnerability not as a security issue, but as another avenue to create an additional enhancement to prevent unwanted downloads.
Microsoft recommends users avoid using Safari until researchers have looked into the browser, and until appropriate updates are provided by either Microsoft or Apple. Users are encouraged to change the download location of files by editing user preferences in Safari.
More than three months after its last update for Mac OS X, Apple released an update with numerous stability, compatibility and security fixes. Mac OS X 10.5.3, the third upgrade to Leopard since Apple launched it in October 2007, addresses issues in several components and bundled applications. Some of these are updates to Apple’s own components, and others are updates to the Open Source packages that Apple provides in its operating system. Apple did not include patches for two of three iCal vulnerabilities that were made public a week ago.
Updates to the following security related modules were made:
AFP Server — Files that are not designated for sharing may be accessed remotely.
Apache — Multiple vulnerabilities in Apache 2.0.55, including cross-site scripting. Apache is updated to version 2.0.63 to address several vulnerabilities.
AppKit — Maliciously crafted file, unexpected application termination, arbitrary code execution.
Apple Pixlet Video — Vulnerability to unexpected application termination, arbitrary code execution.
ATS — Vulnerability to arbitrary code execution.
CFNetwork — Vulnerability leading to disclosure of sensitive information.
CoreFoundation — Vulnerability leading to unexpected application termination or arbitrary code execution.
CoreGraphics — Vulnerability that may lead to an unexpected application termination or arbitrary code execution.
CoreTypes — Lack of prompting against opening “certain potentially unsafe content types” in Automator, Help, Safari, and Terminal.
CUPS — Information disclosure.
Flash Player Plug-in — Arbitrary code execution; updated to version 9.0.124.0.
Help Viewer — Vulnerability to application termination or arbitrary code execution.
iCal — Vulnerability to unexpected application termination or arbitrary code execution.
International Components for Unicode — Disclosure of sensitive information.
Image Capture — Path traversal vulnerability.
ImageIO — Out-of-bounds memory read leading to information disclosure; multiple vulnerabilities in libpng version 1.2.18; vulnerability to unexpected application termination or arbitrary code execution.
Kernel — Remote vulnerability to unexpected system shutdown due to an undetected failure condition, and local user vulnerability to unexpected system shutdown due to mishandling of code signatures.
LoginWindow — Race condition preventing MCX preferences being applied.
Mail — IPv6 vulnerability leading to unexpected application termination, information disclosure, or arbitrary code execution.
ruby — Remote vulnerability; updated to version 1.1.4.
Single Sign-On — Password disclosure in sso_util.
Wiki Server — Remote vulnerability to information disclosure.
Mac OS X 10.5.3 can be downloaded manually from the Apple site, or retrieved and installed using Mac OS X’s integrated update feature.
According to security vendor Core Security Technologies, Apple’s iCal calendar application contains three vulnerabilities that could allow an attacker to crash the application or execute remote code on the victim’s Mac. Core Security released an advisory on Wednesday detailing the vulnerabilities, which affect iCal version 3.0.1 running under Mac OS X 10.5.1 (Leopard).
In order for an attacker to exploit these vulnerabilities, an iCal user must be convinced to open an .ics file sent via e-mail or hosted on a Web server. The ability to add or modify files on a CalDAV server would allow the attacker to trigger the exploits directly. This is the most serious of three vulnerabilities and is possible due to potential memory corruption resulting from a resource liberation bug.
The other two vulnerabilities could be used to crash iCal using a maliciously crafted iCal (.ics) file. There is a possibility to use these two flaws for execution of arbitrary code but so far there is no proof such an attack is possible.
Core Security notified Apple of the vulnerabilities back in January. In February, Apple said it would fix the bugs in its March security patch, but it didn’t. Core Security then rescheduled publication of information about the vulnerabilities for April. So far Apple has not addressed the vulnerabilities, and Core said it is about to publish the information to the public.
Phishers have started targeting users of Apple Inc.’s iTunes music store with sophisticated identity theft attacks. According to e-mail security vendor Proofpoint Inc., many users received spam with messages telling them that they must correct a problem with their iTunes account. A link in the spam leads to a site posing as an iTunes billing update page.
This fake page asks for information, including credit card number and security code, Social Security number and mother’s maiden name. With this attempt iTunes joins companies and brands like PayPal, eBay and Citibank, which are constantly targeted by phishers.
Users who receive an e-mail with a link to a site requesting personal financial information should be very cautious about proceeding. Bookmark or type in the URLs for sites containing financial information, such as your bank or e-commerce sites like iTunes. Never visit the links you receive in an unsolicited e-mail.
According to researcher Nitesh Dhanjani, the Safari browser doesn’t bother to ask for user permission before downloading resources from websites. When encountering malicious iframes and other scripts, the browser obediently does what the website tells it to do, including downloading a file as many times as the HTML scripts order.
The vulnerability allows miscreants to dump hundreds of malicious files into a user’s default download location (in Windows it’s the desktop and in OS X it’s the download folder). It wouldn’t be hard for a rogue site, for example, to load up a desktop with dozens of booby-trapped “My Computer” icons that look like the real Windows icon and wait for a confused user to accidentally click on them.
When informed of this vulnerability, Apple agreed that it might be good if Safari actually checked with the user before downloading potentially vicious files, but signaled that such an addition wasn’t much of a priority.
According to Apple’s security team, they are not treating this as a security issue, but as a further measure to raise the bar against unwanted downloads. Apple wants to set users’ expectations that this could take quite a while, if it ever gets incorporated. Apple uses its security update mechanism as a way to push Safari on users who have never installed the browser, something that offends the sensibilities of many who believe security update notices should be reserved only for buggy software that presents a clear and present danger, that is, for buggy software that’s already installed.
Apple QuickTime is prone to multiple remote vulnerabilities. These issues may allow remote attackers to disclose sensitive information, execute arbitrary code, and carry out denial-of-service attacks.
These issues arise when the application handles specially crafted Java applets, image files and movie files. Successful exploits may allow attackers to gain access to sensitive information, obtain remote unauthorized access in the context of a vulnerable user, and trigger a denial-of-service condition.
Versions of QuickTime prior to 7.4.5 are affected by these vulnerabilities. Vulnerable:
Apple QuickTime Player 7.4.1
Apple QuickTime Player 7.3.1.70
Apple QuickTime Player 7.3.1
Apple QuickTime Player 7.1.6
Apple QuickTime Player 7.1.5
Apple QuickTime Player 7.1.4
Apple QuickTime Player 7.1.3
Apple QuickTime Player 7.1.2
Apple QuickTime Player 7.1.1
Apple QuickTime Player 7.0.4
Apple QuickTime Player 7.0.3
Apple QuickTime Player 7.0.2
Apple QuickTime Player 7.0.1
Apple QuickTime Player 7.4
Apple QuickTime Player 7.3
Apple QuickTime Player 7.2
Apple QuickTime Player 7.1
Not Vulnerable:
Apple QuickTime Player 7.4.5 on: Apple Mac OS X 10.4.9, Apple Mac OS X 10.3.9, Apple Mac OS X 10.5, Apple Mac OS X Server 10.4.9, Apple Mac OS X Server 10.3.9, Apple Mac OS X Server 10.5
Apple released an advisory and fixes to address these issues, along with 11 patches fixing a variety of problems that could allow a hacker to execute malicious code on a machine. The up-to-date version of QuickTime is now 7.4.5. Apple’s Software Update function will download the new patches for computers running Windows and Apple’s Mac OS X.