Apple has released iPhone OS 2.2 with patches for 12 documented security flaws, some very serious. The vulnerabilities covered by the patch (which also affect iPod Touch) could allow remote code execution, information theft, software crashes and weakened encryption settings.
The updates include:
CVE-2008-2321: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-2327: Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-1586: A memory exhaustion issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected device reset.
CVE-2008-4227: The encryption level for PPTP VPN connections may revert to a previous lower setting. This update addresses the issue by properly setting the encryption preferences.
CVE-2008-4211: An issue in Office Viewer’s handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-4228: iPhone provides the ability to make an emergency call when locked. Currently, an emergency call may be placed to any number. A person with physical access to an iPhone may take advantage of this feature to place arbitrary calls which are charged to the iPhone owner.
CVE-2008-4229: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. A race condition in the handling of device settings may cause the Passcode Lock to be removed when the device is restored from backup. This may allow a person with physical access to the device to launch applications without the passcode.
CVE-2008-4230: If an SMS message arrives while the emergency call screen is visible, the entire SMS message is displayed, even if the “Show SMS Preview” preference was set to “OFF”. This update addresses the issue by, in this situation, displaying only a notification that an SMS message has arrived, and not its content.
CVE-2008-4231: A memory corruption issue exists in the handling of HTML table elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-4232: Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing.
CVE-2008-4233: If an application is launched via Safari while a call approval dialog is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be possible for a maliciously crafted website to block the user’s ability to cancel dialing for a short period of time.
CVE-2008-3644: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a person with physical access to an unlocked device.
There are still several known phishing and spamming flaws in iPhone that remain unfixed.
Computer maker Lenovo is shipping a malware-infected software package to Windows XP users, according to a warning from anti-virus researchers at Microsoft. The malware was found in the Lenovo Trust Key software for Windows XP, a digitally signed driver package available to Windows XP SP2 users.
The malicious file was identified by Microsoft as Win32/Meredrop, a Trojan dropper that is used to install and execute multiple malicious executables on an infected computer. Other anti-virus vendors are detecting the threat as a virus or a porn dialer.
The infected software is used to install the Lenovo Security Logon and the Lenovo Private folder applications for use with the Lenovo Trust Key (also known as Lenovo Insider Key).
Lenovo has already removed the compromised download from its Web site.
Researchers at VoIPshield Labs have reported a wide range of denial-of-service vulnerabilities in Microsoft Communicator, the unified communications client that features business-grade instant messaging, voice, and video tools.
The flaws, rated “high severity,” could cripple VoIP-powered communications on Office Communications Server 2007, Office Communicator and Windows Live Messenger.
Microsoft Communicator Emoticon: By sending instant messages containing a very large number of emoticons to a client, it is possible to cause Microsoft Communicator to become unresponsive for a certain period of time. During this period the phone does not respond to incoming INVITE messages and can even be forced into an offline state, eventually requiring the phone to re-register.
Microsoft Communicator INVITE Flood: Due to the manner in which sessions and authentication are managed it is possible to cause Microsoft Communicator to open a very large number of sessions resulting in the consumption of huge amounts of memory, potentially resulting in a Denial of Service.
Microsoft Communicator Real-time Transport Control Protocol Report Block: Using a specially crafted RTCP receiver report packet, it is possible to cause a Denial of Service (DoS) against Microsoft Communicator, Office Communications Server (OCS) and Windows Live Messenger.
The company said Microsoft has acknowledged the issues.
Adobe AIR is affected by several critical vulnerabilities that could expose users to code execution attacks. The company released AIR 1.5 with fixes for previously discussed flaws in Flash Player (which is embedded in AIR) and a patch for a separate issue that allows the execution of untrusted JavaScript with elevated privileges.
According to Adobe’s bulletin, the issues are all remotely exploitable. They could allow an attacker who successfully exploits the vulnerability to execute untrusted JavaScript with elevated privileges. An Adobe AIR application must load data from an untrusted source to trigger this potential vulnerability. In addition, AIR 1.5 includes a Flash Player update to resolve the critical issues outlined in Flash Player Security Bulletin APSB08-22, as well as issues included in Flash Player Security Bulletins APSB08-20 and APSB08-18. Adobe recommends AIR customers update to Adobe AIR 1.5.
Adobe recommends all users of Adobe AIR 1.1 and earlier versions upgrade to the newest version AIR 1.5 by downloading it from the AIR Download Center as soon as possible since these issues are remotely exploitable.
AVG, the popular anti-virus package, has recently falsely identified Adobe Flash as potentially malicious. The incident comes just days after some users of AVG were left with unusable Windows systems when the AVG security scanner tagged a core Windows component, user32.dll, as a Trojan. Less than a month ago AVG identified CheckPoint’s ZoneAlarm as a Trojan.
Users of both AVG 7.5 and 8 (free and full editions) were hit on Sunday. AVG has admitted the problem and responded by posting advice on how to recover affected systems. The company has also updated its virus definition files to purge the false detection of user32.dll from its virus signature database. Only 4 days later, users on AVG’s forums complained on Friday that Adobe Flash was being detected by AVG’s scanner as malicious, following a recent update.
Explaining the latest issue, AVG said it had nothing to add to a statement issued on Thursday, before the Flash problem blew up, offering users affected by the Windows component snafu a free one-year license or license extension. “AVG Technologies apologizes again for the inconvenience caused to our customers and wishes to assure our users worldwide that the company is actively putting new processes in place to avoid similar occurrences in the future,” it said. A day later there’s another problem of the same type.
False alarms by anti-virus scanners have affected just about every security vendor at one time or another. The issue causes more inconvenience when Windows system files are flagged as potentially malicious, as in this case with AVG, so it’s no surprise to find that AVG’s support forums (http://www.avg.com/support) are filling up with complaints.
These incidents raise questions about the quality control regime for virus definition updates released by Czech-based AVG, best known for the popularity of the cut-down version it offers to consumers at no cost.
Apple has released Safari 3.2 to fix at least a dozen security flaws, some of them very serious. The update, available for Windows XP, Windows Vista and Mac OS X (Tiger and Leopard), addresses vulnerabilities that could be exploited to take full control of a compromised machine.
Some of the more serious flaws:
CVE-2008-1767: A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via http://xmlsoft.org/XSLT/.
CVE-2008-3623: A heap buffer overflow exists in CoreGraphics’ handling of color spaces. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-2327: Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-2332: A memory corruption issue exists in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-3642: A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution.
Three of the 12 issues were found and fixed in WebKit, the open-source Web browser engine. Safari 3.2 should be treated as a “highly critical” update. End users should apply this patch immediately.
Google has also released a new version of its Chrome browser with fixes for a pair of security issues that could expose users to data theft. The issue, rated “moderate,” could allow hackers to use HTML files to steal arbitrary files from a victim’s machine:
r4188 and r4827 address an issue with downloaded HTML files being able to read other files on your computer and send them to sites on the Internet. We now prevent local files from connecting to the network using XMLHttpRequest() and also prompt you to confirm a download if it is an HTML file.
Severity: Moderate. If a user could be enticed to open a downloaded HTML file, this flaw could be exploited to send arbitrary files to an attacker.
The patch, which will eventually be rolled out via Chrome’s automatic update feature, also adds new features around bookmarking and pop-up blocking.
Mozilla has released a new version of its flagship Firefox browser to fix a total of 11 vulnerabilities that expose users to code execution, information stealing or denial-of-service attacks. Four of the 11 flaws covered with the new Firefox 3.0.4 are rated “critical” because of the risk of code execution attacks via specially rigged Web pages.
The four critical vulnerabilities are:
MFSA 2008-55 Crash and remote code execution in nsFrameManager. A vulnerability in part of Mozilla’s DOM constructing code can be exploited by modifying certain properties of a file input element before it has finished initializing. When the blur method of the modified input element is called, uninitialized memory is accessed by the browser, resulting in a crash. This crash may be used by an attacker to run arbitrary code on a victim’s computer.
MFSA 2008-54 Buffer overflow in http-index-format parser. This is a flaw in the way Mozilla parses the http-index-format MIME type. By sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim’s computer.
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore. The browser’s session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Any otherwise unexploitable crash can be used to force the user into the session restore state. This vulnerability could also be used by an attacker to run arbitrary JavaScript with chrome privileges.
MFSA 2008-52 Crashes with evidence of memory corruption. Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
The Firefox update also fixes the following issues:
MFSA 2008-58 Parsing error in E4X default namespace.
MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals.
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation.
MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome.
MFSA 2008-47 Information stealing via local shortcut files.
Mozilla recommends that users who still run FF2 upgrade to FF3 as soon as possible.
Microsoft’s scheduled batch of patches for November fixes at least four documented vulnerabilities affecting Windows, Internet Explorer and Office users. The company released two security bulletins — one rated critical, one rated important — with fixes for flaws that could lead to remote code execution attacks. The updates apply to users running all supported versions of Windows (including Vista and Windows Server 2008) and most versions of Microsoft Office.
The critical MS08-069 bulletin should be treated with the utmost priority because of the risk of remote code execution attacks if a Windows user is simply tricked into browsing to a rigged Web page with Internet Explorer.
Details from the bulletin:
CVE-2007-0099: A remote code execution vulnerability exists in the way that Microsoft XML Core Services parses XML content. The vulnerability could allow remote code execution if a user browses a Web site that contains specially crafted content or opens specially crafted HTML e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2008-4029: An information disclosure vulnerability exists in the way that Microsoft XML Core Services handles error checks for external document type definitions (DTDs). The vulnerability could allow information disclosure if a user browses a Web site that contains specially crafted content or opens specially crafted HTML e-mail. An attacker who successfully exploited this vulnerability could read data from a Web page in another domain in Internet Explorer. In all cases, however, an attacker would have no way to force users to visit these Web sites.
CVE-2008-4033: An information disclosure vulnerability exists in the way that Microsoft XML Core Services handles transfer-encoding headers. The vulnerability could allow information disclosure if a user browses a Web site that contains specially crafted content or opens specially crafted HTML e-mail. An attacker who successfully exploited this vulnerability could read data from a Web page in another domain in Internet Explorer.
The second update — MS08-068 — provides cover for a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. Exploit code for this flaw is currently available on the Internet:
CVE-2008-4037: A remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol handles NTLM credentials when a user connects to an attacker’s SMB server. This vulnerability allows an attacker to replay the user’s credentials back to them and execute code in the context of the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Apple has shipped a major iLife security update to fix three documented vulnerabilities that could expose Mac OS X users to arbitrary code execution attacks. The flaws patched with the new iLife Support 8.3.1 could be exploited via specially crafted TIFF or JPEG images, Apple warned in an advisory.
The patch includes:
CVE-2008-2327: (iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11) Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This flaw was discovered internally by Apple’s security team.
CVE-2008-2332: (iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11) A memory corruption issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Robert Swiecki of the Google Security Team is credited with finding and reporting this vulnerability.
CVE-2008-3608: (iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11) A memory corruption issue exists in ImageIO’s handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. This bug was discovered internally by Apple’s security team.
More details are available at http://support.apple.com/kb/HT3276
Two “highly critical” vulnerabilities in the cross-platform VLC Media Player could put users at risk of remote code execution attacks, according to a warning from security researchers. An error in the CUE demuxer can be exploited to cause a stack-based buffer overflow via a specially crafted CUE image file. In the second vulnerability, an error in the RealText demuxer can be exploited to cause a stack-based buffer overflow via a specially crafted RealText subtitle file.
The issues, reported in versions 0.5.0 through 0.9.5, could let hackers take complete control of compromised machines through rigged media files. VideoLAN, the open-source group that manages the VLC project, has released patches and strongly recommends that users upgrade to VLC media player 0.9.6.
Exploitation of these issues requires the user to explicitly open a specially crafted file. As with any media player, the standard advice is to avoid opening files from untrusted third parties or accessing untrusted remote sites.
For details and updates visit the VideoLAN website.