APPLE QuickTime 7.6.7 Security Update for Windows

Filed under Hardening, News, Windows

Apple has released a security update for the Windows version of QuickTime, 7.6.7, fixing one vulnerability. According to Apple, this issue does not affect Mac OS X systems.

QuickTime 7.6.7 may be obtained from the Software Update application, or from the QuickTime Downloads site: http://www.apple.com/quicktime/download/

APPLE iOS 4.0.2 Update for iPhone and iPod touch & 3.2.2 Update for iPad

Filed under Apple Updates, Exploits, iPad, iPhone, iTouch

Apple has released an update to fix comex’s recent .pdf exploit used by jailbreakme.com to jailbreak iDevices.

You must use iTunes to update your device. This update is not available through Apple Software Update.

For more information on the security update, see the Apple Security Updates web site: http://support.apple.com/kb/HT1222

APPLE-SA-2009-11-09-1 Security Update 2009-006 – Mac OS X v10.6.2 & 10.5.8

Filed under Apple Updates, Hardening, News, Vulnerabilities

Along with this Snow Leopard update to 10.6.2, Apple also released a security update for OS X 10.5.8 client and server. The update includes numerous security updates and some feature enhancements. Apple also pulled support for the Intel Atom processor, which breaks Hackintosh netbooks.

The update is available via Software Update and Apple’s support downloads site.

iPhone SSH worms making the rounds

Filed under Exploits, News, Vulnerabilities

updated 9.11.09

More variants of iPhone malware are showing up, some claiming to gather personal data from phones. With the source code for ikee circulating, don’t be surprised if more nefarious malware arrives soon.

JailBroken phone w/ alpine default pswd = pwned phone or a honeypot ;)

In the past week or so, at least four variants of simple worms have turned up that look for default ssh passwords on jailbroken iPhones and replace the background screens. The one in the Netherlands is asking users to PayPal 5 € to have it fixed.

JD has an interview with ikee, the Australian writer, and two versions of the source code are available for research purposes. This variant scans a list of subnets for exploitable iPhones and pwns them, replacing the background image with a custom one.

Affected users are iPhone users who have jailbroken their phones and NOT changed their default ssh password of alpine. See Saurik’s page for detailed instructions on changing your ssh password.

Apple Issues Java for Mac OS X 10.5 Update 5 – Patching several vulnerabilities

Filed under Apple Updates, News, Vulnerabilities

Apple issued a Java update Thursday patching several known vulnerabilities.

The 161.35MB update is only applicable to Mac OS X Leopard version 10.5.8 or later (not Snow Leopard). Java SE 6 is updated to version 1.6.0_15, J2SE 5.0 is updated to version 1.5.0_20, and J2SE 1.4.2 is updated to version 1.4.2_22. While J2SE 5.0 and J2SE 1.4.2 support all Intel and PowerPC-based Macs, Java SE 6 requires a 64-bit Intel-based Mac.

Apple ships vulnerable Flash with Snow Leopard

Filed under Apple Updates, News, Vulnerabilities

For those of you who have recently updated to OS X 10.6 Snow Leopard, it is time to upgrade Flash Player. Apple downgraded your installation of Flash to an earlier version (version 10.0.23.1), which is known not to be secure and is not patched against various security vulnerabilities. The version you should be running is the latest version of Flash Player for Mac – 10.0.32.18.

To check your version, use Adobe’s Flash Player version test.

Update your Flash version at Adobe.

New Snow Leopard got Anti-Virus?

Filed under Apple Updates, News

No, not really, but it does check for a couple of the more common trojans. The last developer seed of Snow Leopard (10a421A), and what we expect Apple to release on Friday, contains a file, XProtect.plist, that is used to check for possible trojans.

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

It contains five signatures for the two most active trojans: OSX.RSPlug, which changes DNS settings, and OSX.Iservice, the one bundled with the pirated versions of iWork.

Security Update 2009-004 – Bind Vulnerability Fix

Filed under Apple Updates, News

Apple issued a fix for the recent BIND vulnerability. Good to see Apple releasing fixes fairly fast for known vulnerabilities.

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8

Impact: A remote attacker may be able to cause the DNS server to unexpectedly terminate

Description: A logic issue in the handling of dynamic DNS update messages may cause an assertion to be triggered. By sending a maliciously crafted update message to the BIND DNS server, a remote attacker may be able to interrupt the BIND service. The issue affects servers which are masters for one or more zones, regardless of whether they accept updates. BIND is included with Mac OS X and Mac OS X Server but it is not enabled by default. This update addresses the issue by properly rejecting messages with a record of type ‘ANY’ where an assertion would previously have been raised.

Hijacking Safari 4 Top Sites with Phish Bombs

Filed under Exploits, News, Vulnerabilities

It is possible for a malicious website to place arbitrary sites into your Top Sites view through automated actions. The attack technique uses a small JavaScript window to repeatedly browse to the different sites that the attacker wants to add to your Top Sites list. This window is completely hidden using the window.blur function, so the user won’t know this is happening in the background. Please note that this attack is not possible using invisible iframes, as Safari does not use iframe URLs to decide Top Sites content.

For the complete vulnerability report and POC visit: http://securethoughts.com

APPLE-SA-2009-08-11-1 Safari 4.0.3 Update

Filed under Apple Updates, News

Safari 4.0.3 is now available and addresses the following:

CoreGraphics
CVE-ID: CVE-2009-2468
Available for: Windows XP and Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the drawing of long
text strings. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit
to Will Drewry of Google Inc for reporting this issue.

ImageIO
CVE-ID: CVE-2009-2188
Available for: Windows XP and Vista
Impact: Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the handling of EXIF
metadata. Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking.

Safari
CVE-ID: CVE-2009-2196
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact: A maliciously crafted website may be promoted into Safari’s
Top Sites view
Description: Safari 4 introduced the Top Sites feature to provide an
at-a-glance view of a user’s favorite websites. It is possible for a
malicious website to promote arbitrary sites into the Top Sites view
through automated actions. This could be used to facilitate a
phishing attack.
This issue is addressed by preventing automated website visits
from affecting the Top Sites list. Only websites that the
user visits manually can be included in the Top Sites list. As a
note, Safari enables fraudulent site detection by default. Since the
introduction of the Top Sites feature, fraudulent sites are not
displayed in the Top Sites view. Credit to Inferno of
SecureThoughts.com for reporting this issue.

WebKit
CVE-ID: CVE-2009-2195
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in WebKit’s parsing of
floating point numbers. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit: Apple.

WebKit
CVE-ID: CVE-2009-2200
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Visiting a maliciously crafted website and clicking “Go”
when viewing a malicious plug-in dialog may lead to the disclosure of
sensitive information
Description: WebKit allows the pluginspage attribute of the ‘embed’
element to reference file URLs. Clicking “Go” in the dialog that
appears when an unknown plug-in type is referenced will redirect to
the URL listed in the pluginspage attribute. This may allow a remote
attacker to launch file URLs in Safari, and lead to the disclosure of
sensitive information. This update addresses the issue by restricting
the pluginspage URL scheme to http or https. Credit to Alexios Fakos
of n.runs AG for reporting this issue.

WebKit
CVE-ID: CVE-2009-2199
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could be used to create a URL which contains
look-alike characters. These could be used in a malicious website to
direct the user to a spoofed site that visually appears to be a
legitimate domain. This update addresses the issue by supplementing
WebKit’s list of known look-alike characters. Look-alike characters
are rendered in Punycode in the address bar. Credit to Chris Weber of
Casaba Security, LLC for reporting this issue.

Safari 4.0.3 is available via the Apple Software Update application, or Apple’s Safari download site at:
http://www.apple.com/safari/download/

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

CrashWrangler – Apple’s !exploitable

Filed under Apple Updates, Exploits, News, Vulnerabilities

Apple recently released the new CrashWrangler tools to anyone with a free ADC account. They are available at:
https://connect.apple.com/cgi-bin/WebObjects/MemberSite.woa/wa/getSoftware?bundleID=20390

CrashWrangler is a set of developer tools that help in creating and debugging secure Mac OS X applications. The tools work by inspecting the application’s state at the time of the crash, as well as the application crash logs. Using these tools on a reproducible test case can determine if a crash could lead to a potentially exploitable security issue, while providing valuable data to fix these issues. Additionally, any crash log can be inspected to determine if it is a duplicate of a known crash. The CrashWrangler tools support Mac OS X 10.5 or later.

It should be understood that CrashWrangler uses advanced heuristics, but that false positives and false negatives are possible. It’s intended for quick assessment. As always, a detailed manual inspection is the only way to be sure something is or isn’t exploitable.

The basic algorithm for determining exploitability looks like this.

Exploitable if:
  • Crash on write instruction
  • Crash executing invalid address
  • Crash calling an invalid address
  • Crash accessing an uninitialized or freed pointer as indicated by using the MallocScribble environment variable
  • Illegal instruction exception
  • Abort due to -fstack-protector, _FORTIFY_SOURCE, heap corruption detected
  • Stack trace of crashing thread contains certain functions such as malloc, free, szone_error, objc_msgSend, etc.

Not exploitable if:
  • Divide by zero exception
  • Stack grows too large due to recursion
  • Null dereference
  • Other abort
  • Crash on read instruction

If a crash is determined to be non-exploitable, it’s recommended to run the test case again with libgmalloc(3) enabled and with MALLOC_ALLOW_READS and MALLOC_FILL_SPACE set, and see if the crash changes to one that is considered to be exploitable.
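The rules above that can be read from the text of a crash report, applied to two sample reports. This is an added Python example, not CrashWrangler's code and not from the original post. The rule order, the `NULL_LIMIT` threshold, the guard-abort frame names and the `access` argument (the faulting instruction's access type, which a report does not state) are assumptions, and the sample reports are constructed.

```python
import re

# Frames the page lists as suspicious in the crashing thread (its "etc." is not expanded).
SUSPICIOUS = {"malloc", "free", "szone_error", "objc_msgSend"}
# Assumption: abort paths taken by -fstack-protector and _FORTIFY_SOURCE checks.
GUARD_ABORTS = {"__stack_chk_fail", "__chk_fail"}
BY_EXCEPTION = {"EXC_BAD_INSTRUCTION": (True, "illegal instruction"),
                "EXC_ARITHMETIC": (False, "divide by zero")}
NULL_LIMIT = 0x1000  # assumption: a fault in the first page is a null dereference

# Constructed sample reports, not real crashes.
HEAP = """Exception Type:  EXC_CRASH (SIGABRT)
Thread 0 Crashed:
0   libSystem.B.dylib  0x00007fff832a6a43 szone_error + 476
1   libSystem.B.dylib  0x00007fff831d4f1d free + 128
"""
NULLREAD = """Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000008
Thread 0 Crashed:
0   demo  0x0000000100000f1c parse_header + 28
"""

def parse_report(text):
    """Return (exception type, fault address, crashed-thread symbols)."""
    exc = re.search(r"^Exception Type:\s+(\w+)", text, re.M)
    addr = re.search(r"^Exception Codes:.* at (0x[0-9a-fA-F]+)", text, re.M)
    thread = re.search(r"^Thread \d+ Crashed:.*\n((?:\d+\s.*(?:\n|$))+)", text, re.M)
    frames = re.findall(r"0x[0-9a-fA-F]+\s+(\S+) \+ \d+", thread.group(1)) if thread else []
    return (exc.group(1) if exc else None,
            int(addr.group(1), 16) if addr else None, set(frames))

def triage(text, access=None):
    """Return (exploitable, reason); access is 'read', 'write' or 'exec' if known."""
    exc, addr, frames = parse_report(text)
    if exc in BY_EXCEPTION:
        return BY_EXCEPTION[exc]
    if frames & GUARD_ABORTS:
        return True, "abort from stack protector or _FORTIFY_SOURCE"
    if frames & SUSPICIOUS:
        return True, "suspicious frame: " + ", ".join(sorted(frames & SUSPICIOUS))
    if exc == "EXC_CRASH":
        return False, "other abort"
    if exc == "EXC_BAD_ACCESS" and addr is not None and addr < NULL_LIMIT:
        return False, "null dereference"
    if exc == "EXC_BAD_ACCESS" and access in ("write", "exec"):
        return True, "crash on " + access
    if exc == "EXC_BAD_ACCESS" and access == "read":
        return False, "crash on read; re-run under libgmalloc before closing"
    return None, "needs manual inspection"
```

A `None` verdict means the report alone does not decide the case, which matches the post's point that these heuristics are for quick assessment only.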

CrashWrangler does not send any data about your crash to Apple or anyone else. Note that it does forward the information about the crash to CrashReporter, which is part of the OS, and as always it will send info to Apple if and only if you click the “Send to Apple” button in the Crash Reporter dialog.

Apple keyboard firmware based keylogger hack

Filed under Exploits, News, Vulnerabilities

Apple’s keyboards have 8Kb of flash memory and 256 bytes of RAM. K. Chen has found a way to very easily install keyloggers, rootkits or other malicious code right inside of an Apple keyboard. K. Chen presented his findings at this year’s Black Hat conference.

It’s actually quite easy to abuse the memory and RAM in Apple keyboards, thanks to Apple’s HIDFirmwareUpdaterTool, which is used to update the firmware in HID devices, among which is the Apple keyboard. “The tool is run, a breakpoint set, and then you simply cut and paste the new code into the firmware image in memory. That’s it,” SemiAccurate explains. Nothing is encrypted or decrypted, and it’s all very simple to do. Resume the HIDFirmwareUpdaterTool, and a few seconds later, your keyboard is compromised. Rebooting won’t help, you can’t pull any batteries, and it’s impossible to detect.

In practical terms, you can abuse the RAM available in keyboards and in any other device, and there are many Apple firmware updates available for all kinds of devices: graphics cards, keyboards, trackpads, Bluetooth, EFI, SuperDrive, AirPort products, Time Capsule, etc.
