Marc Gurman at 9to5Mac has discovered a vulnerability on the iPad that allows for a limited bypass of the device’s lockscreen. Anyone with an iPad Smart Cover (or fridge magnet) can gain access to the previously-open app (or the home screen if no app was open).
By holding the power button to bring up the ‘Power Off’ screen, closing the smart cover, re-opening it (or just sliding a fridge magnet along the right-hand side of the device), and clicking cancel, the attacker will be dropped into the screen that was open before the iPad was locked. If the attacker gets dropped into the home screen, then they’ll be able to see the installed apps, but won’t be able to open anything. If Safari or Mail (or any other app) was the open when the device was locked, then the attacker would have access to that app.
Unlike Siri being available from the lock screen, which is not a security flaw (an unintended behaviour), this one actually is; and although an attacker does not get full control of the iPad, the severity depends on whether a sensitive app was being used before the device was locked.
Luckily it is possible to protect yourself against this bug in the interim by disabling Smart Covers in Settings > General > iPad Cover Lock/Unlock > Off. Expect Apple to patch this in iOS 5.0.1. Check out 9to5’s video below for a demonstration:
[Update] Apple did indeed patch this bug in iOS 5.0.1. Those of you who disabled your Smart Covers for security purposes can now re-enable them!
I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.
Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.
The two latest iOS updates are fairly significant in that they patch two critical vulnerabilities. iOS update 4.3.4 patched a number of bugs including comex’s PDF/FreeType vulnerability used to create the latest JailbreakMe exploit. If you’re a jailbreaker, it’s essential that you run comex’s ‘PDF Patcher 2’ within Cydia, in order to patch the underlying vulnerability. iOS update 4.3.5 released a couple days ago, patches a fairly significant bug in the way iOS validates SSL/TLS certificates. This vulnerability can allow an attacker to intercept and/or modify data protected within an SSL session without the user knowing it. This was possible to due the fact that iOS didn’t validate the basicContstrains parameter of SSL certificates in the chain.
If you’re only an occasional patcher – now is the time.
Apple has released Security Update 2011-003 for Mac OS X 10.6 which updates the system’s built in ‘File Quarantine’ (aka. XProtect) mechanism to detect and remove OSX.MacDefender.A. More significantly, however, Apple has now enabled the ability for File Quarantine to receive daily updates to to its malware definition list, essentially giving Mac OS X a very simplistic built-in anti-virus. Now it’s just up to Apple to actually update the malware definitions list on a regular basis.
In System Preferences > Security > General, users can choose whether or not they want to “Automatically update safe downloads list”. I’m not sure “safe downloads list” is the best name for it however, as it doesn’t really help users understand what its purpose is. I highly recommend keeping this option checked. Note that the screenshot below is not a recommendation of what your preferences should look like, it’s merely highlighting the new option. For more into about configuring your Security settings check out Securing Leopard: Security, FileVault and Firewall (to be updated with this new setting shortly).
[Updated 01/06/2011] As I wholly expected, a new variant of MACDefender is already out in the wild that does not get detected by OSX’s File Quarantine. As File Quarantine is simply a blacklist of known malware, it does not have the ability to pick up on malware it doesn’t recognise. This will be a good test to see how quickly Apple responds and updates the File Quarantine definitions. If you installed the 2011-003 security update then your system is already set to check for new updates every 24 hours. Browse safe out there.
[Updated 02/06/2011] Apple has already updated the File Quarantine definitions for the latest MACDefender variant (OSX.MacDefender.C). Pretty good response time by Apple!
A fairly significant 0day vulnerability is being reported in the Skype client (< 220.127.116.112) for Mac OS X. By sending a specially-crafted instant message, an attacker may be able to remotely execute code on the recipient’s computer and gain access to a root shell. This issue has been discovered (by accident it seems) by Gordon Maddern of Australian security consultancy Pure Hacking.
“About a month ago I was chatting on skype to a collegue about a payload for one of our clients. Completely by accident, my payload executed in my collegues skype client. I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac skype client that seemed to be affected. […] Low and behold (sic) I was able to remotely gain a shell.”
It is believed that due to the relative simplicity in the delivery of the payload, it may be possible for this attack to be automated in the form of a worm. Skype are aware of this issue,
but have yet to release a patch (see below). Mac users should be extra careful until a patch is made available, and in the short term I recommend quitting Skype when not using it, or at least checking that your Skype client is set to only allow messages from your contacts (Skype > Preferences > Privacy Tab > Allow Messages From: Contacts).
No further details or proof-of-concept of the vulnerability are available as of yet, although I’d be interested to see it… time to start pasting random Metasploit payloads into Skype! ;)
Full disclosure of the vulnerability is now available here. In short, the issue was a persistent XSS that could be used to redirect the user to a malicious website. Here’s the PoC attack string:
WordPress have released a minor 3.1.1 update which patches an XSS flaw on the database upgrade screens. The change log also mentions a strengthening of security mechanisms relating to media uploads, and fixes to potential PHP crashes caused by complex hyperlinks. The update also includes a number of other security and bug fixes.
It’s a fairly minor update that shouldn’t break any plugins. Update when ready.
Apple has released 10.6.7 and its first security patch of the year, 2011-001, fixing a large number of bugs and vulnerabilities. In particular it fixes a known graphics bug in the 2011 MacBook Pros. It also improves Back To My Mac connectivity and SMB (windows file sharing). From a security perspective it fixes issues in a number of components including the Kernel, Airport, ImageIO, and QuickTime, many of which potentially lead to remote code execution. This update also adds detection for the OSX.OpinionSpy spyware to Mac OS X’s built-in file quarantine.
It’s a fairly big update, so users are naturally advised to patch soon. Hit the jump for the full list of security issues fixed. Read more
This issue was a nice catch, discovered by Aaron Sigel who has a detailed explanation, video demo and proof-of-concept on his blog. It probably goes without saying, but Safari users should run Software Update as soon as possible.
Apple has released Java for Mac OS X 10.6 Update 4 and Java for Mac OS X 10.5 Update 9, patching a number of vulnerabilities in the Java virtual machine. The most serious of these may allow an untrusted Java applet to execute arbitrary code outside of the Java sandbox. Users with Java installed should update soon. Those of you who don’t have Java don’t need to worry. If you’re unsure, just check Software Update.
Apple recently announced that the version of Java ported by Apple for Mac OS X has been deprecated. Starting in Mac OS X 10.7 “Lion”, the Java runtime will no longer be installed by default, instead requiring users to install Oracle’s Java runtime should they require Java support. Apple also recently stopped bundling Flash with Mac OS X by default, with new MacBook Air and MacBook Pros shipping without Flash. The divesting of these two products will not only eliminate Java and Flash vulnerabilities on default installs of Mac OS X, it will allow users who install these apps to get updates quicker directly from Oracle and Adobe, instead of having to wait for Apple to release software updates.
Hit the jump for details of the Java update for 10.6.