Skip to content

Posts from the ‘Mac OS X’ Category

10
Mar

Safari Errorjacking Vulnerability and Exploit [Patched]

One of the vulnerabilities patched in Safari 5.0.4 is a fairly critical issue in WebKit (CVE-2011-0167) that allows Javascript to jump into the local zone, and access any file on the local computer that is accessible to the current user. This could be used by malicious websites to extract files and information from the victim’s computer. The vulnerability affects Safari on Mac OS X and Windows, and could affect other WebKit-based browsers, although Chrome is safe due to added restrictions.

The bug exists because most browser error pages are loaded from the local “file:” zone, a zone that Javascript is not normally allowed to access directly. Since a child browser window remains under the control of the parent, it is possible to cause a child browser window to error, thus entering the normally-restricted local zone, and then instructing the child window to access local files using this elevated local-zone privilege.

This issue was a nice catch, discovered by Aaron Sigel who has a detailed explanation, video demo and proof-of-concept on his blog. It probably goes without saying, but Safari users should run Software Update as soon as possible.

10
Mar

Apple Drops iOS 4.3 and Safari 5.0.4 Security Updates Ahead of Pwn2Own Contest

In awesome day-before-just-to-try-and-screw-with-your-exploits style, Apple has released significant security patches for iOS, Safari and Apple TV. Safari, which is one of the targets at CanSecWest’s Pwn2Own contest where hackers come to demonstrate 0day exploits, has received an update to 5.0.4, and fixes over 62 bugs including major vulnerabilities in WebKit (eg. Errorjacking) and the ImageIO and libxml libraries.

iOS 4.3 patches largely the same issues in MobileSafari, as well as a remote code execution vulnerability in CoreGraphics. iOS is expected to get a lot of attention at Pwn2Own, with at least four researchers having developed exploits. Charlie Miller and Dionysus Blazakis (@dionthegod) have one exploit which doesn’t work on update, although allegedly the vulnerability hasn’t been patched yet.

Whether or not these updates thwart some of the exploits developed for Pwn2Own remains to be seen. It’ll be cool if it prevents at least one. Either way, good job to Apple for trying.

Update: Just found out that target iPhones at Pwn2Own won’t be running the latest iOS 4.3 which does indeed prevent a number of exploits. Here’s a recap of the Pwn2Own action.

Lastly, Apple TV has been updated to 4.2 to patch a couple not-so-critical vulnerabilities in libfreetype and libtiff that could allow code execution if a malicious image were opened.

Hi the jump for the long list of issues fixed in iOS 4.3. Read moreRead more

9
Mar

Java Security Updates for Leopard and Snow Leopard

Java LogoApple has released Java for Mac OS X 10.6 Update 4 and Java for Mac OS X 10.5 Update 9, patching a number of vulnerabilities in the Java virtual machine. The most serious of these may allow an untrusted Java applet to execute arbitrary code outside of the Java sandbox. Users with Java installed should update soon. Those of you who don’t have Java don’t need to worry. If you’re unsure, just check Software Update.

Apple recently announced that the version of Java ported by Apple for Mac OS X has been deprecated. Starting in Mac OS X 10.7 “Lion”, the Java runtime will no longer be installed by default, instead requiring users to install Oracle’s Java runtime should they require Java support. Apple also recently stopped bundling Flash with Mac OS X by default, with new MacBook Air and MacBook Pros shipping without Flash. The divesting of these two products will not only eliminate Java and Flash vulnerabilities on default installs of Mac OS X, it will allow users who install these apps to get updates quicker directly from Oracle and Adobe, instead of having to wait for Apple to release software updates.

Hit the jump for details of the Java update for 10.6.

Read moreRead more

8
Mar

Understanding Apple’s Approach to Security

With Apple’s growing market share in desktop computers, and relative dominance in mobile computing, the security of Mac OS X and iOS are increasingly becoming talking points. Apple continues to tout the security of OSX, whilst the iOS hacker community keeps looking for (and finding) exploits that will allow them to jailbreak iPhones and iPads. This article is my own look into Apple’s history and strategy, and how this translates into the company’s focus on security today. Read moreRead more

27
Feb

New Mac OS X Backdoor Trojan (BlackHole RAT) in Development [Updated]

A ‘trojan’ targeting Mac OS X users, dubbed BlackHole RAT, appears to be in development. It’s a variant of a well-known series of malware called Remote Access Tools (RAT) that primarily targeted Windows. It should be noted that on its own, the trojan does not exploit OSX, instead relying on the user to unknowingly ‘install’ it. This is often done under the guise of pirated software, video plugins on porn sites, or from other non-reputable software sources. Although the details are not entirely clear, it appears like your computer needs to be directly accessible from the internet.

This ‘trojan’ (note the intended air quotes) has been blown out of proportion and does not pose a significant level of risk. Macs are not ‘less secure’ because of this tool, as it’s something that could be coded by any 14-year old with a relatively basic knowledge of programming. It’s essentially a normal application whose purpose is to accept connections from its owner, and allow them to perform actions on your computer, etc.

Hit the jump for the full details, a video and download link. Read moreRead more

21
Jan

GPGTools Release Unified Installer for MacGPG/GPGMail

The guys at GPGTools have taken control of the MacGPG2, GPGMail, GPG Keychain Access and GPG Services projects, and have released a single unified installer that installs all of these apps. They are maintaining these tools, which are all 64-bit and Snow Leopard compatible. The package also include Enigmail, a GPG-compatible plugin for Thunderbird (Mozilla’s free email client).

GPG is an open source alternative to PGP’s suite of public key encryption software (PGP Desktop), which allows you to encrypt/decrypt files and emails and create/validate digital signatures.

For more information, check out my tutorial on using GPGMail to send encrypted emails on Mac OS X.

8
Dec

Apple Releases QuickTime 7.6.9 Security Update

Apple has released QuickTime 7.6.9 for Leopard 10.5.8 and Windows (XP,V,7), patching a number of vulnerabilities including several that were fixed in the recent 10.6.5 update.

The vulnerabilities include improper handling of JP2, AVI, MPEG, Flashpix, GIF, PICT, and QTVR files. Viewing maliciously-crafted files can lead to remote code execution in some cases.

QuickTime definitely needs more strengthening. Leopard and Windows users, go forth and patch!

Read moreRead more

1
Dec

Creating a Secure Mac/PC Portable USB Drive

Ever since the release of the IronKey I’ve been drooling over the device (good thing it’s waterproof I guess). Due to not wanting to pay so much for a USB key, I decided to make my own. I grabbed myself a 32GB USB key, and got to work on making it as close to the IronKey as possible.

In this article I’m going to illustrate some of the things you can do to secure the information on your portable thumb drive, increase your privacy, and even install Mac OS X or Linux.
30
Nov

Using GPGMail to Encrypt Email

This post forms part of the series on Securing Leopard, and covers GPGMail, Mail.app plugin that allows you to digitally sign, encrypt and decrypt emails using PGP/GPG.

When Snow Leopard came around, it completely broke support for GPGMail, and there were no other solutions that enabled similar functionality. This caused a significant issue for Snow Leopard users needing GPG functionality. The original developer of GPGMail unfortunately did not have the time to update the plugin and restore support for Snow Leopard.

Since then the GPGMail project has been handed over to a new team of developers who have been working on restoring the full functionality of the plugin under 10.6. This tutorial shows you how to easily install GPGMail and start sending and receiving encrypted emails!

[Updated 21/01/2011] The team at GPGTools have now created a unified installer which consolidates MacGPG2, GPG Keychain Access, GPGMail and GPG Service. Their all-in-one installer simplifies the install process, and installs everything you need for encrypting/signing files and emails.

If you’ve used the GPGTools package, please post your experiences in the comments!

Read moreRead more

29
Nov

Armitage: Metasploit Attack Management GUI

Armitage, by Raphael Mudge, is a great little user interface for Metasploit which allows you to easily discover targets, deliver exploits, and manage your attacks to do things like pivots without any hassles.

Getting started with Armitage in Backtrack 4 R2 is easy. First, start the MySQL DB with /etc/init.d/mysql start (root/toor), and then start the Metasploit RPC daemon:

cd /pentest/exploits/framework3
./msfrpcd -f -U msf -P test -t Basic

Once msfrpcd is running, simply launch Armitage using the script provided and click Connect (you may need to check the Use SSL checkbox).

Armitage is written in Java, and works in Linux, Windows and Mac OS X. Download it here.

[Update] Armitage has been added to the Backtrack repos. Here’s a short tutorial, and check out the video tutorial below.

[Updated 21/01/2011] Hak5 episode 882 features a tutorial with mubix and Mudge (Hak5).

css.php