Apple Releases Slew of Security Updates (OSX, Safari, iTunes, iOS 5, aTV)
I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.
Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.
Browser and Smartphone Exploits Fly at Pwn2Own [Recap]
With Google offering $20,000 for a Chrome sandbox exploit, Apple releasing fresh security updates, and the organisers allowing researchers to target mobile phone basebands, it was sure make for an interesting Pwn2Own contest at CanSecWest this year.
For the fifth year running, Pwn2Own invited security researchers to discover vulnerabilities and develop exploits for the most popular browsers on Mac OS X and Windows (for some reason Linux is left out this year). Traditionally IE, Firefox and Safari have gotten exploited, with Chrome being the last browser standing at last year’s competition. Google upped the ante by making it significantly more attractive to target their browser this year.
In short: Safari, Internet Explorer, iPhone and Blackberry were all successfully compromised. Chrome and Firefox survive. Hit the jump for the full details! Read more
Apple Drops iOS 4.3 and Safari 5.0.4 Security Updates Ahead of Pwn2Own Contest
In awesome day-before-just-to-try-and-screw-with-your-exploits style, Apple has released significant security patches for iOS, Safari and Apple TV. Safari, which is one of the targets at CanSecWest’s Pwn2Own contest where hackers come to demonstrate 0day exploits, has received an update to 5.0.4, and fixes over 62 bugs including major vulnerabilities in WebKit (eg. Errorjacking) and the ImageIO and libxml libraries.
iOS 4.3 patches largely the same issues in MobileSafari, as well as a remote code execution vulnerability in CoreGraphics. iOS is expected to get a lot of attention at Pwn2Own, with at least four researchers having developed exploits. Charlie Miller and Dionysus Blazakis (@dionthegod) have one exploit which doesn’t work on update, although allegedly the vulnerability hasn’t been patched yet.
Whether or not these updates thwart some of the exploits developed for Pwn2Own remains to be seen. It’ll be cool if it prevents at least one. Either way, good job to Apple for trying.
Update: Just found out that target iPhones at Pwn2Own won’t be running the latest iOS 4.3 which does indeed prevent a number of exploits. Here’s a recap of the Pwn2Own action.
Lastly, Apple TV has been updated to 4.2 to patch a couple not-so-critical vulnerabilities in libfreetype and libtiff that could allow code execution if a malicious image were opened.
Hi the jump for the long list of issues fixed in iOS 4.3. Read more
Understanding Apple’s Approach to Security
With Apple’s growing market share in desktop computers, and relative dominance in mobile computing, the security of Mac OS X and iOS are increasingly becoming talking points. Apple continues to tout the security of OSX, whilst the iOS hacker community keeps looking for (and finding) exploits that will allow them to jailbreak iPhones and iPads. This article is my own look into Apple’s history and strategy, and how this translates into the company’s focus on security today. Read more
WordPress 3.0.5 Update Fixes Security Issues
WordPress 3.0.5 has been released, and is primarily a security update focusing on vulnerabilities which can be exploited through untrusted user accounts. This follows the recent 3.0.3 and 3.0.4 updates which were also security-focused. If your WordPress installation does not have any non-admin users, then this update is less urgent, however it is recommended that you update as soon as possible anyway.
Here is a description of the five main updates:
Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.
One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.
Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in previous release.
WordPress 3.1 is currently at RC4 and is expected to be officially released soon.
Apple Releases QuickTime 7.6.9 Security Update
Apple has released QuickTime 7.6.9 for Leopard 10.5.8 and Windows (XP,V,7), patching a number of vulnerabilities including several that were fixed in the recent 10.6.5 update.
The vulnerabilities include improper handling of JP2, AVI, MPEG, Flashpix, GIF, PICT, and QTVR files. Viewing maliciously-crafted files can lead to remote code execution in some cases.
QuickTime definitely needs more strengthening. Leopard and Windows users, go forth and patch!
Making Calls Using Keylock Bypass Bug on iOS 4.1
A keylock bypass bug has been found in iOS 4.1 which allows unauthorised users circumvent the passcode screen to make calls. It’s a pretty simply trick which involves entering a number (eg. 1) on the ‘Emergency Call’ screen, pressing Call and then immediately pressing the lock button. This brings up the Phone app where the user can pick a name from the contact list, or enter a phone number of their choice. To return the phone to normal (without rebooting it), just hold down the Home button until the Voice screen comes up, press Cancel, and then the lock button.
You are able to add/delete contacts, and open the Mail app by sharing a contact where you can then create and send emails.
Here’s a demo:
I’m running 3.1.3 on an iPhone 2G, and for some reason I can make arbitrary calls directly from the Emergency Call screen without any fancy tricks. Go figure.
These kinds of vulnerabilities are not unique to iPhones however, with similar bypass bugs being found in some Android-based phones.
[Update] Thanks Andy for clarifying what an attacker can do using this technique.
[Update 2] This bug has been fixed in the iOS 4.2 update.
Vulnerability in FaceTime Beta (Quietly Patched?)
A vulnerability has been found in FaceTime Beta whereby a logged-in user can view and change any of the account details (including the security question/answer) for that account, without first being re-authenticated. There is also an issue with the logout function, as the password remains in the password field after logout, even after the application is quit and reopened.
Although no updates have been officially released, there are reports that some users can no longer reproduce these issues. Quiet fix by Apple? To be safe, you can avoid logging into FaceTime Beta on a computer you don’t own/fully trust until an official update or final version are released.
Apple QuickTime 7.6.7 “_Marshaled_pUnk” Code Execution Vulnerability and Metasploit Exploit
A new (read: yet another) 0day QuickTime vulnerability has been discovered by researcher Ruben Santamarta which leads to arbitrary client-side code execution. The vulnerability, which affects QuickTime <= 7.6.7 on Windows XP, Vista and 7 and defeats DEP and ASLR, is due to a flaw in the way the QuickTime ActiveX controller handles a supplied parameter and treats it as a trusted pointer.
This vulnerability can be exploited by luring the victim to a malicious web page. A heap-spraying Metasploit module has already been published which exploits this issue.
Hack Uses Geolocation to Pinpoint Your Location
In one of the more simple yet clever attacks I’ve seen this year, at BlackHat and Defcon, Samy Kamkar (author of the 2005 Samy MySpace worm) showed how javascript and geolocation could be used to more or less pinpoint a user’s location. An attack Samy dubbed ‘XXXSS‘.
The attack works by using javascript to obtain the MAC address (a unique hardware identifier) of the victim’s network router or gateway, and then submitting it to Google’s Geolocation service to obtain the coordinates. Read more
Loading ...
