
Posts tagged ‘vulnerability’


Safari 5.0.2 Update Fixes WebKit Bugs

Apple has released Safari 5.0.2 and 4.1.2 updates for Mac OS X and Windows which fix issues in both Safari and WebKit (the browser’s rendering engine).

The first issue, which affects Safari on Windows only, may lead to arbitrary code execution if the user asks Safari to reveal the location of a downloaded file. The other two are in WebKit: an input validation issue in its handling of floating point data types, and a use-after-free in its handling of elements with run-in styling. Both could be used to execute arbitrary code.

These two updates should be available in Software Update.



Apple QuickTime 7.6.7 “_Marshaled_pUnk” Code Execution Vulnerability and Metasploit Exploit

A new (read: yet another) QuickTime 0day has been discovered by researcher Ruben Santamarta which leads to arbitrary client-side code execution. The vulnerability affects QuickTime up to and including 7.6.7 on Windows XP, Vista and 7, and can be exploited in a way that defeats DEP and ASLR. It is due to a flaw in the way the QuickTime ActiveX control handles the “_Marshaled_pUnk” parameter: a value supplied by the web page is treated as a trusted object pointer.

The vulnerability is exploited by luring the victim to a malicious web page; a Metasploit module, which uses a heap spray to exploit the issue, has already been published.
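To make the bug class concrete, here is an added illustration (not Apple's code, and not the Metasploit module) of an ActiveX-style control that takes a page-supplied parameter and treats it as an object pointer, next to the fix: the control only honours opaque handles it issued itself. The object layout, handle format, table size and function names are assumptions for the example.

```c
/* Added illustration of the bug class behind the _Marshaled_pUnk advisory;
 * this is not Apple's code. A control reads a <param> value supplied by the
 * page and treats it as an object pointer; the fix only accepts opaque
 * handles the control issued itself. Names, the handle layout and the
 * table size are assumptions for the example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A COM-style object: the first word is the vtable pointer, so a method call
 * through an attacker-chosen pointer dispatches through attacker memory. */
typedef struct Unknown Unknown;
typedef struct {
    int (*AddRef)(Unknown *);
    int (*Release)(Unknown *);
} UnknownVtbl;
struct Unknown {
    const UnknownVtbl *lpVtbl;
    int refs;
};

static int addref(Unknown *u)  { return ++u->refs; }
static int release(Unknown *u) { return --u->refs; }
static const UnknownVtbl unknown_vtbl = { addref, release };

/* VULNERABLE: the page's <param name="_Marshaled_pUnk" value="..."> is parsed
 * as an address and dereferenced. With a heap spray the attacker makes that
 * address hold a fake vtable, so AddRef() becomes an arbitrary indirect call.
 * Kept for its shape only; nothing below calls it. */
int set_marshaled_punk_unsafe(const char *param_value)
{
    Unknown *u = (Unknown *)(uintptr_t)strtoull(param_value, NULL, 0);
    return u->lpVtbl->AddRef(u);            /* call through attacker pointer */
}

/* FIXED: pages never supply pointers. The control keeps the objects it
 * created in a table and hands out opaque handles (random tag, 1-based
 * index); a param value is honoured only if it names a live entry. */
#define MAX_OBJS 16
static Unknown  *obj_table[MAX_OBJS];
static uint32_t  obj_tag[MAX_OBJS];
static uint32_t  next_tag = 0x5a17c0de;     /* would come from a CSPRNG */

uint64_t register_object(Unknown *u)
{
    for (int i = 0; i < MAX_OBJS; i++) {
        if (obj_table[i] == NULL) {
            obj_table[i] = u;
            obj_tag[i] = next_tag++;
            return ((uint64_t)obj_tag[i] << 32) | (uint32_t)(i + 1);
        }
    }
    return 0;                               /* table full */
}

/* Resolve a param value to an object; NULL for anything we did not issue. */
Unknown *resolve_handle(const char *param_value)
{
    char *end = NULL;
    unsigned long long h = strtoull(param_value, &end, 0);
    if (end == param_value || *end != '\0') return NULL;   /* not a number */
    uint32_t idx = (uint32_t)h, tag = (uint32_t)(h >> 32);
    if (idx == 0 || idx > MAX_OBJS) return NULL;
    if (obj_table[idx - 1] == NULL || obj_tag[idx - 1] != tag) return NULL;
    return obj_table[idx - 1];
}

/* Returns the new reference count, or -1 when the value is rejected. */
int set_marshaled_punk(const char *param_value)
{
    Unknown *u = resolve_handle(param_value);
    if (u == NULL) return -1;
    return u->lpVtbl->AddRef(u);
}

/* Demo: one legitimate object registered by the control, referenced by a
 * page through its real handle. */
static Unknown demo_obj = { &unknown_vtbl, 0 };

int demo_legitimate_param(void)
{
    static uint64_t handle = 0;
    char value[32];
    if (handle == 0) handle = register_object(&demo_obj);
    snprintf(value, sizeof value, "%llu", (unsigned long long)handle);
    return set_marshaled_punk(value);       /* 1 on first call */
}

int main(void)
{
    printf("legit handle:    %d\n", demo_legitimate_param());          /* 1 */
    printf("sprayed address: %d\n", set_marshaled_punk("0x0c0c0c0c")); /* -1 */
    printf("guessed handle:  %d\n", set_marshaled_punk("4294967297")); /* -1 */
    return 0;
}
```

The point of the handle table is that the page can no longer name memory at all: a sprayed address, a guessed index or a non-numeric value all fail the tag check before anything is dereferenced, which is the property the original parameter handling lacked.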

Read Ruben’s original advisory and then get Firefox.


QuickTime Player SMIL Buffer Overflow and Metasploit Exploit

On 26 July 2010, Krystian Kloskowski discovered a vulnerability in QuickTime Player 7.6.6 for Windows caused by a stack-based buffer overflow in the application’s debug logging.

The original advisory states:

The vulnerability is caused due to a boundary error in QuickTimeStreaming.qtx when constructing a string to write to a debug log file. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a specially crafted web page that references a SMIL file containing an overly long URL.

Successful exploitation of this vulnerability leads to the ability to execute arbitrary code on the victim’s computer.
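As an added illustration (not QuickTime’s code) of the bug class the advisory describes: a player builds a debug-log line from the src URL of a SMIL media element. The unbounded version is the shape of the flaw; the bounded version rejects documents whose URL will not fit. Function names, the log format and the buffer size are assumptions.

```c
/* Added illustration of the bug class in the SMIL advisory; this is not
 * QuickTime's code. A player logs the src URL of a SMIL media element into a
 * fixed-size stack buffer: the unsafe builder trusts the URL's length, the
 * fixed one bounds it. Function names, formats and sizes are assumptions. */
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256   /* assumed debug-log line buffer */

/* VULNERABLE: sprintf has no idea how large 'line' is. A src URL longer
 * than about 230 bytes runs past the buffer into the saved frame pointer
 * and return address. Kept for its shape only; the demo never calls it. */
void log_stream_url_unsafe(const char *url)
{
    char line[LOG_LINE_MAX];
    sprintf(line, "[QTS] opening stream: %s\n", url);   /* unbounded write */
    fputs(line, stderr);
}

/* FIXED: bounded formatting. Returns the line length, or -1 if the URL
 * would not fit, so the caller rejects the document instead of logging a
 * silently truncated line. */
int log_stream_url(const char *url, char *out, size_t out_sz)
{
    int n = snprintf(out, out_sz, "[QTS] opening stream: %s\n", url);
    if (n < 0 || (size_t)n >= out_sz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Copy the first src="..." value out of a SMIL document. Returns its length,
 * or -1 if there is none, the quote is unterminated, or it exceeds dst_sz. */
int smil_first_src(const char *smil, char *dst, size_t dst_sz)
{
    const char *p = strstr(smil, "src=\"");
    if (!p) return -1;
    p += strlen("src=\"");
    const char *q = strchr(p, '"');
    if (!q) return -1;
    size_t len = (size_t)(q - p);
    if (len >= dst_sz) return -1;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return (int)len;
}

/* The logging path of a player opening a SMIL document, using the bounded
 * builder. 0 on success, -1 if the document is rejected. */
int open_smil(const char *smil)
{
    char url[1024];
    char line[LOG_LINE_MAX];
    if (smil_first_src(smil, url, sizeof url) < 0) return -1;
    return log_stream_url(url, line, sizeof line) < 0 ? -1 : 0;
}

/* Length the bounded builder reports for a given URL (-1 if rejected). */
int log_line_length(const char *url)
{
    char line[LOG_LINE_MAX];
    return log_stream_url(url, line, sizeof line);
}

/* Constructed inputs: a benign SMIL document, and one whose src is a
 * 600-byte run of 'A', the shape of the advisory's "overly long URL". */
const char BENIGN_SMIL[] =
    "<smil><body><audio src=\"rtsp://media.example.com/track.mov\"/></body></smil>";

/* Builds the hostile document and returns what open_smil() makes of it:
 * -1 with the bounded builder; with the unsafe one it would smash the stack. */
int hostile_smil_result(void)
{
    static char doc[1024];
    size_t n = (size_t)snprintf(doc, sizeof doc, "<smil><body><audio src=\"");
    memset(doc + n, 'A', 600);
    n += 600;
    snprintf(doc + n, sizeof doc - n, "\"/></body></smil>");
    return open_smil(doc);
}

int main(void)
{
    printf("benign:  %d\n", open_smil(BENIGN_SMIL));   /* 0 */
    printf("hostile: %d\n", hostile_smil_result());    /* -1 */
    return 0;
}
```

Note that the fix is not just swapping sprintf for snprintf: a silently truncated log line would hide the attack, so the bounded builder reports failure and the document is dropped before any stream is opened.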

A couple of days ago, Joshua Drake (a.k.a. jduck) submitted a working exploit module to the Metasploit Framework.

As QuickTime is installed on many Windows systems these days (it is bundled with iTunes), this vulnerability poses a real threat. As always, users should beware of clicking on unknown links, but ultimately if someone wants to get you to visit a malicious page, they can.

In this case users should update QuickTime as soon as possible: Apple has released QuickTime 7.6.7, which fixes this issue.

[Update] Check out the video below for a demo of the Metasploit module in action:

Metasploit_Apple_Quicktime_Smil_Debug from 4xteam on Vimeo.


iPhone 4.0.2/iPad 3.2.2 Update Patches JailbreakMe Vulnerabilities

Apple has today released iOS 4.0.2 (and iOS 3.2.2 for iPad) which patches the two vulnerabilities used by JailbreakMe. The first, as I mentioned in my original post on the topic, was in FreeType, a font engine library. Apple describes the issue as:

A stack buffer overflow exists in FreeType’s handling of CFF opcodes. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution. This issue is addressed through improved bounds checking.

The second vulnerability was in IOSurface and allowed the exploit to escalate privileges to root, breaking out of Mobile Safari’s sandbox. IOSurface is a framework of low-level interfaces for sharing graphics surfaces between applications. Apple describes the vulnerability as:

An integer overflow exists in the handling of IOSurface properties, which may allow malicious code running as the user to gain system privileges. This issue is addressed through improved bounds checking.
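As an added illustration (not Apple’s IOSurface code) of the integer-overflow class described above: surface properties supplied by an unprivileged caller are turned into a buffer size. The unchecked arithmetic wraps at 32 bits, so a huge surface gets a tiny buffer and later accesses run past it; the checked version does the products in 64 bits and bounds the result. The property names follow IOSurface’s public keys; the limit, the checks and the function names are assumptions.

```c
/* Added illustration of the bug class Apple describes; this is not
 * IOSurface's code. Surface properties arrive from an unprivileged caller;
 * the unsafe size computation wraps at 32 bits, so a huge surface gets a
 * tiny buffer. Property names follow IOSurface's public keys; the checks,
 * the limit and the function names are assumptions for the example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uint32_t width;            /* IOSurfaceWidth           */
    uint32_t height;           /* IOSurfaceHeight          */
    uint32_t bytes_per_elem;   /* IOSurfaceBytesPerElement */
    uint32_t bytes_per_row;    /* IOSurfaceBytesPerRow     */
} surface_props;

/* VULNERABLE sizing: the product is done in 32 bits and wraps.
 * bytes_per_row = 0x10000 and height = 0x10000 "need" 0 bytes. */
uint32_t surface_bytes_unsafe(const surface_props *p)
{
    return p->bytes_per_row * p->height;
}

/* Offset of the last pixel the caller may address, computed in 64 bits. */
uint64_t last_pixel_offset(const surface_props *p)
{
    return (uint64_t)(p->height - 1) * p->bytes_per_row
         + (uint64_t)(p->width - 1) * p->bytes_per_elem;
}

/* 1 if a buffer sized by surface_bytes_unsafe() is too small to hold the
 * surface the properties describe, i.e. later accesses run off its end. */
int unsafe_alloc_is_undersized(const surface_props *p)
{
    return last_pixel_offset(p) + p->bytes_per_elem > surface_bytes_unsafe(p);
}

#define SURFACE_MAX_BYTES (256u * 1024 * 1024)   /* assumed policy cap */

/* FIXED: every product in 64 bits (two uint32 factors cannot overflow a
 * uint64), rows must hold their pixels, and the total is capped.
 * Returns 0 and the byte count, or -1 if the properties are rejected. */
int surface_bytes_checked(const surface_props *p, size_t *out)
{
    if (p->width == 0 || p->height == 0 || p->bytes_per_elem == 0) return -1;
    uint64_t row_needed = (uint64_t)p->width * p->bytes_per_elem;
    if (row_needed > p->bytes_per_row) return -1;   /* row narrower than its pixels */
    uint64_t total = (uint64_t)p->bytes_per_row * p->height;
    if (total > SURFACE_MAX_BYTES) return -1;       /* also excludes any 32-bit wrap */
    *out = (size_t)total;
    return 0;
}

/* Constructed property sets: a sane 640x480 BGRA surface, one whose size
 * wraps to zero, and one whose rows cannot hold their own pixels. */
const surface_props SANE_SURFACE       = { 640, 480, 4, 2560 };
const surface_props WRAPPED_SURFACE    = { 0x10000, 0x10000, 1, 0x10000 };
const surface_props NARROW_ROW_SURFACE = { 640, 480, 4, 640 };

/* Convenience for the demo: checked size, or 0 when the properties are rejected. */
size_t checked_size_or_zero(const surface_props *p)
{
    size_t n = 0;
    return surface_bytes_checked(p, &n) == 0 ? n : 0;
}

int main(void)
{
    printf("sane:    unsafe=%u checked=%zu undersized=%d\n",
           surface_bytes_unsafe(&SANE_SURFACE), checked_size_or_zero(&SANE_SURFACE),
           unsafe_alloc_is_undersized(&SANE_SURFACE));        /* 1228800 1228800 0 */
    printf("wrapped: unsafe=%u checked=%zu undersized=%d\n",
           surface_bytes_unsafe(&WRAPPED_SURFACE), checked_size_or_zero(&WRAPPED_SURFACE),
           unsafe_alloc_is_undersized(&WRAPPED_SURFACE));     /* 0 0 1 */
    return 0;
}
```

The wrapped case is the whole story of this bug class: the allocation succeeds (for zero bytes), every later bounds check that trusts the stored size passes, and the first write to the surface lands in whatever kernel memory follows the buffer, which is exactly the primitive a local root exploit wants.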

Apple’s original description of this update can be found here. Note that neither of these vulnerabilities was attributed to anyone (possibly because they weren’t disclosed through the proper channels).

These remotely exploitable vulnerabilities are quite severe, and I definitely recommend that all iPhone (and iPad) users apply this update (including those of you who like to jailbreak).

Let’s see what the next Jailbreak will bring.

[Update 12/8/10] The source code for both of the exploits used by JailbreakMe is now available here.


JailbreakMe and the PDF Exploit

[Update] JailbreakMe 3.0 for iOS 4.3.3 is out!

JailbreakMe by comex (et al.) now provides an easy way of remotely jailbreaking the iPhone, iPad and iPod – including those running iOS up to 4.0.1.

The technique works thanks to a specially crafted PDF document which exploits a vulnerability in the font engine library (possibly libfreetype) used by Mobile Safari. A second, local privilege escalation exploit (possibly in IOKit) is then used to gain root access on the device, allowing the jailbreak to take place.

Depending on the device used to visit it, the site delivers one of its device-specific payloads to perform the initial exploit. During the jailbreak it then downloads an additional 3.7MB binary file.

Although this may seem like a great ‘feature’ to would-be jailbreakers, users should be aware that a severe underlying flaw exists which allows this remote jailbreaking to take place. Until Apple patches it, iPhone users should beware of visiting untrusted sites, as the same exploit could be modified to attack legitimate, non-jailbroken iPhones.

Here’s a video of someone jailbreaking Apple Stores for fun.

[Update 4/8/10] ultrasn0w update brings iPhone 4 carrier unlock.

[Update 11/8/10] iOS 4.0.2/3.2.2 update patches these two vulnerabilities.

[Update 12/8/10] comex has released the source code for the jailbreak exploit.


Apple Tops Secunia Vulnerability Ranking

Secunia’s 2010 Half Year report has found that the total number of vulnerabilities discovered so far this year already matches the number found in all of 2009. One key finding is that Secunia has seen the focus of vulnerabilities shift away from the operating system and onto third-party applications. This makes sense, as third-party apps are where more of the ‘low-hanging fruit’ resides, making them a more attractive target for hackers and security researchers alike. According to the report, Apple tops the vendor list in number of vulnerabilities discovered so far this year.

Vulnerabilities by Vendor (Source: Secunia 2010)

Looking at the statistics on Secunia’s site, I’m actually tempted to say that the number of vulnerabilities in Apple’s products is probably on a decent downward trend (judging by the release of patches). Apple’s rise to the top of Secunia’s table is most probably due to an increased focus on Apple products (Mac OS X, Safari, iOS) in the past three years or so. The recent popularity of the company’s products has led to more research by the security industry, leading to an inevitable rise in the number of discovered vulnerabilities. The same would happen to any company that suddenly got the attention of the security industry (apart from Microsoft, whose share of that attention tends to remain more or less stable).

In some ways Apple being at the top of the list may be a good thing for it. I don’t see this as saying that users of Apple’s products are inherently less secure than users of other vendors’ products. Market-share argument aside, we’ve yet to see any of these vulnerabilities exploited in any significant way. I do believe that Apple needs to focus a bit more on security prior to releasing updates, and would probably benefit from fuzzing its own software for a while. The company could also be a bit more responsive in releasing security updates, though since security updates were decoupled from the not-so-regular OS updates this has already improved somewhat.

All in all, not much to get hyped up about… yet. For further reading, check out my post on Understanding Apple’s approach to security.