You are currently browsing the Stan's List weblog archives for the 'Security' category.
# DNS not entirely patched

TidBITS tested Apple’s Security Update and found a small, though seemingly unlikely, avenue of risk. The risk will not be fully understood until Dan Kaminsky discloses the vulnerability on August 6. TidBITS outlines the risk, with the underlying concern that Apple is simply not responding to a critical need.

Security Update 2008-005 addresses one of the most talked-about vulnerabilities.

Security Update 2008-005 is recommended for all users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update.

Macworld: Apple’s unforgivable DNS delay

MacInTouch reader Douglas Broussard warns of a phishing scam that purports to be from Apple:

I just received a deceptively well-crafted e-mail from a sender purporting to be Apple, claiming that I have billing problems. The link in the e-mail goes to http://www.satc.net/https/.store.apple.com/us/, which does not appear to be a valid Apple URL.
The e-mail is well laid-out, and uses Apple’s graphics from the .Mac/.Me service. The title of the e-mail is: “IMPORTANT: Billing Problems”.
I received the e-mail just after buying a song from iTunes, so I was worried my account info may have been compromised, but after doing a little detective work, this appears to be a coincidence.
The long headers in the e-mails seem to indicate that “User (unknown [92.55.82.185]) by mail.decitre.fr” is the sender. I requested that Apple add that IP/domain to its blacklist, since the headers of the e-mail are forged and look as though the mail is coming from Apple.
Here are the headers. One easy tip-off is the X-Mailer header; Apple doesn’t send e-mails using Outlook Express 6 for Windows.
To see this information when you suspect an e-mail isn’t genuine, click the View menu, select Message, and choose Long Headers. Look for the “Received:” section, and see if it matches the purported sender in the “From:” field of the e-mail.

From: Apple
Date: July 9, 2008 11:05:39 AM PDT
To: undisclosed-recipients: ;
Subject: IMPORTANT : Billing Problem
Reply-To: no_reply@apple.com
Return-Path:

Received: from smtpin132.mac.com ([10.150.68.132]) by ms232.mac.com (Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)) with ESMTP id <0K3R00JIR3LAB8I0@ms232.mac.com>; Wed, 09 Jul 2008 11:05:34 -0700 (PDT)
Received: from mail.decitre.fr ([195.28.201.9]) by smtpin132.mac.com (Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 32bit)) with ESMTP id <0K3R008M63L7OO00@smtpin132.mac.com>; Wed, 09 Jul 2008 11:05:34 -0700 (PDT)
Received: from User (unknown [92.55.82.185]) by mail.decitre.fr (Postfix) with ESMTP id 0390E1B008CB; Wed, 09 Jul 2008 20:05:24 +0200 (CEST)
Mime-Version: 1.0
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20080709180525.0390E1B008CB@mail.decitre.fr>
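The Received-chain check described in the report above, done programmatically (an added example, not part of the reader's report): walk the Received headers from the bottom up to the hop where the mail entered the mail system and compare that relay, the Message-Id origin and the X-Mailer with the domain claimed in the From field. The sample headers are a constructed, abbreviated copy of the ones above; the From address is an assumption, since the report shows only the display name.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the reader's headers (From address assumed).
SAMPLE = """\
From: Apple <no_reply@apple.com>
Received: from smtpin132.mac.com ([10.150.68.132]) by ms232.mac.com with ESMTP; Wed, 09 Jul 2008 11:05:34 -0700 (PDT)
Received: from mail.decitre.fr ([195.28.201.9]) by smtpin132.mac.com with ESMTP; Wed, 09 Jul 2008 11:05:34 -0700 (PDT)
Received: from User (unknown [92.55.82.185]) by mail.decitre.fr (Postfix) with ESMTP; Wed, 09 Jul 2008 20:05:24 +0200 (CEST)
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Message-Id: <20080709180525.0390E1B008CB@mail.decitre.fr>
"""

# "from <helo> (<reverse-dns info>) by <relay>", the form most MTAs write
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def analyze(raw):
    """Compare the claimed From domain with where the mail actually entered the mail system."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    findings, origin_ip = [], None
    # Received headers are newest-first; the last one is the hop that accepted the
    # message from the submitting client, which is the hop worth checking.
    hops = [m for m in (HOP_RE.search(str(h)) for h in msg.get_all("Received", [])) if m]
    if hops:
        first = hops[-1]
        info = first.group("info") or ""
        ip = IP_RE.search(info)
        origin_ip = ip.group(1) if ip else None
        if not in_domain(first.group("by"), from_domain):
            findings.append(f"first relay {first.group('by')} is outside {from_domain}")
        if "unknown" in info.lower():
            findings.append(f"submitting client {first.group('helo')} [{origin_ip}] has no reverse DNS")
    msgid_domain = str(msg.get("Message-Id", "")).rpartition("@")[2].strip("> ")
    if msgid_domain and not in_domain(msgid_domain, from_domain):
        findings.append(f"Message-Id was generated at {msgid_domain}, not {from_domain}")
    mailer = str(msg.get("X-Mailer", ""))
    if "outlook express" in mailer.lower():  # a desktop client, not a billing system
        findings.append(f"sent with {mailer}")
    return {"from_domain": from_domain, "origin_ip": origin_ip, "findings": findings}
```

On the sample the result carries four findings, all pointing at mail.decitre.fr and the unresolved client 92.55.82.185 rather than at apple.com.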

Security Update 2008-004 is recommended for all Tiger users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update.

The description of what is contained in this security update is combined with the security fixes for Mac OS X v10.5.4.

Security Update 2008-004 and Mac OS X v10.5.4

* Alias Manager

CVE-ID: CVE-2008-2308

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of alias data structures. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier.

* CoreTypes

CVE-ID: CVE-2008-2309

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

Impact: Users are not warned before opening certain potentially unsafe content types

Description: This update adds .xht and .xhtm files to the system’s list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload. This update improves the system’s ability to notify users before handling .xht and .xhtm files. On Mac OS X v10.4 this functionality is provided by the Download Validation feature. On Mac OS X v10.5 this functionality is provided by the Quarantine feature. Credit to Brian Mastenbrook for reporting this issue.

* c++filt

CVE-ID: CVE-2008-2310

Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

Impact: Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution

Description: A format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings. This issue does not affect systems prior to Mac OS X 10.5.

* Dock

CVE-ID: CVE-2008-2314

Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

Impact: A person with physical access may be able to bypass the screen lock

Description: When the system is set to require a password to wake from sleep or screen saver, and Exposé hot corners are set, a person with physical access may be able to access the system without entering a password. This update addresses the issue by disabling hot corners when the screen lock is active. This issue does not affect systems prior to Mac OS X 10.5. Credit to Andrew Cassell of Marine Spill Response Corporation for reporting this issue.

* Launch Services

CVE-ID: CVE-2008-2311

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation. If the “Open ’safe’ files” preference is enabled in Safari, visiting a maliciously crafted website may cause a file to be opened on the user’s system, resulting in arbitrary code execution. This update addresses the issue by performing additional validation of downloaded files. This issue does not affect systems running Mac OS X 10.5 or later.

* Net-SNMP

CVE-ID: CVE-2008-0960

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

Impact: A remote attacker may be able to spoof an authenticated SNMPv3 packet

Description: An issue exists in Net-SNMP’s SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. This update addresses the issue by performing additional validation of SNMPv3 packets. Additional information is available via http://www.kb.cert.org/vuls/id/878044.

* Ruby

CVE-ID: CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, CVE-2008-2726

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

Impact: Running a Ruby script that uses untrusted input to access strings or arrays may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues exist in Ruby’s handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays.

* Ruby

CVE-ID: CVE-2008-1145

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

Impact: If WEBRick is running, a remote attacker may be able to access files protected by WEBrick’s :NondisclosureName option

Description: The :NondisclosureName option in the Ruby WEBrick toolkit is used to restrict access to files. Requesting a file name which uses unexpected capitalization may bypass the :NondisclosureName restriction. This update addresses the issue by additional validation of file names. Additional information is available via http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/. The directory traversal issue described in the advisory does not affect Mac OS X.
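The capitalization bypass described above, illustrated in Python against a simulated case-insensitive filesystem (an added example, not WEBrick’s own code): the deny patterns are matched with the request’s exact case while the filesystem serves the file regardless of case, so the hardened check has to fold case the same way the filesystem does. The pattern list and file contents are constructed.

```python
import fnmatch


class CaseInsensitiveFS:
    """Constructed stand-in for a case-insensitive, case-preserving volume
    (HFS+ on a default Mac OS X install): lookups ignore case."""

    def __init__(self, files):
        self._files = {name.lower(): data for name, data in files.items()}

    def read(self, name):
        return self._files.get(name.lower())


# Deny patterns in the style of WEBrick's :NondisclosureName (constructed)
NONDISCLOSURE = [".ht*", "*.bak"]


def denied_case_sensitive(name):
    """Weak check: glob patterns compared with the request's exact case."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in NONDISCLOSURE)


def denied_case_folded(name):
    """Hardened check: fold both sides so the comparison matches the filesystem's."""
    return any(fnmatch.fnmatchcase(name.lower(), pat.lower()) for pat in NONDISCLOSURE)


def serve(fs, name, check):
    """Return the file content, or None when the request is refused."""
    if check(name):
        return None
    return fs.read(name)
```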

* SMB File Server

CVE-ID: CVE-2008-1105

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in the handling of SMB packets. Sending malicious SMB packets to an SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking on the length of received SMB packets. Credit to Alin Rad Pop of Secunia Research for reporting this issue.

* System Configuration

CVE-ID: CVE-2008-2313

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A local user may be able to execute arbitrary code with the privileges of new users

Description: A local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This update addresses the issue by applying more restrictive permissions on the User Template directory. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Andrew Mortensen of the University of Michigan for reporting this issue.

* Tomcat

CVE-ID: CVE-2005-3164, CVE-2007-1355, CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3383, CVE-2007-5333, CVE-2007-3385, CVE-2007-5461

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Multiple vulnerabilities in Tomcat 4.1.36

Description: Tomcat version 4.x is bundled on Mac OS X v10.4.11 systems. Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Further information is available via the Tomcat site at http://tomcat.apache.org/. Tomcat version 6.x is bundled with Mac OS X v10.5 systems.

* VPN

CVE-ID: CVE-2007-6276

Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

Impact: Remote attackers may be able to cause an unexpected application termination

Description: A divide by zero issue exists in the virtual private network daemon’s handling of load balancing information. Processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution. This update addresses the issue by performing additional validation of load balancing information. This issue does not affect systems prior to Mac OS X 10.5.

* WebKit

CVE-ID: CVE-2008-2307

Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in WebKit’s handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2. For Mac OS X v10.4.11 and Windows XP / Vista, this issue is addressed in Safari v3.1.2 for those systems. Credit to James Urquhart for reporting this issue.

McAfee decided to find out what would happen if users actually responded to spam email, mostly by requesting to be removed from the mailing lists. Not surprisingly, the requests were refused. A new PC was offered as bait to recruit enough volunteers. Phishing and money-laundering attempts make up the majority of the email. According to Network World, McAfee is to announce its results next Tuesday, the 8th.

Intego Security Memo:

Exploit: OSX.Trojan.PokerStealer

Discovered: June 20, 2008

Risk: Low

Description: A Trojan horse has been found in the wild masquerading as a program for Mac OS X called “PokerGame”. The Trojan in question is a shell script encapsulated in an application, and is distributed in a 65 KB Zip archive; unzipped, it is 180 KB.

The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of it, delete files, damage the operating system, or much more.

Security Focus reports multiple Mac Trojan horses in the wild. The attack targets Apple Remote Desktop and gains root through AppleScript: `osascript -e 'tell app "ARDAgent" to do shell script "whoami"'`. It works for any user, unless the normal user has switched away with fast user switching.

As with all Trojan horses, the possibility of success is entirely in the hands of the user. In order to succeed, an email must induce you to click on a URL (web link) which takes you to a malicious web page, or you must find the malicious web page while surfing the web. There you are further induced to download the Trojan horse and then open the file once downloaded. As in phishing, the success rate is small, but it takes only a few victims to make it worthwhile.

Nathan points to discussion on the subject on MacInTouch’s Security Reader Report.
http://www.macintouch.com/readerreports/security/index.html#d21jun2008

First, he wants to emphasize that, given the amount of user participation necessary, there is still no need for anti-virus software.

The Trojan horse is able to do damage by escalating its privileges to root, because a vulnerability in ARDAgent, a SetUID executable, allows it.

This workaround removes SetUID:

A viable fix right now is to remove SetUID from the ARDAgent executable. Run this from an administrator account:

```sh
sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
```

This will cause a warning in Repair Permissions, but it will prevent the problem until Apple releases a fix.

Editorial: If everyone were as sharp as Nathan (compliment), then phishing would never work. Unfortunately, this is not true. I have anti-virus software, as I send and receive a ton of email and visit a number of web pages in search of information for this list. I do not want to inadvertently forward a virus or a Trojan horse.

Security Update 2008-003 is recommended for all users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update.

Nothing has been noted yet as to what is patched.

Security Update 2008-003 (PPC)

Security Update 2008-003 Server (PPC)

Security Update 2008-003 Server (Universal)

Security Update 2008-003 (Intel)

Macworld reports that, as a result of the popularity of iTunes, it has become a new avenue of attack for the same cybercriminals who take advantage of eBay customers. Just as they would tell you there was a problem with your eBay account to persuade you to hand over your account information, including credit card numbers, they are now sending spam email telling the user there is a problem with their iTunes account. Just as with eBay, not every recipient will have an iTunes account. Just the same, many will take the bait. More …

QuickTime has always been a security weakness, and it is likely impossible to plug all the holes. This is due, in part, to the multitude of media formats and plugins it must support. The latest OS includes “anti-exploitation” measures, which do not close the front door but make it difficult to proceed any further. This is accomplished by randomly relocating code that is important to attackers. TidBITS has an excellent analysis of this process.