Tag Archives: Safari

Time to Polish Your Apple: OS X & Safari Updates

Severity: High

Summary:

  • These vulnerabilities affect: Apple OS X 10.6.x-10.8.x and Safari 6.0.4 and below
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files (often multimedia files), or visiting malicious websites
  • Impact: Various results; in the worst case, an attacker can execute code with your privileges
  • What to do: Install the appropriate OS X and Safari, or let Apple’s Software updater do it for you.

Exposure:

Yesterday, Apple released two security updates to fix many vulnerabilities in OS X and Safari (Mac version only). If you use Mac computers, you should apply these significant updates quickly. I summarize Apple’s alerts below:

Apple released an update to fix vulnerabilities in all current versions of OS X. The update patches about 33 (number based on CVE-IDs) security issues in 11 of the components that ship as part of OS X, including QuickTime, OpenSSL, and Ruby. The flaws differ in scope and impact, but the worst allow attackers to execute code with your privileges simply by enticing you into viewing a malicious file. Most of these file handling issue involve multimedia files, such as movies and pictures. If you use a Mac, you should install the update as quickly as you can. See Apple’s alert for more detail on each flaw.

WatchGuard rating: Critical

Apple also released an update to fix about 26 security flaws in Safari for Mac (Apple seems to have discontinued supporting Safari for Windows). The majority of these are memory corruption issues that attackers could exploit to run arbitrary code on your Mac, with your privileges. Of course, they’d have to lure you to a web site with malicious code in order to trigger the attack. Many of these vulnerabilities are ideal for drive-by download attacks. Again, if you have a Mac, I recommend you patch Safari, even if you don’t use it as your primary browser. See Apple’s alert for more detail.

WatchGuard rating: Critical

Solution Path:

Apple has released update for all these products. If you use Mac computers, you should download and install the updates as soon as you can, or let Apple’s Software Updater do it for you. That said, the OS X update is rather large, and will require a reboot, so plan that update accordingly.

Personally, I have not had any problems with Apple’s automatic updates, so I recommend you use the Automatic Updater to download and remind you of patches regularly, at least on your client machines (you may need to plan your OS X server updates more carefully).

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM appliance can help mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Apple’s updates are your best solution.

Status:

Apple has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.

Make Sure to Update Your Apple Devices

If you follow my weekly security video, WatchGuard Security Week in Review, you probably already know that Apple released both an OS X and Safari security update last week. Hopefully, you’ve already applied those two updates, but if not I highly recommend you do so immediately. Among other things, the OS X update includes a Java related security fix. Lately, cyber criminals have really targeted Java in attacks against both Macs and PCs, so it’s important you apply all Java related updates as quickly as you can.

This week, Apple also released iOS and Apple TV security updates. These updates fix a number of security issues in these popular products. High on the list of fixed issues was a very highly publicized lock screen bypass flaw in iOS, which an attacker could exploit to gain access to the data on your phone when lost or stolen. iOS 6.1.3 fixes that particular lock screen issues, and a few other vulnerabilities. However, later in the week news emerged of another lockscreen flaw that affects iPhone 4s. So it looks like Apple will have some more lock screen related updates in their future.

In any case, if you use Apple devices, you’re probably affected by at least one of these issues. So I recommend you go get the corresponding updates, or let Apple’s automatic update mechanisms do their job. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 36 – White House Hack

Pwned DSL Routers, White House Hack, and Phone Scams

Cyber security is on the industry’s mind. As a result, every week seems packed with information and network security news. If you don’t have time to keep up because you are too busy putting out normal IT fires, this weekly podcast is for you. WatchGuard Security Week in Review is dedicated to quickly summarizing the biggest security stories each week, and to sharing tips and best practices that can help protect you from the latest threats. If you want a 10 minute or less summary of each week’s security news, give this video podcast a try.

This week, I talk about a FUD-filled White House hack, an attack campaign that infected 4.5 million Brazilian routers, a couple examples of phone scams and social engineering, and much more. If any of this interests you, or you just want to relax for 10 minutes while sipping your first coffee of the day, press play on the video below.

As always, I’ve included a Reference section below, which links to each of the stories. If you want more details than I can cover in this short episode, check the links out. Hope to see you next time, and stay safe out there.

(Episode Runtime: 10:25)

Direct YouTube Link: http://www.youtube.com/watch?v=MupAGOg-RBI

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 35 – Adobe Certs

New Java 0day, Cisco DoS, and Stolen Adobe Certs

There’s no shortage of information and network security news lately. If you find yourself struggling to keep up with it, due to all your other daily tasks, let my weekly summary videos fill you in. WatchGuard Security Week in Review quickly highlights the most important stories of the week, and lets you know what to do about the ones that might affect you.

This week’s episode includes two important software updates, news of another Java zero day flaw, a story about advanced attackers breaching a Smart Grid vendor’s network, and details about stolen Adobe code signing certificates. There’s patches to install and certificates to revoke, so give this week’s episode a view to learn what to do.

If you’d like more details on any of these stories, or want to see the ones I didn’t have time to cover in the video, check out the Reference section below. Have a great weekend, and see you next Friday.

(Episode Runtime: 8:50)

Direct YouTube Link: http://www.youtube.com/watch?v=R-DbODYoBLI

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 34 – IE 0day

IE 0day, Bank Attacks, and Massive Apple Update

Are you too busy to follow security news yourself, but would like quick updates about the latest attacks, vulnerabilities, and trends? Then WatchGuard Security Week in Review is for you. In this weekly video (posted every Friday), I quickly summarize the biggest information and network security news. Rather than let your busy schedule keep you in the dark, give this short recap video a try.

Today’s episode covers a major zero day vulnerability in Internet Explorer (IE), a bunch of security updates for Macs and iOS devices, and a few stories about attackers targeting banks. If you manage Windows systems, it’s worth a watch for the IE vulnerability alone.

As an aside, I’ve been traveling in Europe all this week, so I had to produce this episode quickly, from my hotel room, on my iPhone. The quality is not quite up to its normal par, and due to my schedule, I had to skim over a few details and skip a few stories. However, if you are interested in more information, or would like to see some of the stories I didn’t mention in the video, be sure to check out the Reference section below.

Finally, if you have suggests for what you’d like to see in future episodes, let me know in the comments.

(Episode Runtime: 5:40)

Direct YouTube Link: http://www.youtube.com/watch?v=AqN8zgFj5z8

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Apple Posts Security Updates for OS X, iOS, and Safari

Severity: High

Summary:

  • These vulnerabilities affect: Apple OS X 10.6.x-10.8.x, Safari 6.0 and below, and iOS 5.1.1 and below.
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files, or visiting malicious websites
  • Impact: Various results; in the worst case, an attacker can execute code with your privileges, and leverage other flaws to elevate to root
  • What to do: Install the appropriate OS X, Safari, and iOS update as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Yesterday, Apple released three security updates to fix many vulnerabilities in OS X, iOS, and Safari (Mac version only). Like the iTunes patch from last week, these updates fix an unusually large number of vulnerabilities. For instance, the iOS update fixes around 197 flaws, many of them affecting the Webkit component.  If you use Mac computers, or iOS devices, you should apply these significant updates quickly. I quickly summarize Apple’s three alerts below:

If you paid attention to Apple’s iPhone 5 announcement last week, you may also have been excited about iOS 6, which they posted yesterday. If iOS 6′s new features weren’t enough to sell you on the new firmware, Apple’s iOS 6 security alert should close the deal. According to Apple’s alert, iOS 6 fixes around 197 security vulnerabilities. The flaws differ widely, but attackers can exploit the worst of them to execute arbitrary code on your iOS devices. The attacker only has to lure you to a site containing malicious content, or entice you to interact which some sort of file (whether it be an image, movie, or config file). If you have an iPhone, iPod, or iPad, you should update it to iOS 6 as quickly as possible. See Apple’s security update if you want more details on the individual flaws, including their CVE numbers.
WatchGuard rating: Critical

Apple also released a huge OS X security update to fix vulnerabilities in all current versions of OS X. The almost 700MB patch fixes about 35 (number based on CVE-IDs) security issues in many components that ship as part of OS X or OS X Server, including QuickTime, the Kernel, and BIND. Again, the flaws differ in scope and impact, but the worst allow attackers to execute code with your privileges simply by enticing you into viewing malicious file or web content. Furthermore, some of the Kernel flaws allow attackers to elevate their privilege, gaining complete control of your computer. If you use a Mac, you should install the update as quickly as you can. See Apple’s alert for more detail on each flaw.
WatchGuard rating: Critical

Finally, Apple also released an update to fix about 60 security flaws in Safari for Mac (Apple seems to have discontinued supporting Safari for Windows). Many of these flaws are the same Webkit component issues that Apple recently patched in iTunes. Like those flaw, by enticing you to a web site containing malicious code, attackers can execute code with your privileges. Many of the vulnerabilities are ideal for drive-by download attacks. Again, if you have a Mac, I recommend you patch Safari, even if you don’t use it as your primary browser.
WatchGuard rating: Critical

Solution Path:

Apple has released update for all these products. If you use Mac computers, or iOS devices, you should download and install the updates as soon as you can, or let Apple’s Software Updater do it for you. That said, the OS X update is rather large, and will require a reboot, so plan that update accordingly.  Personally, I have had few issues with Apple’s Automatic Updater. I recommend you use the Automatic Updater to download and remind you of patches regularly, at least on your client machines (you may need to plan your OS X server updates more carefully).

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM appliance can help mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Apple’s updates are your best solution.

Status:

Apple has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.

Security Stories You May Have Missed Over the Holidays

If your office gets quiet around the week leading up to Christmas and New Years, as many seem to, you may have missed a few interesting security stories during this lull. Let me catch you up in one fell swoop.

Below, I quickly highlight a menagerie of interesting security stories, which you may have missed over the past two weeks:

  • Unpatched Vulnerability in Windows Win32k.sys Component – According to reports, a “researcher” calling himself webDEViL found a memory corruption flaw in Windows’ win32k.sys component. By enticing you to a web site containing malicious code, an attacker could exploit this flaw to execute malicious code on your computer, with your privileges. So far, webDEViL has only been able to exploit the flaw via Safari, which isn’t a very popular web browser for Windows systems. That said, it does affect fully patched Windows 7 64-bit systems, thus poses a fairly severe risk to Windows-based Safari users. Microsoft has not released a patch yet, but I will  follow up when they do. For more information, see Secunia’s advisory.
  • Siemens Accused of Security Cover-up – Siemens has received a lot of attention from the security industry lately. It first started with the infamous Stuxnet malware, which owned Siemens-based software and equipment, and opened many peoples eyes to the possibility of digital SCADA and ICS attacks. Since then, many researchers have focused on SCADA system vulnerabilities, including a recent example where a researcher found a SCADA system exposed on the internet with only a three character password. The latest drama comes from a security researcher’s blog, where he accuses Siemens of lying about a security flaw in one of their products. In short, Billy Rios (the researcher) is unhappy that a Siemens PR person claimed there are no open issues regarding authentication bypass bugs in Siemens products. As a result, Rios decided to publicly disclose just such an issue.
  • Free iPad 2 Offer Lures Gaga Fans – As they say on the Internet (and Star Wars), “It’s a trap!” According to PC Advisor, many users following Lady Gaga on Twitter and Facebook almost had their credentials stolen by following links about a free iPad 2 promotion.
  • Anonymous Still Up to No Good - During the holiday, Anonymous breached Stratfor, a “global intelligence” company in Texas. They reportedly stole 200GB of email, and a client list of 4000, including credit cards info. In the last week, Anonymous has also threatened to attack Sony and Nintendo due to their support of SOPA. As I predicted for 2012, I expect to continue to see these sort of Anonymous-related hacktivism incidents throughout the year.
That’s a small taste of some of the security stories that surfaced over the last few weeks. In general, we’re seeing more security stories a week than we have in years past. I expect 2012 to busy year for security professionals and the unprotected. — Corey Nachreiner, CISSP (@SecAdept)

Apple Releases a Pile of Security Updates in October

If you use Apple products, you’ll be busy updating this month. Today, Apple released a bunch of security advisories (on their Security Update page), informing customers of updates for many of their products. Here’s a list of security advisories for all the updated products:

If you use any of the affected Apple products, you should follow the links above to learn more about the flaws these updates fix. You can also download all the relevant updates from Apple’s Downloads page, or let Apple’s automatic update software do it for you.

We’ll release a more complete alert on Apple’s OS X update in awhile. Meanwhile, you can get a head start on the OS X update, and all the others, by visiting the links above. — Corey Nachreiner, CISSP (@SecAdept)

Apple Releases OS X, Safari, and iOS Security Updates

Yesterday, Apple released a handful of security advisories for various products, including:

The Snow Leopard update only fixes one security issue. If you read my “Fraudulent Certificate” post from a few weeks ago, you know that attackers were able to get their grubby hands on some fraudulently-issued, but technically legitimate digital certificates for some pretty well known domains. At the time, Microsoft had released a fix for Windows to ensure that it would not consider these certificates legitimate. This small OS X updates does the same thing for Snow Leopard.

The Safari update, which is probably the most critical of them all, fixes two flaws in the popular browser’s WebKit component. By enticing you to a web page containing malicious code, an attacker could leverage this flaw to execute code on your computer, with your privileges. Attackers commonly exploit these type of flaws in drive-by download attacks.

The two iOS updates also fix various code execution vulnerabilities that could occur on iPhones, iPods, and iPads. The worst is similar to the Safari vulnerabilities above. If an attacker can lure you to a special site with your iPhone, he could exploit this vulnerability to execute code. Since certain applications run on iPhones as root, this could give attackers full control of the device. In the real-world, these sorts of iOS flaws are more commonly leveraged by jailbreakers; to gain control of their phones. However, nothing is stopping malicious attackers from leveraging the same techniques to spread mobile malware.

If you have any of these products, you should download and install the updates recommended in each advisory, or just let Apple’s automatic update software do it for you. — Corey Nachreiner, CISSP. (@SecAdept)

2011′s First OS X Update Patches 57 Vulnerabilities

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various documents or images
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer
  • What to do: OS X administrators should download, test and install OS X 10.6.7 or Security Update 2011-001 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 57 (number based on CVE-IDs) security issues in 26 components that ship as part of OS X or OS X Server, including Apache, Quicktime, and ClamAV. Some of the fixed vulnerabilities include:

  • Multiple ImageIO Buffer Overflow Vulnerability. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from various security vulnerabilities involving the way it handles certain types of image files (such as a buffer overflow vulnerabilities). Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include JEPG, TIFF, and XBM.
  • Many ATS Vulnerabilities. The Apple Type Service (ATS) helps OS X machines handle fonts. ATS suffers from various memory related vulnerabilities having to do with the way it handles certain types of embedded fonts. By tricking one of your users into downloading and viewing a malicious document containing a specially crafted font, an attacker can exploit this flaw to execute code on that user’s computer. By default, the attacker would only execute code with that user’s privileges.
  • Five Quicktime Vulnerabilities. Quicktime is the popular video and media player that ships with OS X (and iTunes). Quicktime suffers from five security issues (number based on CVE-IDs) involving how it handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, he could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, cross-site scripting (XSS) vulnerabilities, and information disclosure flaws. Components patched by this security update include:

AirPort Apache
AppleScript ATS
bzip2 CarbonCore
ClamAV CoreText
File Quarantine HFS
ImageIO Image RAW
Installer Kerberos
Kernel Libinfo
libxml Mailman
PHP QuickLook
QuickTime Ruby
Samba Subversion
Terminal X11

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

On a related note, Apple has released many security updates in the last few weeks. Besides the Java update we alerted about early this month, Apple has also posted the following security-related product updates:

If you use any of those products, we recommend you update them as well, or let Apple’s automatic Software Updater do it for you.

Solution Path:

Apple has released OS X Security Update 2011-001 and OS X 10.6.7 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)


Follow

Get every new post delivered to your Inbox.

Join 7,380 other followers

%d bloggers like this: