MAAS History

Entries by drStrangeP0rk (171)

Tuesday, Mar 09 2010

Office Update 2008 for Mac 12.2.4 Released

Microsoft has released security update 12.2.4 for Office 2008 to address stability issues and CVE-2010-0263 in its Office products, including Office 2008 for Mac. The flaw is in the decompression of XLSX files: the headers are not validated properly. This could result in the execution of initialized blocks of memory, so an attacker could execute arbitrary code with that user's privileges. The exploit can only be carried out with user interaction.
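The bug class above (a container parser that inflates data on the strength of header fields it never checked) is easiest to see against the XLSX container itself, which is a ZIP archive. The following is an added example, not code from the original post or from Microsoft: it walks the ZIP local file headers of a constructed XLSX-style package, checks every size, name and CRC against the container and against the inflated bytes before trusting them, and rejects a copy whose declared uncompressed size has been tampered with. The header layout is the standard ZIP one; the 1 MiB per-entry limit and the sample file names are assumptions of the example.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
# Local file header layout (ZIP APPNOTE 4.3.7): signature, version, flags, method,
# mod time, mod date, CRC-32, compressed size, uncompressed size, name len, extra len.
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
USIZE_OFFSET = 22  # byte offset of the uncompressed-size field inside the header


def build_sample_package() -> bytes:
    """Constructed sample: a tiny XLSX-style package (XLSX is a ZIP container)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>" * 40)
        z.writestr("xl/workbook.xml", "<workbook/>" * 40)
    return buf.getvalue()


def tamper_uncompressed_size(data: bytes, new_size: int) -> bytes:
    """Constructed hostile input: rewrite the first entry's declared uncompressed size."""
    patched = bytearray(data)
    struct.pack_into("<I", patched, USIZE_OFFSET, new_size)
    return bytes(patched)


def extract_validated(data: bytes, max_entry_size: int = 1 << 20) -> dict:
    """Walk the local file headers and inflate each entry only after every header
    field has been checked against the container and against the inflated result.
    Raises ValueError on any inconsistency instead of trusting the header."""
    entries = {}
    off = 0
    while data[off:off + 4] == LOCAL_SIG:
        if off + LOCAL_HDR.size > len(data):
            raise ValueError("truncated local file header")
        (_sig, _ver, flags, method, _mt, _md, crc, csize, usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(data, off)
        if flags & 0x08:
            raise ValueError("data descriptor flag set: sizes not known up front")
        if method not in (0, 8):
            raise ValueError(f"unsupported compression method {method}")
        if usize > max_entry_size:
            raise ValueError(f"declared uncompressed size {usize} exceeds limit")
        name_start = off + LOCAL_HDR.size
        data_start = name_start + nlen + xlen
        data_end = data_start + csize
        if data_end > len(data):
            raise ValueError("compressed size runs past end of container")
        name = data[name_start:name_start + nlen].decode("utf-8")
        if name.startswith("/") or ".." in name.split("/"):
            raise ValueError(f"unsafe entry name {name!r}")
        raw = data[data_start:data_end]
        if method == 0:
            if csize != usize:
                raise ValueError("stored entry: compressed and uncompressed sizes differ")
            out = raw
        else:
            d = zlib.decompressobj(-15)  # raw deflate, no zlib wrapper
            # Never inflate more than the header promised (+1 byte so an overrun is visible).
            out = d.decompress(raw, usize + 1)
            if len(out) != usize:
                raise ValueError(f"{name}: inflated {len(out)} bytes, header declared {usize}")
        if zlib.crc32(out) & 0xFFFFFFFF != crc:
            raise ValueError(f"{name}: CRC-32 mismatch")
        entries[name] = out
        off = data_end
    if not entries:
        raise ValueError("no local file headers found")
    return entries


def validate_package(data: bytes) -> str:
    """Convenience wrapper returning 'ok' or 'rejected: <reason>'."""
    try:
        extract_validated(data)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    pkg = build_sample_package()
    print(validate_package(pkg))
    print(validate_package(tamper_uncompressed_size(pkg, 10)))
    print(validate_package(tamper_uncompressed_size(pkg, 0xFFFFFFFF)))
```

The two tampered copies fail for different reasons: a size smaller than the real content is caught because the inflater is capped at the declared size plus one byte and produces more than promised, and an absurdly large size is refused before any allocation or inflation happens. Either check on its own stops the decompressor from sizing buffers from an attacker-controlled field.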

This update needs to be applied: select Check for Updates in Office, or follow the reference link attached to download the file.

Friday, Mar 05 2010

Researchers build Mobile Botnet with Weather.App 

Derek Brown and Daniel Tijerina of TippingPoint's Digital Vaccine Group built a malicious Weather.app for the iPhone that delivers information about users, including their GPS locations and phone activities, back to a controller. Their test was only leveraged against jailbroken iPhones; they did not try to pass the application into the iTunes App Store. Given Apple's rigorous testing, its digital signature process and its rejection of apps that "phone home" or rely on private APIs, they felt it would be rejected. Their malicious Weather.app did spread on underground sites that cater to jailbroken iPhones.

This event supports Apple's recent decisions to block jailbroken phones from the store, to remove software which weakens the security of the iPhone, and to institute a rigorous validation and verification process for apps before they are approved. However, as was first discussed in a posting from February, it is only a matter of time before someone is able to upload an app to the iPhone store that Apple approves and that operates as malware or carries out malware-type operations. This is not a matter of if but when, so users should make sure to protect their devices with anti-virus apps and back up their iPhone data. More importantly, there is no reason to operate a jailbroken iPhone. Organizations should make sure that their usage policies state that no jailbroken device is used for the organization's activities. Policy makers should get ahead of this ticking mobile time bomb.

Thursday, Mar 04 2010

Airport Application Level Gateway FTP Proxy Allows Security Bypass

Sabahattin Gucukoglu has posted the details of a flaw in the Airport, Airport Extreme and Time Capsule products' Application Level Gateway (ALG), which handles the FTP proxy between external FTP peers and internal NAT clients. The ALG provides seamless configuration with other Apple products and is used when non-default ports are used for services. With regard to FTP, it allows servers behind the NAT to alter the address in the command channel, such as in a PORT command, rewriting the command so that clients can reach them when in passive mode.

The resulting configuration gives any actor that can reach the FTP port forwarded on the WAN port (the public FTP server that the NAT exposes for internal clients) the ability to induce an FTP server operating on the NAT LAN to send data to arbitrary addresses and ports. It does not matter if the FTP server is configured securely, since the flaw exists in the ALG, so no level of trust at the endpoints helps. This can be leveraged in a host of attacks, from bounce scans and denial of service to spamming and data theft.
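The check an FTP ALG has to make before it rewrites anything is the one the post says is missing: the address carried in a PORT command or a 227 reply must be the address of the endpoint that sent it, or the gateway becomes a relay to arbitrary hosts. The following is an added example, not Apple's firmware code and not from the original post: it parses the RFC 959 host/port tuple, applies that sender check plus a privileged-port check, and runs the decision over a constructed control-channel exchange. The LAN prefix, addresses and lines are assumptions made up for the example.

```python
import re
from ipaddress import ip_address, ip_network

# "h1,h2,h3,h4,p1,p2" tuple carried by PORT commands and 227 replies (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line: str):
    """Return (ip, port) from a PORT/227 line, or None if the tuple is malformed."""
    m = HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def alg_decision(line: str, sender_ip: str, lan_net) -> tuple:
    """Decide what a gateway should do with one control-channel line.

    sender_ip is the address of the endpoint that wrote the line (the server for a
    227 reply, the client for a PORT command). A data-channel directive is rewritten
    only when it names the sender itself on an unprivileged port; anything else is
    dropped so the gateway can never be used to reach a third party."""
    if line.upper().startswith("PORT "):
        kind = "PORT"
    elif line.startswith("227"):
        kind = "227"
    else:
        return ("pass", "not a data-channel directive")
    parsed = parse_hostport(line)
    if parsed is None:
        return ("drop", f"malformed {kind} host/port tuple")
    host, port = parsed
    if host != sender_ip:
        return ("drop", f"{kind} names {host} but was sent by {sender_ip} (bounce)")
    if port < 1024:
        return ("drop", f"{kind} targets privileged port {port}")
    if ip_address(host) not in lan_net:
        return ("pass", "sender is not on the NAT LAN; nothing to translate")
    return ("rewrite", f"{kind} {host}:{port} -> translate to WAN address")


def audit(exchange, lan_net=ip_network("10.0.0.0/24")) -> list:
    """Run alg_decision over a list of (sender_ip, line) pairs; return the actions."""
    return [alg_decision(line, sender, lan_net)[0] for sender, line in exchange]


# Constructed control-channel traffic as seen by the gateway (not a real capture).
SAMPLE_EXCHANGE = [
    ("10.0.0.5", "227 Entering Passive Mode (10,0,0,5,195,80)."),  # server names itself: rewrite
    ("10.0.0.5", "227 Entering Passive Mode (192,0,2,9,0,25)."),   # names a third party: drop
    ("10.0.0.5", "227 Entering Passive Mode (10,0,0,5,0,22)."),    # privileged port: drop
    ("10.0.0.7", "PORT 10,0,0,7,4,1"),                             # client names itself: rewrite
    ("10.0.0.7", "PORT 10,0,0,999,4,1"),                           # octet out of range: drop
    ("10.0.0.5", "220 FTP server ready"),                          # ordinary reply: pass
]

if __name__ == "__main__":
    for (sender, line), action in zip(SAMPLE_EXCHANGE, audit(SAMPLE_EXCHANGE)):
        print(f"{action:8} {sender:10} {line}")
```

The same two conditions (address equals sender, port above 1023) are the classic mitigation for FTP bounce on servers; placing them in the gateway matters here because, as the post notes, a correctly configured server cannot compensate for a gateway that rewrites whatever it is told.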

Sabahattin Gucukoglu reported this issue to Apple, but no patch has been issued in seven weeks, so he has made the information public. Problems in the ALGs of WiFi devices are an excellent attack vector. The public disclosure does not include any firmware information and we have not confirmed it independently.

Using FTP opens a host of problems; users should avoid it, since better alternatives are currently available. Workarounds include not triggering the ALG by using the default ports (especially for FTP), not using FTP at all, and disabling FTP uploads that can be downloaded by guest (anonymous) users. Due to the public disclosure, we expect Apple to release a firmware update with the patches coming out this month.


Friday, Feb 26 2010

Intevydis Releases Firefox Exploit for 3.6

Intevydis, a security research firm, has released to its customers a very effective zero-day which can be used to exploit a buffer overflow in Firefox 3.6. It is unclear if the exploit affects Mac OS X, and it has not been made public yet. Usually, if an exploit is found for a framework, you can rest assured that other criminal elements will find out all they can about it and try to duplicate it or chain it within their own methods.

The recent attacks against Google, Intel and other companies clearly demonstrate that attackers effectively chain various exploits to defeat security. Each packet sent in an attack is a resource, and an effective attacker's goal is to develop a process that spends the fewest resources against the least resistant target. To counter this, the security professional has to engineer a system that layers defenses to raise the attacker's cost to the point that they move on. It is important to keep that in mind when zero-day exploits are announced but not released. Yes, they are dangerous, but a layered defense can make the cost too high for the criminal of opportunity.

Mac administrators and users should never perform web surfing from an administrator account. Run NoScript, ClickToFlash and Flashblock, and set Preview.app to open PDF files. Also make sure that you only open files from trusted sources that present evidence to validate that trust; for example, use email with PGP to confirm the identity of the sender. Passwords should be complex, never shared, never reused across systems (especially public systems), and changed at least every 2 months.

(Please note all cool buzz names have been removed; I have had too many meetings using buzz topics the last couple of months. I hoped at one time Web 2.0 would die, and still people use it without knowing it was created to describe a host of technologies; no one writes Web 2.0 code. Sorry about the sidebar, but after reading "The Four Forces Shaping Cyber Security" by William W. Agresti in IEEE Computer magazine, which states that we should now use the term CyberSecurity exclusively to allow the public to get a better understanding, I am in the camp that Cyber anything is a bad idea, but what do I know.)

Friday, Feb 19 2010

Design Flaw in AdobeUpdater.app can be Exploited by an Attacker

It is being reported by Aviv Raff, and now confirmed on the Adobe Security Blog, that an issue exists with the Adobe Download Manager which could allow an attacker to force the download and installation of an Adobe product or of a malicious piece of software. He first reported to Adobe an issue with the Download Manager which allowed an attacker to force the installation of an Adobe product that had been removed.

Aviv Raff took this one step further and discovered a remote code execution flaw which allows an attacker to install any malicious software using the Adobe Download Manager. It appears that the Adobe Download Manager does not use SSL, which means that you expose yourself to a zero-day attack if you download an update from Adobe's site.

Currently the exploit he has reported is not published, but his posting on his site provides an outline of the exploit reported to Adobe. While his discovery relates to the Adobe Download Manager for Windows systems, I have confirmed that the Adobe Updater6.app for the Mac platform may also have this flaw. The Adobe Updater6.app sends information over port 80, which can be exploited in a man-in-the-middle attack. The Adobe Updater6.app does not use SSL properly, so it is possible to alter the file to download and install files from an untrusted source.
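What makes a plain-port-80 updater exploitable is that the client takes both the download location and any integrity data from the same unauthenticated channel, so whoever sits on the path can replace both. The following is an added example, not Adobe's code and not from the original post: it models the update descriptor exchange with a weak client that trusts the descriptor as fetched and a hardened client that first authenticates the descriptor with a key it already holds and then insists on an HTTPS download URL and a matching digest. The descriptor format, URLs, payload bytes and keys are constructed for the example, and the HMAC tag is a standard-library stand-in for the public-key signature a real vendor updater would verify.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed data: a genuine update payload and an attacker-substituted one.
GENUINE_PAYLOAD = b"genuine vendor installer bytes (constructed)"
MALICIOUS_PAYLOAD = b"attacker-substituted installer bytes (constructed)"

# Key the client ships with (constructed). Stand-in for a vendor public key: a real
# updater would verify a public-key signature over the descriptor; HMAC is used here
# only because it is in the standard library and shows the same check structure.
CLIENT_KEY = b"constructed-descriptor-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_descriptor(url: str, payload: bytes, key: bytes = CLIENT_KEY) -> dict:
    """Build an update descriptor naming the download URL and payload digest, tagged with key."""
    body = json.dumps({"url": url, "sha256": sha256_hex(payload)}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def weak_client(descriptor: dict, fetched: bytes) -> bool:
    """Trusts whatever the descriptor says, exactly as it arrived over plain HTTP."""
    desc = json.loads(descriptor["body"])
    return sha256_hex(fetched) == desc["sha256"]


def hardened_client(descriptor: dict, fetched: bytes) -> tuple:
    """Authenticate the descriptor, then require HTTPS and a digest match."""
    expected_tag = hmac.new(CLIENT_KEY, descriptor["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, descriptor["tag"]):
        return (False, "descriptor not authenticated")
    desc = json.loads(descriptor["body"])
    if urlparse(desc["url"]).scheme != "https":
        return (False, "download URL is not https")
    if sha256_hex(fetched) != desc["sha256"]:
        return (False, "payload digest mismatch")
    return (True, "accepted")


def simulate_mitm() -> dict:
    """Replay the scenario: an on-path attacker rewrites the port-80 descriptor and download."""
    genuine = make_descriptor("https://vendor.invalid/update.dmg", GENUINE_PAYLOAD)
    # The attacker does not hold the vendor key, so the forged descriptor carries a bad tag.
    forged = make_descriptor("http://203.0.113.7/update.dmg", MALICIOUS_PAYLOAD, key=b"attacker-key")
    # A vendor mistake, not an attack: a correctly signed descriptor pointing at plain HTTP.
    plain_http = make_descriptor("http://vendor.invalid/update.dmg", GENUINE_PAYLOAD)
    return {
        "weak_genuine": weak_client(genuine, GENUINE_PAYLOAD),
        "weak_forged": weak_client(forged, MALICIOUS_PAYLOAD),
        "hard_genuine": hardened_client(genuine, GENUINE_PAYLOAD),
        "hard_forged": hardened_client(forged, MALICIOUS_PAYLOAD),
        "hard_swapped_payload": hardened_client(genuine, MALICIOUS_PAYLOAD),
        "hard_plain_http": hardened_client(plain_http, GENUINE_PAYLOAD),
    }


if __name__ == "__main__":
    for case, result in simulate_mitm().items():
        print(f"{case:22} {result}")
```

The weak client accepts the forged descriptor because the digest it compares against came from the attacker too. The hardened client fails closed in three distinct ways: a descriptor the vendor key did not produce, a genuine descriptor paired with a swapped payload, and a correctly authenticated descriptor that still points at an unencrypted download.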

Users may want to turn off auto-updates for Adobe products until more information becomes available.