MAAS History

Entries by drStrangeP0rk (171)

Thursday, Feb 04, 2010

iPhone Application Security > FreeBit ServersMan 3.1.5 DOS Crash Attack

There has been growing interest in iPhone applications and their security. Even though Apple reviews every application, and Cocoa development with Xcode includes validation and verification tools, developers do not always use secure coding methods. Recently there have been various presentations about rogue applications that access personal information such as address books, passwords and location data. There is currently a CVE candidate for the FreeBit ServersMan 3.1.5 iPhone application due to a DOS crash vulnerability triggered by a malformed HEAD request. It is clear that phone application security has to be included in an organization's Information Assurance Risk Matrix.

Apple's review process may be circumvented maliciously, resulting in the distribution of malware; it is just a matter of time. I would expect that security researchers may try to see if they can pass a malicious application through the Apple approval process. It is also to be expected that at some point this will be successful. Software always has an unexpected vulnerability or a flaw whose level of risk is misunderstood.

Where I think the serious problems occur (related to the iPhone), and what should really be the focus of security professionals, is users who bypass the iTunes Store, have jailbroken iPhones, or a failure to include phones in an organization's Information Security Program. When allowing applications access to data on your phone, users must understand what they are approving. Education is the key: security professionals must include employees' phones within their security policies and procedures. If your company provides users with iPhones, there should be terms of use for employees to follow. These should address many of the same risk factors as employees' computers, such as alteration or installation of hardware or software. This should go beyond the iPhone, since any phone can be compromised in this fashion.

For a very good rebuttal to a recent paper related to the topic (link in references), users should visit Intego's blog, but remember that understanding the debate is not a risk assessment. That has to be conducted in an unbiased manner, something Mac administrators have difficulty with. This comes from someone who has been an Apple user since the Apple ][.

Wednesday, Feb 03, 2010

APPLE-SA-2010-02-02-1 iPhone OS 3.1.3/iPhone OS 3.1.3 for iPod touch

Apple released a security update for iPhone OS/iPod touch that addresses various security issues, and users should install it. There was a buffer overflow in the handling of MP4 audio files and a buffer underflow in ImageIO's handling of TIFF files, either of which could lead to application termination or code execution. These issues are addressed through improved bounds checking.

WebKit has been updated to address an input validation issue in the handling of FTP directory listings. A maliciously designed FTP server could be used to cause a DOS or disclose information. Also in WebKit, a failure in HTML media element handling can result in Mail loading remote media even when remote image loading is disabled; a maliciously crafted file can be used for reconnaissance of user activity. The memory corruption bypass issues have also been fixed.

There is also an iTunes update that should be installed. This includes various performance improvements.

Thursday, Jan 28, 2010

iPad Black Hat Search Optimization

"Black Hat search optimization" is the use of aggressive and deceptive methods to front-load search engine results with sites. The introduction of the new iPad has become a feeding ground for organizations that practice these methods. Worse, it has also resulted in users being directed to malicious sites.

All Macintosh computers should run some form of anti-virus software and, at a minimum, have the application firewall set to allow only specific services and applications. We recommend far more advanced configurations for power users, such as ipfw or other commercial offerings, together with least-privilege principles.

Tuesday, Jan 26, 2010

Intego's Annual Year in Mac Security Report

As a new year starts, you can always look forward to reports on the past year's security incidents and the prospects for the coming year. Although many vendors release these reports, they tend to slant toward a particular product or service, so their usefulness is debatable. However, I think anyone interested in Mac OS X security should read Intego's Mac Security Report for 2009 to understand the trends from the past year.

This report reviews various incidents from the past year and Apple's responses. Based on Apple's earnings report for the last quarter, we can expect the number of incidents related to trojans, viruses and malware to grow as the popularity of the platform grows. It is a relatively simple equation: more Mac users equals more machines with high-speed connections that crackers would love to exploit.

I love Intego's VirusBarrier, and any client I first start working with usually becomes a fan very quickly. The software is seamless, fast, easy to manage and stable. I recommend it for SOHO clients and larger organizations.

Thursday, Jan 21, 2010

Firefox 3.6 Released

Firefox 3.6 has been released with some improvements, including in-depth add-on notification. Firefox will now notify users of out-of-date and insecure plug-ins (improved handling of Flash updates) when a page loads, requiring action by the user. The "Enable Java" option is now located in the Add-ons window. Private browsing will now also remove temporary files when the application closes.

Other application improvements include the renaming of panels, full-screen mode, support for Personas, more robust auto-complete and tabs. Users should update to this version to enhance their Firefox experience.