MAAS History

Entries by drStrangeP0rk (171)

Friday, Dec 03, 2010

Google Releases Version 8.0.552.215 of Chrome

Google's Chrome has generated a browser-security defensive arms race, and the recent update, which addresses 800 bug fixes and includes new security layers, demonstrates that Google is in it to win it. Users and administrators should be overjoyed at the inclusion of a built-in PDF viewer that runs within a sandbox. Adobe's Reader X also currently performs much of its work within a sandbox, but including this layer as a de facto standard in browsers is an excellent move. Google is currently working with Adobe to run Flash within the Chrome sandbox, and a release is available for Windows at this stage. Sandboxes are not a cure-all but just another layer of defense; what is interesting is that browsers are now addressing extension/plugin security with the use of a sandbox.

Ultimately we must continue to demand higher-quality code from extension/plugin developers and not place all our defenses in sandboxing. (Developers must still apply secure coding principles such as verification, validation and unit testing, and not fall into the trap of "Oh, the sandbox will take care of that.") Chrome is an excellent browser for the Mac platform, has a robust set of extensions, and should be considered an alternative to Firefox, especially on Windows systems in dual-office deployments. Safari is still hard to beat on Mac OS X, but I think that Google really is producing a quality product in Chrome which users should seriously consider using.

Thursday, Nov 25, 2010

APPLE-SA-2010-11-22-2 Apple TV 4.1

Two critical Common Vulnerabilities and Exposures in FreeType and libpng are addressed. libpng has been updated to version 1.4.3 to fix an issue through which a malicious user could execute arbitrary code. FreeType has been updated to version 2.4.2 to address issues related to processing a maliciously crafted font. This vulnerability has been present in other Apple products.

One important thing to keep in mind is that devices such as the Apple TV, Xbox 360 and Wii, if they are online, all have to be part of a risk assessment. Just as it is important to understand mobile devices and the way users use them, so it is with these devices.

Monday, Nov 22, 2010

APPLE-SA-2010-11-22-1 iOS 4.2

Apple has released iOS 4.2, which addresses security issues in addition to allowing iPad users to take advantage of features such as multitasking.

Major security issues in WebKit have been addressed, including vulnerabilities and bugs related to DNS pre-fetching, memory corruption, an uninitialized pointer in CSS counters, design issues in handling the visited pseudo-class, input validation, and color-cast issues related to SVG documents. Other fixes related to iAd, ImageIO, libxml, CoreGraphics and FreeType have also been included. In all, a total of 26 Common Vulnerabilities and Exposures are addressed in WebKit alone.

Users should update to the latest version, but make sure to back up your device before the upgrade.

Friday, Nov 19, 2010

Adobe Releases Reader X

Adobe has released Reader X, which includes a broker-based sandbox to handle the various system tasks involved in previewing PDF files. Sandboxing technology has been available on Mac OS X via seatbelt (sandbox-exec) in conjunction with a ".sb" configuration file. Users and administrators have had the capability to control the actions of executing processes, including which file systems they may touch, process spawning, hooking and network activity.

What makes this exciting is that Adobe has included a sandbox similar to the one found in Google Chrome and has the option turned on by default. Within Reader X, agents control writing to volumes, network sockets, process spawning and hooking. This is not foolproof, but it is a good start. Using Preview.app is the best solution at this time for viewing PDF files on Mac OS X. Reader X is worth a look and in its next release may once again prove to be the best solution for working with PDF files.
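To make the seatbelt mechanism mentioned above concrete, here is an added example of a deny-by-default ".sb" profile for a command-line PDF tool (my own illustration, not from this post, Apple or Adobe); the tool path, input file and scratch directory are hypothetical placeholders.

```scheme
;; pdf-tool.sb: deny-by-default seatbelt profile for a command-line PDF tool.
;; Added illustration; the tool path, input file and scratch directory below
;; are hypothetical placeholders.
(version 1)
(deny default)                     ; anything not allowed below is refused
(debug deny)                       ; log refusals to the system log for tuning

;; The tool binary, dyld's cache and the system libraries/frameworks it loads
(allow file-read*
    (literal "/usr/local/bin/pdftool")
    (subpath "/usr/lib")
    (subpath "/usr/share")
    (subpath "/System/Library/Frameworks")
    (subpath "/System/Library/PrivateFrameworks")
    (subpath "/private/var/db/dyld"))

;; The untrusted input, read-only
(allow file-read* (literal "/Users/alice/Downloads/untrusted.pdf"))

;; The only location the tool may write to
(allow file-write* (subpath "/private/tmp/pdf-scratch"))

;; sandbox-exec applies the profile and then execs the tool, so the tool
;; itself must be exec-able; no other program may be launched and the
;; process may not fork or touch the network (already implied by deny default,
;; stated explicitly so the intent survives later edits of the profile)
(allow process-exec (literal "/usr/local/bin/pdftool"))
(deny process-fork)
(deny network*)

;; Minimal services most command-line tools need
(allow sysctl-read)
(allow file-read-metadata)         ; stat() on paths, no file contents
(allow mach-lookup (global-name "com.apple.system.logger"))
```

Run it with `sandbox-exec -f pdf-tool.sb /usr/local/bin/pdftool /Users/alice/Downloads/untrusted.pdf`; a GUI application such as a full PDF viewer needs many more mach-lookup allowances, and the `(debug deny)` entries in the system log show exactly which operations were refused while you tune the profile.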

For more on the technology please visit all the reference links below.


Thursday, Nov 18, 2010

APPLE-SA-2010-11-18-1 Safari 5.0.3 and Safari 4.1.3

Apple has released a security update for Safari to address serious vulnerabilities in WebKit. This update addresses 28 vulnerabilities, mainly related to the handling of HTML, inconsistent handling of strings, memory corruption and a use-after-free error.

The update does require a restart. Below is a simplified list from Apple.

  • More accurate Top Hit results in the Address Field
  • More accurate results in Top Sites
  • Fixes an issue that could cause content delivered with the Flash 10.1 plug-in to overlap webpage content
  • More reliable pop-up blocking
  • Improved stability when typing into search and text input fields on www.netflix.com and www.facebook.com
  • Improved stability when using JavaScript-intensive extensions
  • Improved stability when using VoiceOver with Safari