MAAS History
Archives

Entries by drStrangeP0rk (171)

Thursday, Nov 12, 2009

Microsoft Office 2008 Mac Update 12.2.3

Microsoft has released an update of Office for the Mac to address several vulnerabilities, including bounds-checking issues that could allow malicious software to write to unprotected memory. The OpenXML file converter for the Mac is patched, and the update includes stability improvements to Microsoft Document Connection.

The Entourage 2008 time zone data and junk mail filter have been updated. Excel 2008 improvements include a fix to workday functions and to unexpected crashes when working with PivotTables. In Word there are fixes for unexpected crashes related to accepting tracked changes, multi-language document grammar checking, and saving templates as .doc files.

All users of Office 2004 and Office 2008 for Mac should update to the latest version.

Wednesday, Nov 11, 2009

Safari 4.0.4 Update: Apple-SA-2009-11-11-1

The Safari 4.0.4 update addresses various issues that could lead to unexpected application termination, disclosure of confidential information, unexpected actions, and the loading of media element file types that are disabled. Users are recommended to install this update; it does require a restart.

Summary of Issues

  • Improved JavaScript performance
  • Improved Full History Search performance for users with a large number of history items
  • Stability improvements for 3rd-party plug-ins, the search field and Yahoo! Mail

WebKit did not generate resource-load callbacks for HTML 5 media elements loaded in Mail.app, which could lead to undesired requests to remote servers or the loading of undesired media. WebKit was also vulnerable to cross-site request forgery: custom headers were allowed in the preflight request sent when a page requests a resource from another origin, which could facilitate this kind of attack. The custom headers are now removed from preflight requests. In Safari, the listed shortcut menu options are disabled when the target of a link is a local file; this prevents maliciously crafted files from accessing sensitive local data. The libxml fixes delivered in the security updates for 10.6.x and 10.5.8 are delivered for Mac OS X 10.4.x Client and Server in this update.

Monday, Nov 9, 2009

APPLE-SA-2009-11-09-1 Security Update 2009-006 / Mac OS X v10.6.2

Apple has released a security update which addresses a large set of CVE IDs, including the AFP memory corruption, adaptive firewall dictionary attack, Apache updates, Apple Type Services, Certificate Assistant, CoreGraphics, CoreMedia, Directory Services, CUPS, Disk Images, Dovecot, fetchmail, Event Monitor, file, FTP Server, ImageIO, Help Viewer, IOKit, UCCompareTextDefault, IPSec, Kernel, Launch Services, libxml, libsecurity, OpenLDAP, OpenSSH, PHP, QuickDraw Manager, QuickLook, QuickTime, FreeRADIUS, Login Services (guest account issues), Screen Sharing, Subversion and Spotlight. It is recommended that this update be applied via Software Update.

The server complete update package is approximately 524 megabytes. 


Sunday, Nov 8, 2009

Jail Breaking and Entering the iPhone

If you have taken the risk of jailbreaking your iPhone, you should be aware of reports of an attack in the wild, reported by Intego on November 3. Jailbroken iPhones allow users to run software and applications not approved by Apple; part of the jailbreak package enables root SSH shell access, among other services. Most users neither disable remote root login nor change the root password. The management of SSH on a jailbroken iPhone is very insecure: the root password is alpine, so now you can wow your jailbroken iPhone friends.

I never recommend using any software that is cracked or jailbroken, so I feel little compassion for people who have gone this route on phones that are not for personal experimentation. (Hack to learn, keep it in the sandbox or you might get burned.) General users should never run cracked devices or software; a recent Mac Trojan was spread via cracked software. With that said, users can change the password using the passwd command after logging in as root. It is highly recommended that users also disable remote access by root. (Common on any system that runs SSH.)

What began as soft-core ransomware used by a Dutch hacker, who scanned networks looking for jailbroken iPhones, has expanded into a full-fledged worm called iKee. The original hack proceeded to prompt users via SMS for five Euros to secure the phone. In its current form iKee scans the following network ranges belonging to Australian 3G customers and is conducting a host of evil hacks, including changing background images, lockouts and stealing personal data. The current network ranges are the following:

  • 202.81.64.0-202.81.79.255
  • 23.98.128.0-123.98.143.255
  • 120.16.0.0-120.23.255.255
  • 114.72.0.0-114.75.255.255
  • 203.2.75.0-203.2.75.255
  • 210.49.0.0-210.49.255.255
  • 203.17.140.0-203.17.140.255
  • 211.28.0.0-211.31.255.255
  • 58.160.0.0-58.175.255.255

It will be interesting to see if there is a spike in scanning of SSH on mobile networks in the coming weeks. Users should never use a cracked iPhone; make sure that if your company provides iPhones, all users, including IT department employees, understand not to use jailbroken or cracked software. This should be part of the employee usage agreement and may need to be revisited in a Monday email blast from your security team.
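As an added detection example (not from the original post): sshd logs one line per password attempt, so the auth log of a jailbroken phone, or of an SSH gateway on a mobile network, can be checked for root logins sourced from the ranges listed above. The log lines below are constructed; the ranges are the ones quoted in the post.

```python
import ipaddress
import re

# Ranges quoted in the post (start-end, as written there). The entry whose start
# exceeds its end ("23.98.128.0-123.98.143.255") is omitted because it cannot be matched.
IKEE_RANGES = [
    ("202.81.64.0", "202.81.79.255"),
    ("120.16.0.0", "120.23.255.255"),
    ("114.72.0.0", "114.75.255.255"),
    ("203.2.75.0", "203.2.75.255"),
    ("210.49.0.0", "210.49.255.255"),
    ("203.17.140.0", "203.17.140.255"),
    ("211.28.0.0", "211.31.255.255"),
    ("58.160.0.0", "58.175.255.255"),
]
_RANGES = [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))) for lo, hi in IKEE_RANGES]

# OpenSSH auth log format: "Failed|Accepted password for [invalid user ]<user> from <ip> port <n> ssh2"
LINE_RE = re.compile(r"(Accepted|Failed) password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def in_ikee_ranges(ip: str) -> bool:
    """True if the IPv4 address falls inside one of the ranges listed in the post."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in _RANGES)


def scan_auth_log(lines):
    """Return (result, user, ip) for every root login attempt sourced from a listed range."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(2) == "root" and in_ikee_ranges(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


# Constructed sample log lines (not real captures); the Accepted line after a
# Failed one from the same source is the pattern a default "alpine" password produces
SAMPLE_LOG = [
    "Nov  8 03:14:07 iPhone sshd[412]: Failed password for root from 203.2.75.44 port 51120 ssh2",
    "Nov  8 03:14:09 iPhone sshd[412]: Accepted password for root from 203.2.75.44 port 51120 ssh2",
    "Nov  8 03:15:01 iPhone sshd[418]: Failed password for root from 192.168.1.20 port 40001 ssh2",
    "Nov  8 03:16:30 iPhone sshd[420]: Accepted password for mobile from 58.170.1.9 port 22011 ssh2",
]
```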


Saturday, Nov 7, 2009

TLS/SSL Vulnerability

This flaw affects browsers, servers, VPN deployments, HTTPS and any other service or device that uses the protocol. The Internet Engineering Task Force (IETF) will be proposing an extension to the protocol to address the vulnerability. Neither SSL nor TLS ensures continuity before and after renegotiation, allowing a man in the middle (MITM) to introduce data at the beginning of an SSL session. If you use SSL/TLS for any service on Mac OS X Server 10.6.x or 10.5.x, it is vulnerable to this exploit. If you use a web site and connect to it via HTTPS, you are vulnerable as well. However, you should continue to always use HTTPS.

The MITM needs to intercept the traffic, send their own data to the SSL server, and then request renegotiation. They can then forward the data from the original user exactly as in a standard MITM attack. Web servers combine the data sent before renegotiation with the data sent after it, which compounds the problem and affects any site or web user of SSL. Client certificate authentication is the technology that is highly vulnerable in real-world deployments, but it is rarely used. The attack has been proven successful against a host of SSL applications and services, including Apache and Microsoft IIS. Due to the difficulty of mounting the attack, it would most likely be used as part of a cocktail of exploits against a system. Encrypted data that is exposed to the MITM remains unreadable to the attacker, but other weaknesses in the SSL/TLS protocol can be leveraged. This shows that a layered approach to security limits the risk from a cocktail of exploits by crackers.

OpenSSL developers (released here) and GnuTLS are working on patches which allow you to disable renegotiation, but this does not fix the protocol's underlying issue. The removal of renegotiation may render some web services and applications unusable, so updates should not be applied to production systems until detailed tests have been done. A broader approach is to ensure that routers are running up-to-date firmware, the Kaminsky DNS bug patch is applied, system software has the latest security patches, and even within trusted networks packets are filtered (ingress and egress), including with the application layer firewall and the IPFW firewall in OS X Server. Application firewalls can filter embedded HTTP request lines, since they are not obfuscated, which can limit the risk of this vulnerability.
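The IETF extension mentioned above was later published as RFC 5746; a client that supports it advertises either a renegotiation_info extension (type 0xff01) or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00ff) in its ClientHello. The following is an added example (not code from the post, OpenSSL or GnuTLS) that parses a ClientHello record and reports whether either signal is present, which is what a server operator would look for when deciding whether legacy renegotiation can be disabled. The ClientHello bytes are constructed by a helper in the block.

```python
import struct

RENEGOTIATION_INFO_EXT = 0xFF01   # renegotiation_info extension type (RFC 5746)
RENEGOTIATION_SCSV = 0x00FF       # TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; return its cipher suites and extension types."""
    if len(record) < 5 or record[0] != 0x16:                     # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:                              # 0x01 = ClientHello message
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                             # handshake header, version, random
    pos += 1 + body[pos]                                         # session id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                         # compression methods
    exts = []
    if pos + 2 <= len(body):                                     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return {"cipher_suites": suites, "extensions": exts}


def supports_secure_renegotiation(record: bytes) -> bool:
    """True if the client advertises either secure-renegotiation signal."""
    info = parse_client_hello(record)
    return RENEGOTIATION_INFO_EXT in info["extensions"] or RENEGOTIATION_SCSV in info["cipher_suites"]


def build_client_hello(suites, extensions: bytes = b"") -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (used here only to construct sample input)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x01" + b"\x00" * 32 + b"\x00"                  # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")       # cipher suites, null compression
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a legacy client and one that sends an empty renegotiation_info extension
LEGACY_HELLO = build_client_hello([0x002F, 0x0035])
PATCHED_HELLO = build_client_hello([0x002F, 0x0035],
                                   struct.pack("!HH", RENEGOTIATION_INFO_EXT, 1) + b"\x00")
```

Clients that send neither signal are the ones that will break if a server refuses legacy renegotiation outright, which is why the post advises testing before deploying the patches.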

Needless to say, this may be the tip of the iceberg, and a vulnerability such as this can be used in countless imaginative ways. As with the Kaminsky DNS issue, the internet is not falling, but prudent action allows administrators to manage the risk of such vulnerabilities in widely used protocols.