iTunes 8.2 Update
Apple has plugged a buffer overflow in iTunes which would allow an attacker to insert code. In a primitive attack the application will terminate. The update improves the overall bounds checking.
The Java Runtime Environment in Mac OSX has vulnerabilities for which Sun has released updates. Apple will have to provide an update via Software Update for general users shortly; see the references for a complete list from the Sun Solve site. The issues include privilege escalation, failure to check signatures, buffer overflows, Zip parsing that allows reading of arbitrary memory, and code from the local system accessing the local host. The current test below will result in a bootstrap failure.
At this time users should disable Java; if it is needed, only .class and JAR files from trusted sites should be run.
<<Note: The test site below is a link to test CVE-2008-5353; it will cause your system to crash. Currently Virus Barrier is detecting this security hole. It is not a live link; you are responsible, and you have to cut and paste the link.>>
http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html
Marc Schoenefeld has posted information on how to install a non-OSX Java distribution and a link to a site with the exploit. Currently Virus Barrier detects the virus and will put it into quarantine. You should of course delete the class files, all of which carry the Java/Evasion.A virus.
http://www.illegalaccess.org/
Apple has released updates to its Java platform. Make sure to select the update in Software Update to install it; these updates are critical. Before installing, make sure no applications that use Java are running. This fixes many of the issues, including preventing Java applets/applications from running and gaining elevated privileges.
http://support.apple.com/kb/HT3633
http://support.apple.com/kb/HT3632
This update covers over 67 vulnerabilities spanning Mac OSX 10.4.x-10.5.x, including in Apache, BIND, CoreGraphics, CUPS, enscript, Help Viewer, International Components for Unicode, Kerberos, Launch Services, Net SNMP, ATS, CFNetwork, CScope, Disk Images, Flash Plug-In, iChat, IPSec, Kernel, libxml and Network Time.
Within CoreGraphics the issues relate mostly to PDFs; the exploit requires a user to load a specially crafted file from a download or a web site. Used in conjunction with other flaws it allows an elevation of privileges, so having a limited account is not a foolproof solution. The ATS service can experience a buffer overflow due to the way that it handles Compact Fonts; this again, used with other vulnerabilities, can allow an attacker to elevate privileges. Use of a limited account is not one hundred percent effective.
Sites that are hosted from Mac OSX servers using Apache can publish specially crafted files that can substitute their own response for any web page being hosted on that system. The CFNetwork flaw is related to Set-Cookie parsing, which can result in certain cookies being sent with clear text information. Many developers who use XCode and need to print line numbers resort to using enscript. This update addresses several issues in it, including the possibility to execute arbitrary code.
The update also addresses various issues related to Safari, including the heap buffer issues related to libxml. There are also updates for Safari Public Beta, which should not for any reason be used on a production system or a system with access to internal network resources.
This update also addresses important issues related to Mac OSX Server. Administrators should patch their servers only after testing on non-production systems. Many of these updates are listed as critical. I currently have been using Parallels server for Mac OSX server and have not experienced any issues with our in-house test systems. These systems make up the bulk of my security lab.
There has been a drastic increase in spam related to the recent outbreak of Swine Flu. Many recent messages have links and file content that direct users to malicious sites. There are also reported cases of the inclusion of malicious files. It is important that users only open emails from trusted sources.
One way to help users become better educated is to create a sample White Paper for your organization. Marshal8e6's TRACElabs is an excellent starting point including definitions and examples.
Attackers continue to use maliciously crafted PDF files and JavaScript to take advantage of users; once the user opens the file with the exploit, an attacker can execute code with the user's privileges. (Note the importance of working as a non-root user!)
The exploit uses two functions specific to Acrobat, spell.customDictionaryOpen() and getAnnots(). These relate to spell checking with a custom dictionary and to the getter method for annotations. The proof of concept was posted by "Arr1val" and possibly affects all versions of Acrobat Reader.
You should have already disabled JavaScript in Acrobat. Other workarounds include using Preview.app to open PDF files or blocking PDF files at the firewall. Please see the reference links to this post for alternatives to Acrobat Reader.
Adobe has posted an update for these vulnerabilities.
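A triage check to go with the workarounds above, as an added example that is not from the original post or from Adobe: it inflates Flate-compressed streams, undoes hex-escaped PDF names, and reports script-triggering keys together with the two method names mentioned. The key list, the scoring rule and the constructed sample are assumptions; a hit is a reason to hold the file for review, not proof of an exploit.

```python
import re
import zlib

# Keys that make a PDF reader run script, plus the two Acrobat JavaScript
# methods named in the post. The scoring rule below is an assumption.
NAME_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
API_CALLS = (b"customDictionaryOpen", b"getAnnots")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return the Flate-decoded body of every stream that inflates."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the end-of-line left before endstream
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # uncompressed or another filter: raw bytes still scanned
    return out


def triage_pdf(data: bytes) -> dict:
    """List script-related keys and the two method names found in a PDF."""
    blob = decode_names(b"\n".join([data] + inflate_streams(data)))
    keys = sorted(k.decode() for k in NAME_KEYS
                  if re.search(re.escape(k) + rb"(?![A-Za-z])", blob))
    calls = sorted(c.decode() for c in API_CALLS if c in blob)
    return {"keys": keys, "calls": calls, "suspicious": bool(keys and calls)}


# Constructed sample (not a real exploit): a harmless getAnnots call inside
# a Flate stream, referenced through a hex-escaped /JavaScript name.
_js = zlib.compress(b"var a = this.getAnnots({nPage: 0});")
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /S /J#61vaScript /JS 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + _js +
          b"\nendstream\nendobj\n")

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

Only Flate-compressed streams are decoded here; files using other filters or encryption need a full PDF parser before the same checks apply.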
http://www.adobe.com/support/security/bulletins/apsb09-06.html