MAAS History
Archives
Monday, Mar 15, 2010

Ransomware, Scareware and Trojans are a Real Threat

It is clear that as the user and developer base of Mac OS X grows, so will the value of compromised Macintosh computers to cyber criminal organizations. The Mac is an intriguing target because it is a true Unix system. The popularity of the iPhone and iPad has only increased interest in exploiting the Macintosh platform.

One of the downsides of Apple's advertising campaign is that users fall victim to a false sense of security: they tend to have weak passwords and no backups, and they opt out of firewall and anti-virus software. Cyber criminals exploited jailbroken iPhones after a proof-of-concept exploit was altered into a trojan that stole information, locked the user's phone and redirected customers of a particular bank to a phishing site to steal account information.

Dancho Danchev has an excellent article on the ZDNet blog that is a must read. Proof-of-concept code for various Mac SMS ransomware has been posted to forums in Russian and Chinese. (Several zero-day exploits submitted to the Zero Day Initiative have also appeared on Chinese forums. With the DoD moving many client systems to Mac OS, the interest of foreign governments in Mac OS will only increase.) It is only a matter of time before these proofs of concept are re-engineered into crimeware. So now is the time to start thinking about security within Mac OS: install anti-virus software; run a firewall that does both ingress and egress filtering (a third-party front end if you are not comfortable writing ipfw rules yourself); install snort and auditing tools; and only open files from trusted sources.
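The ingress and egress filtering recommended above, written directly against ipfw as it shipped on Mac OS X 10.5 and 10.6. This is an added example and not a ruleset from the original post or from Apple; the interface name, the outbound port list and the empty inbound service list are assumptions for illustration and should be adjusted for the host in question.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal ipfw ruleset for
# Mac OS X 10.5/10.6 that denies unsolicited inbound traffic and only lets
# the listed outbound services through. Interface name, allowed egress
# ports and inbound services are assumptions; adjust them for your host.

IPFW=/sbin/ipfw
WAN_IF=en0                      # assumed interface facing the network
EGRESS_TCP="22,25,53,80,443"    # outbound TCP services this host may reach
EGRESS_UDP="53,123"             # DNS and NTP
INBOUND_TCP=""                  # e.g. "22" to accept SSH; empty = no inbound

# Print the ruleset, one ipfw command per line, so it can be reviewed or
# saved to a file loaded at boot before anything is applied.
# Logging on the final deny needs sysctl net.inet.ip.fw.verbose=1.
ipfw_ruleset() {
    cat <<EOF
$IPFW -q flush
$IPFW -q add 00100 allow ip from any to any via lo0
$IPFW -q add 00110 deny ip from any to 127.0.0.0/8
$IPFW -q add 00120 deny ip from 127.0.0.0/8 to any
$IPFW -q add 00200 check-state
$IPFW -q add 00300 allow tcp from any to any $EGRESS_TCP out via $WAN_IF setup keep-state
$IPFW -q add 00310 allow udp from any to any $EGRESS_UDP out via $WAN_IF keep-state
$IPFW -q add 00320 allow icmp from any to any icmptypes 0,3,8,11
EOF
    # Type 8 above means the host still answers ping; drop it if unwanted.
    if [ -n "$INBOUND_TCP" ]; then
        echo "$IPFW -q add 00400 allow tcp from any to any $INBOUND_TCP in via $WAN_IF setup keep-state"
    fi
    cat <<EOF
$IPFW -q add 00500 deny tcp from any to any in via $WAN_IF setup
$IPFW -q add 65000 deny log ip from any to any
EOF
}

# Apply the ruleset. Requires root and a host that still ships ipfw;
# it refuses to run otherwise instead of silently doing nothing.
apply_ipfw_ruleset() {
    [ -x "$IPFW" ] || { echo "ipfw not found at $IPFW" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    ipfw_ruleset | sh -e
}

# Review the rules by running the file; apply with: sudo sh thisfile.sh apply
if [ "$1" = "apply" ]; then
    apply_ipfw_ruleset
else
    ipfw_ruleset
fi
```

Everything not explicitly allowed on the way out falls through to rule 65000, which is what makes this egress filtering rather than just an inbound firewall; the check-state rule lets replies to the stateful outbound rules back in without a matching inbound allow.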

Ransomware, scareware and trojans are a real threat; Mac users and administrators need to get used to it.

Friday, Mar 12, 2010

APPLE-SA-2010-03-11-1 Safari 4.0.5

Apple has released Safari 4.0.5, a security update that addresses 10 issues, including zero-days in ColorSync, ImageIO and WebKit. Six additional issues affect the Windows version of Safari.

One issue allowed cookies to be set even when Safari was configured to block them: PubSub, which handles RSS and Atom feeds, accepted cookies set by feeds regardless of the cookie setting. This implementation error has been corrected. Several of the WebKit vulnerabilities concern the handling of CSS, HTML and XML documents and result in memory corruption, which can lead to arbitrary code execution or an application crash (denial of service). One of them, in the handling of CSS format() arguments, is addressed with improved memory tracking. Others involve HTML element callback content, the display of right-to-left text, a use-after-free in the handling of incorrectly nested HTML tags, and the parsing of XML documents. These WebKit issues are likewise addressed by improved memory reference tracking.

There is also a host of improvements in the handling of third-party plug-ins, stability improvements for Web sites that use forms, stability improvements in the handling of Scalable Vector Graphics, and a fix for iWork.com users being unable to comment on documents. The installation requires a restart of the system. The update is critical; users should not browse the Web with Safari until it is installed.

Tuesday, Mar 9, 2010

Office 2008 for Mac 12.2.4 Update Released

Microsoft has released security update 12.2.4 for Office 2008 for Mac to address stability issues and CVE-2010-0263, which affects its Office products including Office 2008 for Mac. The flaw is in the decompression of XLSX files: the headers are not validated properly, which can result in the execution of uninitialized blocks of memory, so an attacker could run arbitrary code with the privileges of the current user. The exploit requires user interaction (opening a crafted file).

This update needs to be applied: select Check for Updates in Office, or follow the reference link attached to download the file.

Friday, Mar 5, 2010

Researchers Build Mobile Botnet with Weather.app

Derek Brown and Daniel Tijerina of TippingPoint's Digital Vaccine Group built a malicious Weather.app for the iPhone that delivers information about users, including their GPS locations and phone activity, back to a controller. Their test was run only against jailbroken iPhones; they did not try to submit the application to the iTunes App Store, because they felt Apple's rigorous testing, digital signature process and rejection of apps that "phone home" or rely on private APIs would get it rejected. Their malicious Weather.app did spread on underground sites that cater to jailbroken iPhones.

This event supports Apple's recent decisions to block jailbroken phones from the store, remove software that weakens the security of the iPhone, and institute a rigorous validation and verification process for apps before they are approved. However, as was first discussed in a posting from February, it is only a matter of time before someone gets an app approved into the App Store that operates as malware or carries out malware-type operations. This is a matter of when, not if, so users should protect their devices with anti-virus apps and back up their iPhone data. More importantly, there is no reason to operate a jailbroken iPhone. Organizations should make sure their usage policies state that no jailbroken device may be used for the organization's activities. Policy makers should get ahead of this ticking mobile time bomb.

Thursday, Mar 4, 2010

AirPort Application Level Gateway FTP Proxy Allows Security Bypass

Sabahattin Gucukoglu has posted details of a flaw in the Application Level Gateway (ALG) of the AirPort, AirPort Extreme and Time Capsule products, which proxies FTP between external hosts and internal NAT clients. The ALG provides seamless configuration with other Apple products and is also used when services run on non-default ports. For FTP, it lets a server behind the NAT be reached from outside by rewriting the addresses carried in the command channel (the address in a PORT command or in a passive-mode reply), so that external clients can connect to it in passive mode.

The result is that any actor who can reach the FTP port forwarded on the WAN interface to an internal host (a public FTP server) can induce the FTP server on the NAT LAN to send data to arbitrary addresses and ports. It does not matter how securely the FTP server itself is configured, since the flaw is in the ALG, so no amount of trust in the end points protects against it. This can be leveraged in a host of attacks: bounced port scans, denial of service, spamming and data theft.

Sabahattin Gucukoglu reported the issue to Apple, but no patch had been issued after seven weeks, so he has made the information public. Problems in the ALGs of WiFi devices are an excellent attack vector. The public disclosure does not include any firmware version information, and we have not confirmed it independently.

Using FTP opens a host of problems; users should avoid it, since better alternatives exist (SFTP or SCP over SSH, for example). Workarounds include not triggering the ALG by using the default ports, not using FTP at all, and disabling FTP uploads that can then be downloaded by guest (anonymous) users. Given the public disclosure, we expect Apple to release a firmware update with the patches coming out this month.
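The two sides of the problem described in this post, worked through as an added example that is not code from the disclosure or from Apple's firmware: what an FTP ALG legitimately rewrites in the command channel, and the check an FTP server (or an ALG placed in front of it) should apply to a PORT command before a data connection is opened. The addresses are constructed from documentation ranges; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the disclosure or Apple's firmware. Addresses are
# constructed for illustration.

# The legitimate ALG job: a server behind NAT answers PASV with its private
# address, and the gateway rewrites it to the WAN address so an outside
# client can connect. $1 is the WAN address as h1,h2,h3,h4; $2 the 227 line.
rewrite_pasv_reply() {
    echo "$2" | sed "s/(\([0-9]*,\)\{4\}/($1,/"
}

# Parse the argument of "PORT h1,h2,h3,h4,p1,p2" (RFC 959).
# Prints "host port" on success; returns 1 on malformed input.
parse_port_arg() {
    _old_ifs=$IFS
    IFS=','
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 6 ] || return 1
    for _n in "$@"; do
        case $_n in ''|*[!0-9]*) return 1 ;; esac
        [ "$_n" -le 255 ] || return 1
    done
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# check_port_cmd <control-connection peer address> <PORT argument>
# The bounce works because the data target is taken from the command
# channel and never tied to who is actually on the control connection.
# Accept only a target that is the control peer itself, on an unprivileged
# port (the RFC 2577 recommendation); anything else is refused.
check_port_cmd() {
    _target=$(parse_port_arg "$2") || { echo "reject: malformed PORT argument"; return 1; }
    _host=${_target% *}
    _port=${_target#* }
    if [ "$_host" != "$1" ]; then
        echo "reject: data target $_host is not the control peer $1"
        return 1
    fi
    if [ "$_port" -lt 1024 ]; then
        echo "reject: privileged data port $_port"
        return 1
    fi
    echo "accept $_host:$_port"
}

# Demonstration with constructed addresses:
rewrite_pasv_reply 203,0,113,1 "227 Entering Passive Mode (10,0,1,20,195,80)"
check_port_cmd 198.51.100.7 198,51,100,7,4,1           # client's own host: accept
check_port_cmd 198.51.100.7 203,0,113,9,0,25 || true   # bounce to a mail port: reject
check_port_cmd 198.51.100.7 198,51,100,7,0,80 || true  # privileged port: reject
```

The point of the check is that a securely configured server still cannot help if the gateway's ALG does the rewriting and connecting on its behalf without this comparison; that is why the post says no level of trust at the end points protects against the flaw.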