Apple has been all over InfoSec news in the past week or so, along with Spectre / Meltdown developments, a tax season scam alert from the feds, and an apparent solution to the Winter Olympics’ hack whodunit. In addition, researchers warned about a new trend of using Memcached servers to significantly boost DDoS attacks, as GitHub became a victim of this new tactic.
Apple under siege
The second half of February was intense for Apple on the security front. A digital forensics vendor claimed having the ability to unlock all iPhone models, including the X, while a researcher warned about a Trojan targeting MacOs computers that’s not detected by anti-virus products. Oh, and Apple had to squash another one of those pesky bugs that let people crash iPhones via texting.
Forbes dropped a news bomb on Monday when it reported that Cellebrite recently started telling its customers — which are primarily government, military and corporate investigative teams — that it’s able to unlock and extract data from devices running iOS 11, such the iPhone X, as well as other iPhones, iPads and iPods.
While Cellebrite isn’t publicly trumpeting this capability, anonymous sources told Forbes that in recent months the company “has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe.”
As Forbes noted, Cellebrite has posted a brochure on its website where it details its ability to unlock these Apple products as well as several Android devices, and extract data from them. The way it works is that customers ship the devices to Cellebrite, where its engineers work their magic. Cellebrite can’t (or won’t) crack devices remotely.
Apple today published a security update for Mac OS X 10.7 (Lion), 10.8 (Mountain Lion) and 10.9 (Mavericks). The update addresses 13 distinct vulnerabilities in many of the aspects of Apple’s Mac OS X, for example:
CVE-2014-1319 – an overflow in JPEG handling that can lead to Remote Code Execution (RCE) in 10.9 (Mavericks)
CVE-2014-1315 – a format string issue in the URL handling can lead to RCE in 10.9 (Mavericks)
CVE-2014-1314 – a Sandbox escape vulnerability in 10.8 (Mountain Lion) and 10.9 (Mavericks)
CVE-2013-5170 – a PDF parsing vulnerability can lead to RCE in 10.8 (Mountain Lion)
An SSL bug was also addressed in CVE-2014-1295 but it is unrelated to the Heartbleed bug in OpenSSL. Apple ships with OpenSSL 0.9.8, a version that is not affected by Heartbleed.
Not surprisingly due to their similar heritage Apple also published a new version of iOS that addresses some of the same issues. Version 7.1.1. fixes three CVes in common plus another 16 in Webkit the basis for the Safari browser. Apple had addresses similar vulnerabilities with Safari 7.0.3 and 6.1.3 in early April.
We recommend installing the new versions both for Mac OS X and iOS as quickly as possible.
On Friday, Apple released patches for iOS 6.x and 7.x, addressing a mysterious bug that affected TLS authentication. Although no further details were made available, a large-scale bug hunt ensued. This post on Hacker News pointed to the problem, and Adam Langley followed up with a complete analysis.
I’ve just released an update for the SSL Labs Client Test, which enables you to test your user agents for this vulnerability.
This bug affects all applications that rely on Apple’s SSL/TLS stack, which probably means most of them. Applications that carry with them their own TLS implementations (for example, Chrome and Firefox) are not vulnerable. For iOS, it’s not clear when the bug had been introduced exactly. For OS X, it appears that only OS X 10.9 Mavericks is vulnerable.
What you should do:
iOS 6.x and 7.x: Patches are available, so you should update your devices immediately.
OS X 10.9.x:Apple promised a fix would be available soon. Update as soon as it is released. The vulnerability has been fixed in 10.9.2. Update immediately.
Today Oracle released its June 2013 Java SE Critical Patch Update (CPU) which fixed 40 new security issues. All vulnerabilities except three can be exploited remotely by an attacker, and in most cases, the attacker can take complete control of the system. An attacker can achieve this by using a variety of drive-by techniques letting a Java applet run arbitrary code outside of the Java sandbox. Todays CPU affects JDK and JRE versions 5, 6 and 7. We highly recommend applying these patches as soon as possible.
For Patch Tuesday this month, we are receiving critical updates from both Microsoft and Adobe. Microsoft has five bulletins, bringing the six-month total up to 51 bulletins, about 20% more than we had in 2012.
The most important Microsoft bulletin is MS13-047, a fix for Internet Explorer (IE).The bulletin is rated “critical,” addresses 19 vulnerabilities and affects all versions of IE, from IE6 to IE10, running on all versions of Windows, from XP to RT. Given the large number of vulnerabilities fixed, this will be the main target for attackers to reverse engineer and construct an exploit that can be delivered through a malicious webpage. Apply this bulletin as quickly as possible on all workstations that use IE for Internet access.
Apple published security patches to its Mac OS X operating system (OS) today. The three currently maintained releases of the OS 10.8 (Mountain Lion), 10.7 (Lion) and 10.6 (Snow Leopard) are receiving patches with Lion’s version being updated to 10.8.3. In total 21 vulnerabilites are addressed including the high profile CVE-2013-0156 that patches an issue in the Ruby on Rails implementation in Mac OS X Lion server.
Apple also released a new verion of the Safari web browser which fixes 17 vulnerabilities, all of them located in the WebKit rendering engine.
It is the second week of November – time for our monthly software updates from Microsoft and increasingly from other vendors. Microsoft is publishing six updates this month, which brings the total year-to-date number to 76. That means we will stay well below the 100 number for the year, which has been reached in both in 2011 and 2010 – definitely a win for IT administrators.
Four of the six updates are rated "critical"; there is also one "important" and one "moderate". We rank the Internet Explorer update MS12-071 as the most urgent. It allows an attacker to gain control over a machine running on IE by setting up a web page that hosts the exploit code. Microsoft rates its exploitability as "1," which means that it is relatively easy to develop the code necessary to take advantage of one of the four fixed vulnerabilities. However, the problem only affects IE 9, and anybody that is running a different version (7,8 or 10), which is 90% of all enterprise IE users, can move on to the next vulnerability.
MS12-076 addresses a file format vulnerability in Microsoft Excel, which Microsoft rates as "important." We think any vulnerability in a popular application that allows Remote Code Execution should be high on any IT administrator’s list to fix. Excel 2013, Microsoft’s newest version, published just this year, is the only version of Excel not affected. All other versions of Excel should apply this patch.
MS12-074 addresses five vulnerabilities in the .NET framework; one of them is critical. The critical vulnerability allows an attacker who is controlling the contents of the the Proxy Auto Config (PAC) file to execute code in .NET applications, such as XBAP and .NET ActiveX. The potential for widespread code execution through this mechanism is limited because .NET applications are turned off by default. As of June 2011, they require user agreement to run, however if you have update MS11-044 installed. Microsoft has a blog post with further technical details.
MS12-075 addresses three vulnerabilities in the Windows kernel. One of the vulnerabilities is critical, located in the font handling module and could potentially be triggered by a file format attack through applications, such as Office, a third party browser or PDF reader.
Microsoft’s latest version of the Windows Operating System, Windows 8, came out last month in October and has a number of improvements in the security area that address the majority of known attack vectors in the existing versions of Windows. However, researchers at VUPEN recently tweeted that they found a way to achieve remote code execution, and this month the new OS is affected by three vulnerabilities.
Do not forget to look into last week’s releases of Adobe Flash and Apple Quicktime. Both have been targeted by attackers before, and you should always be on the latest versions of both products to avoid being exposed to exploits against known vulnerabilities that are included in toolkits, such as BlackHole, Crimepack and Phoenix.
One way to always keep Adobe Flash updated is to upgrade to IE 10, which Microsoft is making available for Windows 7 in a special preview today. Similar to Google Chrome, IE 10 now includes Adobe Flash running in a special Sandbox, providing an encapsulated execution environment and assuming the responsibility to deliver updates for the third party Adobe Flash as part of IE. This is a first for Microsoft, but certainly a step in the right direction and a sign of things to come. As we migrate applications delivery to App Stores, a model proven in the mobile space where malware is at much lower levels, updates will be centrally delivered through a single update mechanism, and security will improve significantly.
Apple today released a security update for Mac OS X 10.8, 10.7 and 10.6 (Mountain Lion, Lion and Snow Leopard) that addresses over 30 vulnerabilities, including CVE-2012-0671 originally discovered by Rodrigo Branco (@bsdaemon), Qualys Director of Vulnerability Research.
In addition, Apple released a new version of its Safari browser. Version 6.0.1 addresses over 60 vulnerabilities contained mostly in the WebKit HTML rendering framework.
We recommend installing the updates as soon as possible.
Guest post from Rodrigo Branco, Director of Vulnerability and Malware Research at Qualys
Apple just released an advisory addressing 17 security flaws in QuickTime Media Player. The update is rated critical as several of the fixed vulnerabilities can be used to achieve "Remote Code Execution". One of the critical vulnerabilities addressed is CVE-2012-0671, which I discovered and reported to Apple earlier this year.
How was the vulnerability discovered?
I found the vulnerability by manually investigating and reverse engineering the binary code of QuickTime and created a fuzzer to cover specific portions of the Apple media formats. In this particular vulnerability, QuickTime does not parse .pct media files properly, which causes a corruption in the module DllMain through a malformed file with an invalid value located at offset 0x20E. In my testing I used QuickTime Player version 7.7.1 (1680.42) on Windows XP SP 3 – PT_BR, but most likely other versions on Windows affected as well.
A PoC repro01.pct is available for interested parties and was shared with Apple on February 22, 2012 to help them locate and fix the problem.
What does this vulnerability mean?
If you use QuickTime, attackers can take total control of your machine through this vulnerability, which is triggered by playing a malicious media file that uses overly large values in the PCT image format. A typical attack would embed such a file into a webpage and use social engineering to drive users into viewing the page. So far, there have been no reports of attackers exploiting this vulnerability yet.
To put this into context, QuickTime is used by 61% of all internet enabled PCs, including 49% of all Windows PCs and 98% of all Apple computers (numbers courtesy of Qualys BrowserCheck). Even if you don’t use QuickTime by default to play movies and videos, it can be used as the media player for the PCT format on all web browsers, including Chrome, Safari, Internet Explorer and Firefox.
All users, consumers and businesses alike, should download the security update as soon as possible since simply browsing to a malicious web page on any web browser can activate this vulnerability. If you’re not sure whether your QuickTime plug-in is updated, you can use Qualys BrowserCheck, a free service, to check if you need to download the update.
Throughout the whole process, Apple was very professional in handling this issue and provided constant status updates upon my request. It was great to see a company of Apple’s size taking a proactive role to ensure that their software and their users are protected from major vulnerabilities like this one.
Apple just published three new software releases for Safari, OS X and iOS:
Safari 5.1.7 is described by Apple as an update that enhances performance in low memory conditions. In terms of security, Apple has made the Safari installation process plug-in aware and now disables outdated versions of the Adobe Flash plugin when they are found. After Apple’s recent auto-disabling Java release, this is Apple’s second action reaching across normal vendor boundaries and experimenting with common sense, best practice guidelines. Adobe’s Brad Arkin agrees in his blog post, and I believe this is a good and refreshing initiative.
Mac OS X 10.7.4 is the newest version of Apple’s Lion Operating System. This release fixes more than 30 vulnerabilities in the core OS, Apple Applications such as Quicktime and some included software such as Samba, Ruby and PHP. It also addresses the legacy FileVault password issue introduced in Lion 10.7.3 where a inadvertent debug flag was causing the user’s password to be logged in cleartext. A update for Snow Leopard 10.6.8 that carries its applicable fixes is available as Security Update 2012-0002
iOS 5.1.1 is a new version of the Apple Operating system for iPad, iPhones, and iPods. It addresses three vulnerabilities, updating Safari and WebKit. One of the vulnerabilities in WebKit was found during Google’s PWNIUM contest in March of 2012.
We recommend installing the updates as quickly as possible.