All Posts


Apple Security Update for Mac OS X and iOS

Apple today published a security update for Mac OS X 10.7 (Lion), 10.8 (Mountain Lion) and 10.9 (Mavericks). The update addresses 13 distinct vulnerabilities across many components of Mac OS X, for example:

  • CVE-2014-1319 – an overflow in JPEG handling that can lead to Remote Code Execution (RCE) in 10.9 (Mavericks)
  • CVE-2014-1315 – a format string issue in URL handling that can lead to RCE in 10.9 (Mavericks)
  • CVE-2014-1314 – a Sandbox escape vulnerability in 10.8 (Mountain Lion) and 10.9 (Mavericks)
  • CVE-2013-5170 – a PDF parsing vulnerability that can lead to RCE in 10.8 (Mountain Lion)

An SSL bug was also addressed in CVE-2014-1295 but it is unrelated to the Heartbleed bug in OpenSSL. Apple ships with OpenSSL 0.9.8, a version that is not affected by Heartbleed.

Not surprisingly, given their similar heritage, Apple also published a new version of iOS that addresses some of the same issues. Version 7.1.1 fixes three CVEs in common plus another 16 in WebKit, the basis for the Safari browser. Apple had addressed similar vulnerabilities with Safari 7.0.3 and 6.1.3 in early April.

We recommend installing the new versions both for Mac OS X and iOS as quickly as possible.

New 0-day out for Microsoft Word – Update2

Update2: McAfee published an analysis of an exploit for CVE-2014-1761. Very interesting and eye-opening, as everything is controlled through the RTF document itself:

  • The attackers use a listoverridecount level of 25, which is outside of the 0, 1 or 9 specified in the standard. This confuses the RTF handler in Word and makes it possible to control the content of the program counter of the processor.
  • This gives the attacker the basis for arbitrary code execution. In this case the attackers are able to point the program counter to machine code that is included in the document itself, which makes the exploit very self-contained: no additional setup files are needed.
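A defender-side check for the anomaly described above, as an added example that is not from the original post or from McAfee's analysis: it walks an RTF file's control words and reports any \listoverridecount whose value is not 0, 1 or 9. The function name and the sample documents are constructed for illustration.

```python
import re

# Values the post cites as allowed by the RTF standard for \listoverridecountN.
ALLOWED_COUNTS = {0, 1, 9}

# One token per match: a control word with optional signed parameter and its
# delimiting space, a \'hh hex escape, or an escaped symbol (\\, \{, \}, \*).
_TOKEN = re.compile(rb"\\(?:([a-zA-Z]+)(-?\d+)? ?|'[0-9a-fA-F]{2}|[^a-zA-Z])")

def find_bad_listoverridecount(data: bytes):
    # Returns [(byte_offset, value)]; value is None if the parameter is missing.
    findings = []
    pos = 0
    while True:
        m = _TOKEN.search(data, pos)
        if m is None:
            break
        pos = m.end()
        word, param = m.group(1), m.group(2)
        if word is None:
            continue  # escaped symbol or hex escape, not a control word
        if word == b"bin" and param is not None:
            pos += max(int(param), 0)  # skip the N raw bytes that follow \binN
            continue
        if word == b"listoverridecount":
            value = int(param) if param is not None else None
            if value not in ALLOWED_COUNTS:
                findings.append((m.start(), value))
    return findings

# Constructed sample documents (not taken from any real file).
SAMPLE_BENIGN = rb"{\rtf1{\*\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}}}"
SAMPLE_SUSPECT = rb"{\rtf1{\*\listoverridetable{\listoverride\listid1\listoverridecount25\ls1}}}"
# The same text as escaped literal characters and inside \bin data: both must
# be ignored, because Word does not parse either as a control word.
_RAW = rb"\listoverridecount25"
SAMPLE_INERT = rb"{\rtf1 \\listoverridecount25 \bin" + str(len(_RAW)).encode() + b" " + _RAW + b"}"

if __name__ == "__main__":
    for name, doc in [("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT),
                      ("inert", SAMPLE_INERT)]:
        print(name, find_bad_listoverridecount(doc))
```

A hit is a reason to quarantine the file for analysis; a clean result says nothing about other RTF parsing bugs.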

Conclusion: Patch this as quickly as possible, i.e. next Tuesday. The attacks are real and happening now. The exploit does not look that hard to replicate with the information provided. Beyond patching, it makes sense to disable RTF opening anyway, which is what the FixIt in KB2953095 does. It certainly looks as if there is more potential for this type of vulnerability, which can be found with relatively little investment in file fuzzing. See Charlie Miller’s presentation on "dumb fuzzing" for some initial reading.


Disabling IPv6 – Updated

Update: As Mike pointed out in the comments, to disable IPv6 completely on the host, rather than on just the selected adapter, one needs to change HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents and set it to 0xffffffff.


Apple updates Mac OS X and Safari

Apple published security patches to its Mac OS X operating system (OS) today. The three currently maintained releases of the OS, 10.8 (Mountain Lion), 10.7 (Lion) and 10.6 (Snow Leopard), are receiving patches, with Lion’s version being updated to 10.8.3. In total 21 vulnerabilities are addressed, including the high-profile CVE-2013-0156, which patches an issue in the Ruby on Rails implementation in Mac OS X Lion server.

Apple also released a new version of the Safari web browser which fixes 17 vulnerabilities, all of them located in the WebKit rendering engine.

We recommend installing as soon as possible.

March 2013 Patch Tuesday Preview – Update

Update:

Google and Mozilla patched their browsers within 24 hours of the receipt of the vulnerabilities found through PWN2OWN.

Original:

It is the beginning of March and Microsoft just published the Advance Notice for this month’s Patch Tuesday.

We will get seven bulletins next week, affecting all versions of Windows, some Office components and also Mac OS X, through Silverlight and Office. Four of the bulletins carry the highest severity rating of “critical”.

Bulletin 1 will be on the top of our list next week. It fixes critical vulnerabilities that could be used for machine takeover in all versions of Internet Explorer from 6 to 10, on all platforms including Windows 8 and Windows RT. Bulletin 2 addresses critical vulnerabilities in Microsoft Silverlight, both on Windows and Mac OS X, which is widely installed, at least on end-user workstations, to run media applications, for example Netflix. Bulletin 3 is a vulnerability in Visio and the Microsoft Office Filter Pack. It is puzzling to see such a high rating for this software, which typically requires opening an infected file in order for the attack to work. It will be interesting to see the attack vector for this vulnerability that warrants the “critical” rating. The last critical bulletin is for SharePoint server.

The three remaining bulletins are all rated “important” and apply to OneNote, Office 2010 for Mac and Windows itself.

In other security news, the ZDI’s PWN2OWN competition is currently going on at the CanSecWest security conference in Vancouver. PWN2OWN awards prizes ranging from US$ 20,000 to US$ 100,000 to security researchers who can demonstrate vulnerabilities in the following products: Adobe Flash, Adobe Reader, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox and Oracle Java. In yesterday’s run, prizes were claimed for Oracle Java by James Forshaw, Oracle Java again by Joshua Drake, IE10 on Windows 8 by VUPEN, Google Chrome on Windows 7 by a team from MWR Labs, John and Nils, and finally Mozilla Firefox and Oracle Java, both by the team at VUPEN. Today the competition continues with attacks on Adobe Reader, Adobe Flash and IE10, and is then followed by Google’s Pwnium3, which awards prizes of over US$ 100,000 for vulnerabilities in Google’s ChromeOS.

You can expect patches for these vulnerabilities to be released over the coming weeks. We will keep you updated here, so stay tuned.