vulnerability

Latest

  • There's a hole in Safari, dear Liza

    by Victor Agreda Jr
    03.19.2009

    Update: Thanks as well to everyone who pointed out that we got our sources mixed up! The article linked is the 2007 CanSecWest, and we apologize for the confusion. The winner of the 2009 competition was Charlie Miller (sorry Charlie), and you can read more about this year's competition here -- IE8 and Firefox have also been compromised in the competition. If you're curious about the state of Mac security and exploitation, be sure to check out Dino Dai Zovi's presentation here. Special thanks to Chris von Eitzen at The H, and to everyone else who let us know!

    ---

    Another year, another Pwn2Own at CanSecWest and Safari falls... in a short time. Well, to be fair, Safari fell after 24 hours and "... a couple of seconds," give or take a few. On day two of the event the "attack surface" widens -- that is, hackers are given more ways to hijack the machine. In this case, it wound up being a hole in Safari. As the barrier was lowered, an email was sent to the judges, who clicked on it, and that link took them to a special page that exploited the vulnerability. The exploit was discovered by Dino Dai Zovi who, "wrote the exploit overnight in about 9 hours" as MacDailyNews reports. Dino was assisted on the ground by Shane Macaulay. As yet, we haven't seen this in the wild, and the hole has been properly disclosed to Apple.

    As Download Squad notes, Firefox and Internet Explorer 8 were taken down some time later. Before declaring Safari "less secure" than those browsers, it is important to note that the hole has been reported to Apple, who need only issue a patch to fix it. Further, the exploit that took Dino 9 hours to write isn't publicly available. That said, it stresses the importance of installing browser patches and security updates for your machine. The best part about finding these exploits at events like CanSecWest is that they help make Safari, and every other browser, more secure.

    Thanks to everyone who sent this in!

  • The Pwn2Own trifecta: Safari, IE 8, and Firefox exploited on day 1

    by Thomas Ricker
    03.19.2009

    That didn't take long. One day into the Pwn2Own hacking competition at CanSecWest and already Apple, Microsoft, and Mozilla have been sent packing to their respective labs to work on security issues in their browsers. In a repeat performance, Charlie Miller pocketed a $5,000 cash prize and a fully-patched MacBook by splitting it wide, and gaining full control of the device after a user clicked on his malicious link. Another white-hatter by the name Nils (pictured) toppled Internet Explorer 8 running on a Windows 7 laptop -- again, the five grand and compromised VAIO P laptop are now his to keep as compensation for turning over the malicious code. So much for "protection that no other browser can match," eh Mr. Ballmer? Nils then demonstrated a second Safari exploit before hacking Firefox later in the afternoon netting him a cool $15k by the close of day one. Only Google's Chrome was left unscathed -- Opera isn't part of the contest. This year's contest will also offer a $10,000 prize for every vulnerability successfully exploited in Windows Mobile, Android, Symbian, and the iPhone and BlackBerry OSes. In other words: this contest that runs through Friday isn't over by any stretch. [Via ZDNET]

  • Acrobat vulnerability may affect Mac users

    by Michael Rose
    02.20.2009

    As if the baked-in security issues weren't enough to deal with, Adobe has announced today that all versions since v7 of Acrobat and Acrobat Reader on all platforms -- including Mac OS X -- are vulnerable to a Javascript exploit that can crash Acrobat. [Correction, per The Register and Shadowserver: the vulnerability is not in Javascript per se, but the circulating exploits use Javascript to leverage the actual flaw. Thanks to Adam Engst for the heads-up.] The same approach could possibly give an attacker unrestricted access to the target system. More from Download Squad on the scope of the problem; Adobe and others are reporting that there are already exploits in the wild for this problem.

    Mac users have, of course, a very solid option for handling PDF files other than Acrobat: Preview, installed on every Mac OS X machine. You can also turn off Javascript support in the Acrobat preferences to lock out exploits from proceeding beyond crashing the app to actually doing widespread damage.

    To change the default handler for PDF files, select any PDF file in the Finder and then select Get Info from the File menu. Under the Open With section, select Preview.app and then click Change All.

  • Security experts hating on Android browser until patch is released

    by Chris Ziegler
    02.12.2009

    Software vulnerabilities are no stranger to modern, highly-connected smartphones and feature phones alike, and fortunately, the big guys have been pretty good about staying on the ball and patching the serious stuff in a reasonable amount of time. The latest problem discovered in the Android browser's multimedia subsystem really sucks, though -- it's so bad, some security dudes are advising customers to "avoid" using it altogether until it gets fixed -- and the most frustrating part about it is that it actually is fixed in the Android code trunk, it's just that no one's bothered to roll out an update to G1 users yet. In the meantime, the dude who discovered the problem is advising users to only visit trusted sites and avoid WiFi, so yeah, just don't browse or anything, okay? [Via ReadWriteWeb]

  • Evil WAP Push messages can reboot some Sony Ericsson handsets?

    by Chris Ziegler
    02.01.2009

    Some modern phones do a pretty good job of rebooting at random on their own without additional assistance from miscreants, but unfortunately, the real world is filled with people who'd like to make your gadgets just a little bit buggier than they already are. Enter this nifty little vulnerability recently discovered to affect a good number of Sony Ericsson models, involving a specially crafted WAP Push message carried via SMS that'll instantly restart the phone. That's not the best part, though -- in theory, an attacker could send you a string of these bad boys that would get queued up by your carrier, so the second the phone comes back online, it gets the next message and restarts once again -- potentially leading to a long, painful spell without a usable handset. Apparently, there isn't any known fix for this, so if you're carrying one of the affected models, just stay on the good side of any evil-doers you happen to know for now, okay? Follow the break for a video of the restarts in action (we understand the outgoing calls are just to demonstrate that the attack can be initiated at any time, though we can't say for sure).

  • Safari RSS vulnerability might reveal your personal data

    by Michael Rose
    01.13.2009

    This vulnerability is patched in the 2009-001 security updates.

    When reports of security issues in Apple's Safari browser come over the transom, they get our attention. When they're exploitable in both the Mac and Windows versions of Safari, they get our full and undivided attention. When the person reporting them is Brian Mastenbrook (credited with discovering multiple previous vulnerabilities in Mac OS X)... well, someone shut off that damn klaxon and let us get back to work. In this case, the issue is that a hole in Safari's handling of RSS feeds could allow an attacker (via a malicious web page) to capture a user's personal information, cookies or even passwords. While Brian has not posted more details of the vulnerability publicly, he has acknowledgment from Apple that the issue exists; hopefully we will see an update soon that closes this hole. In the meantime, although Windows Safari users are advised to use a different browser to avoid the vulnerability, Mac users can simply set an alternative RSS feed handler to work around the issue.

    Update 1/14: Per Brian's further research, the workaround below is not adequate to protect against the vulnerability, as Safari also handles URL types of 'feeds' and 'feedsearch,' which cannot be set to alternative handlers within Safari itself. The revised workaround calls for the RCDefaultApp preference pane, which does let you redirect the other URL types.

    To change your feed handler, go to Safari's Preferences and click the RSS button. If you have any other capable feed reader on your machine, you can select it from the list (if your menu looks like mine does in the screenshot, you have a serious problem with RSS reader addiction and you need immediate help). Don't have another feed reader available? NetNewsWire and NewsFire (and the open-source Vienna, cited repeatedly by our commenters) are free for the downloading, as is the Reader Notifier helper app that interacts with Google Reader -- for the purposes of getting around the vulnerability, it doesn't matter which application you choose as long as you don't leave it set to the default of having Safari do its own RSS chores. Note that the vulnerability apparently does not require you to open a feed in Safari to be affected -- a specially-constructed webpage is capable of triggering it. RCDefaultApp settings for "feeds" and "feedsearch" also need to be modified.

    Thanks to Brian for the heads up & everyone who sent this in.

  • Internet Explorer exploit targets game passwords

    by Mike Schramm
    12.16.2008

    Is anyone still using Internet Explorer on a computer where they have control of the software? The browser is so targeted and so flawed, and there are so many worthwhile and free alternatives, that it's almost silly to continue using Microsoft's monster of a browser. But if you still are, watch out -- the BBC says that Microsoft has announced another vulnerability, and this time it could be used to obtain "game passwords," like your account information for World of Warcraft.

    The good news is that, like most virus scares (ever notice that all of the virus warnings come from companies that happen to make their money on antivirus software? In this case, it's Trend Micro, spreading as much FUD as they can), this warning is probably overblown -- even if you are using a browser full of holes like IE, you have to wander off your beaten path of trusted sites to get in trouble. So don't click random links or follow spambait on the forums or in your email, and you'll probably be fine. But again, installing and using another browser is so easy (and will help you so much in the long run) that you might as well give up IE anyway.

    Thanks to everybody who sent this in! And yes, I used the old login screen for this post's picture. But don't you kind of miss it?

  • Epic Android bug interprets your typing as system commands

    by Chris Ziegler
    11.08.2008

    The philosophy goes something like this: the great thing about Linux is that it's secure, and the great thing about open-source software is that it's thoroughly and constantly vetted for robustness. So to that end, Android should be pretty rock solid, right? Perhaps, but the overwhelming enormity of this particular bug definitely gives us pause. It turns out that G1 firmware revisions RC29 and earlier literally interpret everything you type as command-line operations, so if you happen across a legit command, it's going to get executed -- with superuser permissions, no less. No, seriously. Just go to the messaging app, the browser, or anywhere else a text box is convenient, type "reboot," press the enter key, and watch magic happen. We've tested this on two G1s, both with RC29 firmware, and have gotten this to consistently work on one of the two, so your mileage may vary -- but either way, this needed to get patched on the double. Fortunately, Google's been quick about it, rolling a fix into the RC30 build that's being rapidly pushed to users as we speak, but man... how did that get through?

  • iPod touch firmware, Bonjour for Windows close security holes

    by Michael Rose
    09.09.2008

    It's not all new features and delight behind the scenes with the now-shipping iPod touch 2.1 firmware -- among the updates and changes are five patches to address security issues with the device. Frameworks that have been tweaked include the Application Sandbox, CoreGraphics, the mDNSResponder, Networking, and WebKit. The mDNS fix tackles the Dan Kaminsky DNS vulnerability that sparked controversy over the pace of Apple's patch releases... yet more proof that the iPod touch is a teensy little computer, with all the risks and challenges thereto. You can review the security notes for the update at Apple's security site, and of course you can download the update through iTunes.

    Also updated for security purposes today was the Bonjour for Windows package, now at version 1.0.5. This utility, which gives XP and Vista machines access to zero-configuration network resources such as printers or Mac OS X web sharing, now includes a couple of DNS-related patches, including one for the vulnerability noted above. See here for the full details; Bonjour for Windows is downloadable from Apple as well.

  • New exploits target Flash

    by Eliah Hecht
    05.28.2008

    According to reports, a new wave of exploits has appeared taking advantage of a vulnerability in Adobe Flash Player. Allegedly over 200,000 web sites now have redirects to malware, including keyloggers, through embedded Flash. And we all know how evil keyloggers can be. Flash Player 9.0.115.0 appears to be the affected version.

    Adobe quickly responded to the issue, saying that the vulnerability is fixed in 9.0.124.0, the latest version of the player, so to make yourself secure, all you need to do is update your Flash. To check what version you are running, go to this Adobe page. Keeping your software up-to-date is one of the best ways to close security holes; if you're truly paranoid, you could always go the route of adding Flashblock and/or No-Script into your browser. And be sure to keep an eye on our new Azeroth Security Advisor column for more tips on how to keep yourself from being compromised. Once again, to update your Flash and patch this vulnerability go to Adobe's "Get Flash" page.

    Update: It is possible that certain versions of 124 (namely, the standalone version for Linux and the standalone version with debug capabilities for Windows) are also affected by the exploits. At this time it is recommended to disable Flash if you are running those versions.

    Update 2: It is currently believed that all versions of 124 are safe. Nevertheless, caution is generally a good idea.

  • Adobe Reader and Acrobat security updates

    by Steve Sande
    05.08.2008

    Danger, Will Robinson! Adobe is warning that "critical vulnerabilities" have been found in Adobe Reader and Acrobat 8.1.1 and earlier. They are recommending that Acrobat 8 and Adobe Reader users install the 8.1.2 update as soon as possible. Those who are using Acrobat 7 are advised to install the 7.1.0 update quickly as well. A full summary of the security concerns and links to the update files can be yours by visiting the Adobe security update site. Note that while Acrobat & Reader 8.1.2 have been out for some time, the 7.1 update is fresh this week and the security issue is newly disclosed. [via Macintouch]

  • Major security vulnerability discovered for PlayStation Network, lock up your PS3s

    by Ryan Block
    03.27.2008

    Details are still sparse (and primarily in Japanese), but our Tokyo bureau just let us know that Sony's announced a fairly severe security vulnerability on the PlayStation Network, which would actually allow an attacker to access your account, personal information, and Wallet -- but not your credit card on file -- as well as change your password. Damn. More on this as it develops; in the mean time, keep a close eye on that account.

    Update: More information is on the US PS3 site. Apparently the issue has been resolved and "security is restored." Thanks, luckydude76.

  • Security exploit bricks HP and Compaq laptops

    by Nilay Patel
    12.21.2007

    A Polish security researcher calling himself porkythepig is apparently gunning hard for HP this month, first exposing a slew of vulnerabilities that affected 83 different HP and Compaq models ten days ago, and today releasing an exploit that allows an attacker to brick any HP or Compaq laptop. The 'sploit takes advantage of a vulnerable ActiveX control in HP's Software Update, allowing a hacker to easily corrupt Windows kernel files, or even take control of the machine with a little more effort. Porkythepig says the bug affects HP and Compaq laptops running Windows 2000, XP, Server 2003 and Vista, and that simply disabling the Software Update mechanism may not prevent attackers from taking advantage of the vulnerability. Even still, those of you out there running HP / Compaq machines may want to take a second to shut down Software Update until HP issues a patch.

    Update: Wow, we didn't realize how seriously everyone took their slang. For what it's worth, the definition of "bricked" has caused some amusingly serious discussion amongst Engadget editors today, and most agree that it should mean "dead beyond all repair" -- except for Nilay, who keeps stubbornly saying that people "un-brick" devices all the time. We'll stick to the most common definition for now, so no, this exploit didn't "brick" anything. [Via Slashdot]

  • OS X worm saga turns it up a notch with death threats

    by Joshua Topolsky
    07.23.2007

    If you can keep track of the bad TV movie / high school drama that the OS X worm saga has become, hats off to you. In the latest round of confusing doublespeak from the underbelly of the security world, a few key players are (possibly) taking turns swapping identities -- and trading death threats. In the latest installment, Jon Ramsey is Infosec Sellout, David Maynor is LMH, anonymous commenters are promising to "put a bullet in your head for this!" and a spooky legion of "black hat" hackers known as the "Phrack High Council" (or PHC) are doing their best Freemasons impersonation. Now, with the Infosec site deletions, and Dave Maynor's supposed self-outing, calls being issued for the worm to be proven in the wild are increasingly mixed with the literal cries of bloody murder -- all over what can best be described as the lamest hoax for the biggest nerds in internet history. Check out the Computerworld article for some... insight?

    Update: As noted by a few commenters, David Maynor is now claiming on his blog that he isn't LMH, and that the admission "from" him had been faked. Of course, in this subterfuge-filled war of words, we'll take it with a grain of salt. [Via Slashdot]

  • Safari exploit gives hackers full control over iPhones and possibly PCs and Macs

    by Thomas Ricker
    07.23.2007

    Oops, researchers just unveiled a pretty serious security vulnerability in the iPhone. More specifically, it's Apple's Safari web browser which exhibits the vulnerability. Researchers at Independent Security Evaluators have used the vulnerability to take malicious control of the iPhone from rogue websites loaded with the exploit. Once in, researchers have full administrative access over the phone allowing them to listen in on room audio or snatch the SMS log, address book, call history, email passwords and more -- we're talking full access to your phone. Researchers note that the only way to stay safe is to check those URLs and only visit sites that you trust (which isn't very reassuring) and that it "may or may not be exploitable" from Mac and PC versions of Safari -- the same vulnerability exists, only they haven't written the proof-of-concept exploit to test it yet. Apple has been notified of the vulnerability and a proposed fix, with full public disclosure coming at the BlackHat conference on August 2nd. You listening InfoSec Sellout? That's how you report a bug. Check the exploit in video form after the break. [Via MacRumors]

  • Alleged OS X worm creator disappears

    by Mike Schramm
    07.19.2007

    I'm not sure if you've been following the story of "Infosec Sellout" (it's a tough one to follow), but apparently the anonymous Mac hacker has given up blogging about OS X security -- his blog has been deleted and renamed on Blogspot. Just recently, he made headlines by claiming that he'd developed a worm for OS X called "Rape.osx," that hit a known vulnerability in the OS X mDNSResponder, an open source Internet protocol used by Apple. But apparently Infosec Sellout didn't think Apple responded appropriately to his warning (and/or his site was hacked itself), and he's gone quiet.

    Robert McMillian of the IDG news service has had contact with Infosec Sellout in the past, and heard from the hacker in an email that "it was a great experiment to see how the industry could handle some honesty, which they can't. They are quick to attack the credibility of others in order to hide their own flaws." From that comment, it sounds like Infosec thinks Apple is somehow claiming to be impenetrable, but as other security analysts say, that's far from true. Still another story is that Infosec's identity was close to being found out, and he quit because of that. Apparently Infosec says that the identity discovery was a factor, but not because he didn't want to be found out, just because he didn't want his employer to be approached by "crybabies."

    Strange story indeed. Unfortunately Infosec still hasn't revealed the hack, and says he won't reveal it to Apple until testing is completed.

  • New OS X vulnerability found: worm released in lab?

    by Thomas Ricker
    07.18.2007

    Look, we're fine with Apple gloating about the security of OS X in their Mac vs. PC adverts. After all, we have yet to see a large-scale worm released into the Macintosh community. However, the fact that a worm hasn't been released on a Windows-esque scale likely has less to do with Apple's superior coding than the size of their market share, i.e., OS X is a smaller target. That might soon change, however. A vulnerability has reportedly been found and more importantly, exploited by an "independent researcher" known only as "InfoSec Sellout." Apparently, a previously undisclosed vulnerability in the OS X mDNSResponder (which Apple has patched before) allowed Sir Sellout to cobble together a worm dubbed "Rape.osx." InfoSec Sellout claims to have released the worm into a controlled environment thereby infecting a network of about 1,500 OS X systems by nabbing root and dumping a text file as an evidentiary foot print. However, the worm's author claims that it can be broadly weaponised with a payload of choice across both PPC and Intel-class Macs with just a bit more work. InfoSec Sellout will disclose the vulnerability to Apple only after his/her "research is complete" and after an appropriate level of compensation (er, InfoSec Ransom?) received. Dubious as that sounds, for better or worse, it's the way the game's currently played. [Via Slashdot]

  • Microsoft's sneaky Xbox 360 "update"

    by John Bardinelli
    03.06.2007

    In an underhanded move -- some would say, without honor -- Microsoft has covertly patched a security vulnerability in Xbox 360 that allowed hackers to run their own software. Disguised as an "operating system update," the patch seals off the console's non-privileged memory areas, which hackers are using to do such depraved things as write "Hello World" and try to run Linux. The update will be included with all games released after February 20 and is available to download via Xbox Live or the Xbox website (burnable onto CD or DVD). You best grab it before the uncontrollable urge to indulge in naughty hackery takes hold.

    Next time, Microsoft, tell us what we're downloading instead of slipping us a patch in an update's clothing. We're on to your shenanigans... [Via Engadget]

  • Infamous MacBook WiFi hack demonstrated, dubious code to go public

    by Darren Murph
    03.02.2007

    This on-again / off-again storyline surrounding the infamous MacBook WiFi hack has us all in a bit of a whirlwind, but it looks like the responsible party is finally coming clean. David Maynor, who is now the CTO at Errata Security, broke the silence regarding the questionable WiFi vulnerability that he claimed existed in Apple's MacBook by actually demonstrating his findings in front of the crowds at the Black Hat DC event. The meddlesome duo elicited all sorts of backlash from Apple after the story surfaced, and a showing at the ToorCon hacker convention in San Diego was actually axed after Cupertino threatened to sue Maynor's now-former employer, SecureWorks. Yesterday, however, Maynor streamed rogue code from a Toshiba laptop while his MacBook (running OS X 10.4.6) scanned for wireless networks; sure enough, the laptop crashed, and he insinuated that the code could actually be used to do far worse things, such as control functions of the computer -- but interestingly enough, it wasn't noted whether the MacBook's WiFi adapter was Apple's own or of the third-party variety. The angst still felt by Maynor primarily stems from Apple's outright denial of his claims, only to provide an elusive patch that fixed the issue in OS X 10.4.8, essentially making its operating system more secure without giving David his due credit. Mr. Maynor also said that he would no longer attempt to work with Apple and wouldn't report any further findings to them, and while most Macs have certainly done their duty and upgraded to the latest version of OS X, users can reportedly expect a public release of the rogue code to hit the web soon.

  • Unofficial patch for Treo vulnerability loosed

    by Darren Murph
    02.18.2007

    If you've been a bit paranoid of late after hearing that a blatant security hole was found in the now-deceased Palm OS, help has unofficially arrived. Reportedly discovered by Symantec, the vulnerability entailed a hole that allowed the operating system's Find functionality to be accessed even when the device was set to Locked, allowing ill-willed hackers to sift through text message history, calendar entries, tasks, etc. The hole had been confirmed on the Treo 650, 680, and 700p, but now users of the handsets can rest a bit easier after applying this patch. As expected, the update simply disables the Find feature, which essentially closes off the last remaining security loophole and protects prying eyes from seeing that backlog of steamy Valentine's Day texts. So if you're looking to unofficially patch things up with your Palm, be sure to hit the read link and get that install completed, but we're not the ones to come crying to if something goes awry. [Via PalmInfoCenter]