Advisory #247 - Yahoo! Widgets, Safari, iPhone, Multiple News

Sûnnet Beskerming Alert List Advisory #246
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Yahoo! Widgets - Remote Hacker Automatic Control - Time Since Discovery - 7 Days
1.2 Safari - Remote Hacker Automatic Control - Time Since Discovery - 5 Days
1.3 iPhone - Remote Hacker Automatic Control - Time Since Discovery - 5 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network, or does it require physical access?
- Hacker - The bad guy.
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Being Prepared is for More Than Just the Scouts
2.2 How has the iPhone Update Affected Research into the Device?
2.3 Worm Threat Forces Apple to Disable Software?
2.4 Beneficial Worm or Digital Menace?
2.5 Firewall Vendor Steps up After BlackICE Discontinued
=====================================

1. SECURITY

1.1 Yahoo! Widgets - Remote hacker automatic control

-- Products Affected --
Yahoo! Widgets 4.0.3 and prior.

-- Technical Description --
Boundary error in the YDPCTL.dll ActiveX control leading to a stack buffer overflow and execution of arbitrary code.

-- Description --
The ActiveX control used by Yahoo! Widgets has been found to be vulnerable to a memory error that can allow a remote attacker to take control over a vulnerable system. As this vulnerability affects the ActiveX control used by the Yahoo! Widgets / Konfabulator engine, only the Windows version is affected.

-- Recommended Action --
Update to version 4.0.5 of the Yahoo! Widgets / Konfabulator engine to avoid exploitation of this issue. Advanced users can disable the following CLSID for interim protection - 7EC7B6C5-25BD-4586-A641-D2ACBB6629DD

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
            U   O
Home User   7   7 (Very High)
Corporate   7   7 (Very High)

1.2 Safari - Remote hacker automatic control

-- Products Affected --
Safari 3.0

-- Technical Description --
Numerous vulnerabilities addressed, including:
Safari - Adding bookmarks may lead to denial of service or arbitrary code execution due to a stack buffer overflow when long site titles are added to the bookmark list.
WebKit - It is possible to operate Java applets even when Java is disabled. Another issue has also been addressed, where poor IDN support allows for obfuscation of URLs. Poor support for PCRE elements may also lead to arbitrary code execution.

-- Description --
Last week Apple released version 3.0.3 of the Safari 3 Beta Internet browser, addressing a set of vulnerabilities that include issues that can allow a remote attacker to take control over a vulnerable system, prevent legitimate use of the application, or obfuscate website addresses.

-- Recommended Action --
Update to version 3.0.3 via the Software Update application (OS X), or via the download link below.
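Item 1.1 above suggests disabling the YDPCTL.dll control's CLSID as an interim measure. The following is an added example, not code from the advisory, of applying the Internet Explorer kill bit to that CLSID with PowerShell; it assumes the documented Compatibility Flags mechanism (bit 0x400 under the ActiveX Compatibility key) and an elevated session.

```powershell
# Added example, not part of the Sûnnet Beskerming advisory: set the Internet
# Explorer "kill bit" for the YDPCTL.dll control's CLSID (taken from item 1.1)
# so the control cannot be instantiated from a web page while the Yahoo!
# Widgets 4.0.5 update is rolled out. The mechanism is the documented
# Compatibility Flags DWORD (bit 0x400) under the ActiveX Compatibility key;
# running this requires an elevated (administrator) PowerShell session.

$Clsid     = '{7EC7B6C5-25BD-4586-A641-D2ACBB6629DD}'   # CLSID from the advisory
$KillBit   = 0x400                                       # documented kill-bit flag
$ValueName = 'Compatibility Flags'

function Get-ActiveXCompatPath {
    # Registry path for the control, in the native or the 32-bit (WOW64) view.
    param([string]$Clsid, [switch]$Wow64)
    $root = if ($Wow64) { 'HKLM:\SOFTWARE\Wow6432Node' } else { 'HKLM:\SOFTWARE' }
    return Join-Path $root "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatFlags {
    # Current Compatibility Flags value, or 0 if the key or value is absent.
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return 0 }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Test-KillBit {
    # True when the kill bit is already present in the flags.
    param([string]$KeyPath)
    return ((Get-CompatFlags $KeyPath) -band $KillBit) -eq $KillBit
}

function Set-KillBit {
    # OR the kill bit into whatever flags are already set, so any other
    # compatibility flags on the control are preserved.
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $new = (Get-CompatFlags $KeyPath) -bor $KillBit
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $new -Type DWord
}

# Cover both registry views on 64-bit Windows so a 32-bit IE is protected too.
$paths = @(Get-ActiveXCompatPath $Clsid)
if ([Environment]::Is64BitOperatingSystem) { $paths += Get-ActiveXCompatPath $Clsid -Wow64 }

foreach ($path in $paths) {
    if (-not (Test-KillBit $path)) { Set-KillBit $path }
    $state = if (Test-KillBit $path) { 'SET' } else { 'NOT SET' }
    Write-Output ("{0}: kill bit {1}" -f $path, $state)
}
```

The kill bit only blocks instantiation from Internet Explorer and other hosts that honour it; it is a stop-gap until the 4.0.5 update is installed, not a replacement for it.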
-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
            U   O
Home User   9   9 (Critical)
Corporate   9   9 (Critical)

1.3 iPhone - Remote hacker automatic control

-- Products Affected --
iPhone 1.0

-- Technical Description --
Numerous vulnerabilities addressed, including:
Safari - XSS vulnerability due to a race condition in the JavaScript implementation. Another issue, this time heap overflows in PCRE support, can lead to arbitrary code execution.
WebCore - HTTP injection in XMLHttpRequest allowing XSS.
WebKit - Poor IDN support allows for URL obfuscation. An additional issue, this time affecting the handling of framesets, may lead to arbitrary code execution.

-- Description --
Last week Apple released Update 1.0.1 for the iPhone, addressing a number of serious vulnerabilities. Vulnerabilities addressed include issues that would allow for remote control over the iPhone by convincing a victim to view a malicious web page in the iPhone Safari browser, and possible temporary loss of phone functionality. Due to the integration with iTunes, the only way that this update is available is to connect the phone to iTunes and allow its update process to run.

-- Recommended Action --
Update to iPhone 1.0.1 via the iTunes updater.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
            U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Being Prepared is for More Than Just the Scouts

The need for a strong disaster recovery plan is one of the topics that has received previous coverage from Sûnnet Beskerming, and it should be an essential component of any business plan. A recent power outage in San Francisco provides an excellent example of this need, when some of the largest sites on the Internet went dark after the co-lo facility where they were hosted was affected by the outage.

When the San Francisco co-location (co-lo) facility for 365 Main was affected by a San Francisco power outage, sites such as Craigslist, Typepad, Yelp, LiveJournal, Linden Lab, Sun, and Technorati were amongst those that temporarily disappeared from the Internet. Initial reports suggested that someone had physically damaged numerous racks, though this was later corrected to indicate the power outage as the root cause for the shutdown. Embarrassingly for one company, Redenvelope, they were celebrating two years of 100% uptime with their hosting at 365 Main - sending out their press release on the same day that the power went out. Users of the online Second Life environment also found some increased instability with their online world.

Despite having backup generators and power failover management systems in place, 365 Main found that they apparently did not function as advertised. Rather than using traditional battery bank-style Uninterruptible Power Supplies (UPSs), 365 Main used a mechanical flywheel-based stored energy system to provide coverage between when the mains cuts out and when the generators pick up the slack. Flywheels can only provide power for a short period and are a viable solution for avoiding the need to cycle power for the few seconds it takes power management systems to realise there is a problem and start the generators. This particular short power gap is more important to dynamic sites than static sites, where an unexpected short power outage / server reboot can lead to lengthy site downtime as databases, hard drives, and supporting systems fail to recover gracefully.

While geographically remote redundancy is not always something that can be achieved, it is something that is possible and becoming more cost effective with the large number of hosting providers spread across the globe. A load balanced website with multiple failover locations that are based on separate power grids, in separate countries, and even on separate host Operating Systems is well within the reach of most businesses that are paying for external hosting for their websites and other web services. If malware authors and spammers are busy using 'Fast Flux Networks' to remain an elusive target, then the average site owner can apply the same techniques and capabilities to obtain seamless continuity of operations when the unthinkable happens. This might be a fairly simple solution for sites that are relatively static in content terms (i.e. serving static HTML or simply generated PHP / ASP / Perl), but achieving the same with dynamic "Web 2.0" sites isn't that much more difficult. Databases that are primarily read-only can be replicated relatively simply, while databases that are heavily written to require a little bit more effort with replication and co-ordination. It certainly isn't out of the realm of possibility to have proper replication no matter what type of website is being operated.

To make the best of the available opportunities means that you have to be aware that they exist in the first place, and that you are paying the right people to develop and implement the right systems for your site / business. If you or your business aren't sure how you would cope with the sudden loss of availability for a critical business component, perhaps it is time to look at the various options available. Even if you are, perhaps it is time that you tested those processes.

2.2 How has the iPhone Update Affected Research into the Device?

Apple's recent update for the iPhone has had some implications for those who are seeking to dig around inside the system. As reported by the team responsible for the most progress to date (#iphone @ irc.osx86.hu), the iPhone update does have an effect on what has been achieved to this point. It is known that the update will perform a system wipe on modified phones since they fail an integrity check, and that system downgrades (to 1.0) produce some mixed results (even if successful, the phone reports as 1.0.1).

After the update has been applied, the researchers have identified that the previously known activation bypass methods (created by DVD Jon and others) will still work. Other code that was created for version 1.0 still works, such as Jailbreak 1.0 and newer versions of the iPhoneInterface (0.3.3 and later). Restore images and full diff files have also been created to assist those who are looking to poke around inside the system. More third party software has also been compiled and shown to work on the iPhone, with Ruby now available (version 1.8.6) from here. An interesting tool, named Webshell, has also been released which allows command line access to the iPhone through the Safari browser.

Work on one of the remaining stumbling blocks, unlocking the provider's network lock, is progressing steadily. Several different approaches are under consideration at the moment, with the goal of eventually being able to unlock from within the system or get write access to the baseband memory. Gaining write access to this memory will have some interesting results, as it is basically a dedicated sub-system that is part of a multimedia engine called S-Gold2 (created by Infineon) and is used in other phones - sometimes as the primary chip, as is the case with at least one Siemens phone (though using a different firmware). With the chip responsible for providing this support to the iPhone running a dedicated RTOS (Real Time Operating System) called Nucleus, the researchers have had to reverse engineer this system to understand the various options for opening up the baseband components. At this point in time, the researchers have reverse engineered most of the low level functions and they plan to release full documentation on their results once they have unlocked it. This will help future researchers / hackers / interested third parties when encountering S-Gold2 devices in the future.

The release of a generic iPhone exploit at Black Hat is still expected for this Friday afternoon, but it is not certain at this stage whether the core vulnerability that is used to achieve the exploit has been addressed by the iPhone update.

2.3 Worm Threat Forces Apple to Disable Software?

When an online identity (or group of identities) known as InfoSec Sellout made grand claims of a proof of concept worm, dubbed Rape.osx, that targets OS X, it led to a lot of heated argument and drama - including anonymous death threats and an accidental deletion of their blog. While there has still been no external proof of their claims, or appearance of the worm outside of their testing environment, the information that accompanied the original claims pointed to a vulnerability in mDNSResponder as being the underlying vulnerability exploited by Rape.osx. Even though Apple had addressed various vulnerabilities within mDNSResponder in different Security Updates, the claims being made were that Apple had failed to adequately address a set of vulnerabilities - only patching specific attack vectors rather than the underlying problem.

Although InfoSec Sellout has effectively disappeared from the Internet (their blog has been suspended by Google), it appears that the drama and initial disclosure may have forced Apple to disable an OS X system component with their most recent Security Update (Security Update 2007-007). Contained within Apple's knowledgebase article accompanying the release is information about changes to mDNSResponder behaviour following the application of the Update. Seeming to closely follow the information disclosed by InfoSec Sellout, Apple's mDNSResponder update addresses a vulnerability that can be exploited by an attacker on the local network to cause a denial of service or arbitrary code execution. Apple go on to identify that the vulnerability they are addressing exists within the support for UPnP IGD (Universal Plug 'n Play Internet Gateway Device - used in port mapping on NAT gateways) and that an attacker can exploit the vulnerability by simply sending a crafted network packet across the network. The crafted packet triggers a buffer overflow, passing control of the vulnerable system to the attacker.

Rather than patching the vulnerability and retaining the capability, Apple have completely disabled support for UPnP IGD (though there is no information about whether it is only a temporary disablement until the vulnerabilities can be addressed). There has already been some chatter on various mailing lists about this seemingly odd move by Apple, with the responses primarily indicating that observers have found this particular method of addressing a vulnerability to be humorous.

It is interesting to note that Apple have not attributed any external party for the identification and reporting of the vulnerability, and the relevant CVE entry (CVE-ID: CVE-2007-3744) shows only that it is a reserved entry - with no information about who might have registered the CVE ID and no information about what the entry relates to. If the information reported by MITRE is accurate, then it points to the CVE entry being created prior to the public disclosure of the existence of Rape.osx (12 July versus 16 July). This may be coincidental, but it might provide some insight into the spread of information about the vulnerability if the party responsible for creating the ID is disclosed.

2.4 Beneficial Worm or Digital Menace?

Via the team at GNUCitizen comes news of a newly discovered AJAX-based worm that targets WordPress blogs. An independent researcher, beNi, discovered several vulnerabilities that affect the current version of the WordPress blogging platform, ranging from Cross Site Scripting (XSS), including persistent XSS, through to SQL injection and database errors. If combined, the threats would allow a malicious attacker to take over vulnerable blogs. Having been publicly disclosed, these are '0-day' vulnerabilities, with no current patching available.

Well, almost. It seems that not only has beNi found the vulnerabilities, but he has written an AJAX-based worm to patch the issues. Although the initial response from some has been shock that the worm goes ahead and installs the patches silently, it has been pointed out that nothing is done without the administrator's permission - the worm automates the process of patching and updating once the admin allows it to. While it isn't the first beneficial (or attempted beneficial) worm in existence, it is one of the more interesting ones, appearing before any attack code that targets the vulnerabilities being patched. With the worm requiring semi-manual activation, there is little chance that it is going to rapidly spread, and it is most likely going to remain a useful tool for administrators seeking to update and protect their installations. The only risk is that, with the code freely available, it could be modified for malicious purposes to target unpatched blogs.

2.5 Firewall Vendor Steps up After BlackICE Discontinued

After security vendor ISS was purchased by IBM, many thought that their popular software firewall BlackICE would continue as a leading product, especially with the resources of IBM to help sustain development and support of the software. That situation has now changed, with IBM Internet Security Systems announcing that BlackICE PC / Server Protection has now reached End of Sale (EOS), with the End of Life (EOL) for the products to come on September 29, 2008. What this means is that as of September 17, 2007, consumers are no longer able to purchase new copies of the above BlackICE products, and that existing customers will no longer be able to access support for their installed versions after the 29th of September next year.

With the cancellation of these products coming as somewhat of a surprise, at least one firewall vendor has already made a move to provide services to the BlackICE userbase. Florida-based antimalware vendor Sunbelt Software has created an online program at http://www.saveblackice.com/ where current BlackICE users can obtain a free copy of the Sunbelt Personal Firewall product (formerly the Kerio Personal Firewall), along with complimentary support and updates for 12 months. Although no end-date has been identified for this offer, Sunbelt have identified that it is only available for a limited time.

=======================================
Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com