Wednesday, August 25, 2010

Adobe 'Out Of Band' CRITICAL Update Parade:
Shockwave Player v11.5.8.612

--
Adobe continues their parade of CRITICAL security updates with Shockwave Player v11.5.8.612. Thankfully, you only have to make one click on one page to download it. (Someone over there is getting the clue). And get this! (Don't go into shock!) It's 64-bit! Here is the download page link:

Shockwave Player v11.5.8.612

You can read about the security patches HERE.

To quote Adobe:
The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
My quick summary:

There are 20 security patches.

-> 16 patches are for memory corruption vulnerabilities (aka buffer overflow bugs).

-> 2 patches are for DOS (denial of service) attack issues.

-> 1 patch is for a pointer offset vulnerability.

-> 1 patch is for an integer overflow vulnerability (aka buffer...).

The update is for both Mac and Windows versions. Adobe don't note any in-the-wild exploits at this point. But as per usual, keep up to date with App and OS security patches!
--

Tuesday, August 24, 2010

Apple Security Update 2010-005

--
Apple have released FOUR versions of Security Update 2010-005. The versions are linked below:

Mac OS X Snow Leopard Client - 80.63 MB

Mac OS X Snow Leopard Server - 136.86 MB

Mac OS X Leopard Client - 211.88 MB

Mac OS X Leopard Server - 418.92 MB

The general downloads page can be found HERE.

You can read about the security patches HERE.

My quick summary:

There are 8 security patches.

-> 2 PHP patches: One patches a buffer overflow vulnerability regarding maliciously crafted PNG image files. The other updates PHP to version v5.3.2, which itself provides a variety of security patches to such things as further buffer overflow vulnerabilities.

-> 1 Samba patch: A buffer overflow...

-> 1 Apple Type Services (ATS) patch: A vulnerability to maliciously crafted embedded fonts due to a buffer overflow...

-> 1 CFNetwork patch: Prevents a man-in-the-middle attack that could redirect network connections and intercept a user's sensitive information such as their user credentials.

-> 1 ClamAV patch: Updates the versions of ClamAV in Mac OS X Server 10.5 and 10.6 to version 0.96.1, solving multiple vulnerabilities.

-> 1 CoreGraphics patch: A heap buffer overflow due to maliciously crafted PDF files. (Presumably this is related to a similar problem in iOS v4.0).

-> 1 libsecurity patch: Improves the handling of certificate host names, preventing a website impersonation attack.
--

Thursday, August 19, 2010

Adobe 'Out Of Band' CRITICAL Updates Parade:
Acrobat and Reader v9.3.4

--
And the parade marches on. At last we have the latest in CRITICAL Adobe security hole updates. This time the updates are for Adobe Acrobat and Adobe Reader. GET THEM NOW!

Because the process of getting to actual download links at the Adobe site is a huge PITA, here are direct URLs for English Intel Mac users. Send me virtual luv:

Acrobat Reader v9.3.4 update

Adobe Acrobat 9.3.4 Pro update

The general update page for all other users and versions is HERE.

What's so CRITICAL? The update's security bulletin is HERE.

To quote Adobe:

These updates address CVE-2010-2862, which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. They also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-16.
My summary:

1) The updates patch memory corruption vulnerabilities that could lead to hacked code execution on your Mac and/or program crashes. IOW its more of the same old buffer overflow problem that plagues current computer coding in general. (As found in CVE-2010-2862).

Quoting from the CVE:

Integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, allows remote attackers to execute arbitrary code via a TrueType font with a large maxCompositePoints value in a Maximum Profile (maxp) table.

2) They solve a social engineering attack security hole via PDF files that could lead to hacked code execution on your Mac. (As found in CVE-2010-1240).

Quoting from the CVE:

Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.
~~~~~~~~~~

BTW: Looking up CVE reports is easy, if snooze inducing. Just go to the National Vulnerability Database site (at the National Institute of Standards and Technology) and search on the CVE number. Here is the URL to get you started:

National Vulnerability Database (NVD) Search Vulnerabilities

And now for a rant:

If you're wondering why these simple and specific CVE searches take a long time (zzzzz) to resolve, it's the decrepit US government. It's Microsoft Windows. It's ancient old PCs the government is too cheap to replace, cranking away on stuff that takes any modern Mac a microsecond. (But of course, the government did manage to fund the infamous 'Bridge To Nowhere' in Alaska, hardy har har, porky pork, oinky oink, so long Ted Stevens you parasite).

I was once offered a job at the Department of Wildlife. I took one look at their computers and wondered what would be the appropriate response: Running away screaming OR sauntering out laughing?

In any case, if you've ever wondered why it's so incredibly easy for The Red Hacker Alliance in Red China and other such scum to hack into US government computers, look no further for your answer. Much as I hated the Bush League, much as I'd like to support the Obama Era, this stupid state of affairs continues. Note the fact that the Obama Administration hired ex-Microsoft executives and coders to help them solve their computer security crisis. That's right! They hired the CAUSE of the problem to SOLVE the problem.
(o_0)

Hmm. What would be the appropriate response? I'll leave it to you to decide.

CUL8R!
Stay safe.
Stay secure.
Don't touch my cookies.

;-Derek
--

Friday, August 13, 2010

Adobe Flash, AIR, PDF, Acrobat and Reader:
Security Statistics Sources

--
Earlier today, I was helping out a reader at MacDailyNews.com who had the following question:
'BSOD' asks: "Does anyone have statistics on exactly how many security holes have been opened up by Flash, Air, and PDF? I think that we need to see that stat."
My answer is of general interest. Therefore, I am posting it here for your reading pleasure:
You can dig around at the CVE site for each of them. CVE stands for Common Vulnerabilities and Exposures. It keeps track of each reported software security problem:

http://cve.mitre.org/

Wikipedia.org also covers each of them and gives a general description of their security:

Adobe Flash: "As of May 17, 2010, The Flash Player has 77 CVE entries, 34 of which have been ranked with a high severity (leading to arbitrary code execution), and 40 ranked medium."

Adobe PDF: "On March 30, 2010 security researcher Didier Stevens reported an "exploit" that causes an arbitrary executable to be run when a PDF file is opened, after the user accepts a warning prompt. The exploit works in several different PDF viewers including Adobe Reader and Foxit Reader."

And, earlier this year Adobe were embarrassed into creating the Adobe Product Security Incident Response Tearm (PSIRT). You can keep up with their blog here:

http://blogs.adobe.com/psirt/

Adobe maintain their Security Bulletins and Advisories page, going back to 2005, here:

http://www.adobe.com/support/security/

• There are approximately 88 Adobe Flash security bulletins.
• There are 6 Adobe PDF security bulletins.
• There are over 100 Adobe Acrobat security bulletins.
• There are over 100 Adobe Reader security bulletins.
• The only Adobe AIR related bulletin is the Adobe Flash bulletin from June 10, 2010.

Thursday, August 12, 2010

Update:
Secunia Half Year Report 2010
& QuickTime Hell

--
In a previous article, entitled "Desperate Propaganda..." I had a rant-fest regarding a PC World FUD-fest regarding Apple security. The author, Preston Gralla, managed to spew out this line of deceit:

:-Q****** "The security company Secunia reports that Apple products have more vulnerabilities than those of any other company."

This was clearly taken as a hit at all Apple products. What was missing was any reference to the context of the source Secunia report, which you can read HERE. I knew better, having been an avid Secunia reader since 2005. In fact, the only Apple products noted in the report were QuickTime and iTunes on Microsoft Windows. Secunia didn't cover any other Apple products.

When I read through the entire Secunia Report I found nothing of relevance to Mac OS X except the fact that the Apple apps discussed are prone to the same problems on Mac OS X as well as Windows.

QuickTime Hell

In previous articles I've covered the major problems with QuickTime, the biggest culprit of Apple security holes. It is used in iTunes, thus making iTunes just as vulnerable. In summary, QuickTime stumbles over malicious ECMAScript (aka 'JavaScript') and coding errors that allow malicious buffer overflows.

Supposedly Apple has been overhauling QuickTime. The first peak at it has been QuickTime Player X. But as far as any user can tell, the QuickTime X project is stalled at version 1.0.0. What we have on Snow Leopard is entirely inadequate, incomplete and buggy. Serious QuickTime users are required to also install QuickTime version 7, the current version of which is 7.6.6.

Hopefully Apple will get back to work on revising QuickTime now that iOS 4 has been completed and released.
--

Wednesday, August 11, 2010

To: 'hip'
Re: iMac_Sux.dmg

--
Recently a reader nicked as 'hip' sent me the URL to an evil crapware file entitled 'iMac_Sux.dmg'. Here is his full message with the exclusion of the URL for downloading the file:
Wanna crash an iMac?
Just mount this .dmg file, then have a look at what MassStorageCamera is doing.
It will be consuming all RAM and processors!!
I am not providing the URL in order to avoid being accused of distributing the thing.

Thank you 'hip'! I checked out the website where the file is located and enjoyed it. I particularly enjoyed the page quotations from The Hipcrime Vocab by Chad C. Mulligan. The insights are refreshing after living amidst the Neo-Con-Job / Tea Party / FuxNews / News Corp / Rupert Murdock Regime gibberish age within the USA where intelligent thoughts and verifiable facts are out of fashion.

I ran the .dmg and it did exactly as expected, without crashing my MacBook 2 GHz from 2006-11. It also auto-opened the 'CameraWindow' application that I installed for my Canon camera. I checked through the code within the .dmg and am going to 'guestimate' that the resource scripting near the end is instructing Mac OS X to treat the entire boot volume as a camera image volume. I was too bizy and lazy to dig further.

Clearly this is a very simple call being made within the .dmg that fools Mac OS X into thinking the opening .dmg volume is a camera. Fascinating. The fault of course is in MassStorageCamera for being allowed to eat your Mac alive. As I've pointed out previously, even Intego's VirusBarrier application has race condition bugs.

My POV: I've studied coding as well as code project management. Coding these days is typically for applications, etc., that are so vast that no single human being can comprehend them. The result is coding-by-committee which in and of itself is a guaranteed mess. There is also the eternal pressure of 'Do Less With Less' from clueless biznizz management and nagging clients, none of whom comprehend the escalating difficulties of coding. Then there is the basic crappiness of the archaic coding languages we still use these days. Anything based on 'C' coding is going to have plenty of problems if only from buffer overflows, the single largest coding plague of our day. We're also stuck with ECMAScript for Internet scripting (which incorporates LiveScript/JavaScript, the JScript abomination from Microsoft and the ActiveScript mess from Adobe). Java continues to FAIL to live up to the hype, causing its own security and memory problems. Then there are the eternal security holes in PHP and SMB on and on.

I'm not at all surprised that Apple missed the bug inherent in the 'iMac_Sux.dmg' file. I can easily see them being aware of it and tossing it on the back burner if only because it does not represent a security or major crashing problem. Similar CPU and RAM devouring buggy code has been around for many years. What sucks most is when system calls can crash the entire computer. Not having an iMac around to play with, I can't verify that this file crashes the machine. But I am going to guess that with current Intel iMacs it does not.

Dr. Charlie Miller and Dino Dai Zovi have the current best Mac hacking & cracking & pwning etc. book available for Mac OS X entitled 'The Mac Hacker's Handbook'. Both of them have Twitter accounts to follow. Both are very amusing to read. Dr. Miller is brilliant at coming up with methods for testing and breaking into Mac OS X. This past spring he won yet another Pwn2Own contest. He gave a presentation at Black Hat this last week where, among other things, he revealed yet-another security hole in Adobe Acrobat and Reader.

Here is a fun interview with Dr. Miller from March:

http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/

CONCLUSION: Expect security holes. Expect coding errors. There is no such thing as a perfect coder. There is no such thing as a perfect application or operating system.

I'll also add my usual coda: The only people I've ever heard or read saying that 'Macs never have security problems' are either NEWBIES or TROLLS. One of course never takes seriously the word of either of these species of human. It is well worth keeping track of Mac security. It is also well worth sorting out Mac security FUD from FACT.

BTW: Considering all of the above, what are the chances that humans will ever create Turing Test verifiable Artificial Intelligence? Not in my lifetime! No SkyNet worries.
;-D
--

New CRITICAL Adobe Flash Player v10.1.82.76
& Adobe Air v2.0.3 Updates

--
Today Adobe updated Flash Player to version 10.1.82.76 and Adobe Air to version 2.0.3. The updates patch 6 CRITICAL security holes. Here are the security patch details:
Critical vulnerabilities have been identified in Adobe Flash Player version 10.1.53.64 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0209).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2188).

This update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-2213).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2214).

This update resolves a vulnerability that could lead to a click-jacking attack. (CVE-2010-2215).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2216).

Adobe recommends users of Adobe Flash Player 10.1.53.64 and earlier versions update to Adobe Flash Player 10.1.82.76. Adobe recommends users of Adobe AIR 2.0.2.12610 and earlier versions update to Adobe AIR 2.0.3.
The download links are provided on Adobe's Security Bulletin page HERE.

Lately, Adobe's Flash Player has been considered the most dangerous application for Mac OS X from a security point of view. It is important to keep track of ALL Adobe updates at this point in time. We are still waiting for NEW updates to Adobe Acrobat and Adobe Reader that patch security holes announced last week HERE.
--