Tuesday, November 25, 2014

Yet Another November Critical
Adobe Flash Patch

--

Today, Adobe updated Flash to version 15.0.0.239. It is a critical second patch for CVE-2014-8439, involving bad memory management code. Adobe's Security Bulletin is available here:

http://helpx.adobe.com/security/products/flash-player/apsb14-26.html

These updates provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution (CVE-2014-8439). A mitigation was previously introduced for this issue in the October 14, 2014 release.

The update is available here:

http://get.adobe.com/flashplayer/


--


Monday, November 17, 2014

Security Patches: OS X 10.10.1, iOS 8.1.1
& Apple TV 7.0.2

--
Intro: I get all conflicted about what to do when ordinary old security updates are released. I don't want to write a diatribe. But I should highlight their release. So I decided to just announce them as they show up, without munificent exposition or graphical profundity (unless I feel like it).

Today Apple released software updates with the following security patches:


OS X 10.10.1 Yosemite: 

APPLE-SA-2014-11-17-2 OS X Yosemite 10.10.1

OS X 10.10.1 is now available and addresses the following:

CFNetwork
Available for:  OS X Yosemite v10.10
Impact:  Website cache may not be fully cleared after leaving private browsing
Description:  A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior. 
CVE-ID
CVE-2014-4460

Spotlight
Available for:  OS X Yosemite v10.10
Impact:  Unnecessary information is included as part of the initial connection between Spotlight or Safari and the Spotlight Suggestions servers
Description:  The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user's approximate location before a user entered a query. This issue was addressed by removing this information from the initial connection and only sending the user's approximate location as part of queries. 
CVE-ID
CVE-2014-4453 : Ashkan Soltani

System Profiler About This Mac
Available for:  OS X Yosemite v10.10
Impact:  Unnecessary information is included as part of a connection to Apple to determine the system model
Description:  The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies. This issue was addressed by removing cookies from the connection.
CVE-ID
CVE-2014-4458 : Landon Fuller of Plausible Labs

WebKit
Available for:  OS X Yosemite v10.10
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  A use after free issue existed in the handling of page objects. This issue was addressed through improved memory management.
CVE-ID
CVE-2014-4459

iOS 8.1.1: 

APPLE-SA-2014-11-17-1 iOS 8.1.1
iOS 8.1.1 is now available and addresses the following:

CFNetwork
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Website cache may not be fully cleared after leaving private browsing
Description:  A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior. 
CVE-ID
CVE-2014-4460

dyld
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute unsigned code
Description:  A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed through improved validation of segment sizes.
CVE-ID
CVE-2014-4455 : @PanguTeam

Kernel
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. This issue was addressed through relocation of the metadata. 
CVE-ID
CVE-2014-4461 : @PanguTeam

Lock Screen
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker in possession of a device may exceed the maximum number of failed passcode attempts
Description:  In some circumstances, the failed passcode attempt limit was not enforced. This issue was addressed through additional enforcement of this limit.
CVE-ID
CVE-2014-4451 : Stuart Ryan of University of Technology, Sydney

Lock Screen
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the phone may be able to access photos in the Photo Library
Description:  The Leave a Message option in FaceTime may have allowed viewing and sending photos from the device. This issue was addressed through improved state management.
CVE-ID
CVE-2014-4463

Sandbox Profiles
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to launch arbitrary binaries on a trusted device
Description:  A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. This was addressed by changes to debugserver's sandbox.
CVE-ID
CVE-2014-4457 : @PanguTeam

Spotlight
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Unnecessary information is included as part of the initial connection between Spotlight or Safari and the Spotlight Suggestions servers
Description:  The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user's approximate location before a user entered a query. This issue was addressed by removing this information from the initial connection and only sending the user's approximate location as part of queries.
CVE-ID
CVE-2014-4453 : Ashkan Soltani

WebKit
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2014-4452
CVE-2014-4462

Apple TV 7.0.2:

APPLE-SA-2014-11-17-3 Apple TV 7.0.2

Apple TV 7.0.2 is now available and addresses the following:

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  An attacker with a privileged network position may cause an unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2014-4452
CVE-2014-4462

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  A local user may be able to execute unsigned code
Description:  A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed through improved validation of segment sizes.
CVE-ID
CVE-2014-4455 : @PanguTeam

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. This issue was addressed through relocation of the metadata.
CVE-ID
CVE-2014-4461 : @PanguTeam
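The dyld entries above for iOS 8.1.1 and Apple TV 7.0.2 (CVE-2014-4455) describe the fix as improved validation of segment sizes in Mach-O files with overlapping segments. As an added illustration of what such a check looks like (this is not Apple's code or the actual dyld logic), the Python below walks a Mach-O image's segment load commands and reports any pair whose file or virtual-memory ranges overlap; `build_image` constructs a synthetic header so the check can be run offline on made-up layouts.

```python
import struct
# Mach-O constants from <mach-o/loader.h>
MH_MAGIC_64, MH_MAGIC = 0xFEEDFACF, 0xFEEDFACE
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19


def parse_segments(data):
    """Walk the load commands of a little-endian Mach-O image and return
    (segname, vmaddr, vmsize, fileoff, filesize) for each segment command."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        off = 32                       # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        off = 28                       # sizeof(mach_header)
    else:
        raise ValueError("not a little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = off + sizeofcmds
    segments = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command runs past sizeofcmds")
        fmt = {LC_SEGMENT_64: "<16sQQQQ", LC_SEGMENT: "<16sIIII"}.get(cmd)
        if fmt:
            name, *ranges = struct.unpack_from(fmt, data, off + 8)
            segments.append((name.rstrip(b"\0").decode(), *ranges))
        off += cmdsize
    return segments


def overlapping_segments(segments):
    """Return (name_a, name_b) for each pair whose file ranges or VM ranges
    overlap. Zero-length ranges (e.g. __PAGEZERO's filesize) never overlap."""
    def overlap(a0, alen, b0, blen):
        return alen > 0 and blen > 0 and a0 < b0 + blen and b0 < a0 + alen
    bad = []
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if overlap(a[3], a[4], b[3], b[4]) or overlap(a[1], a[2], b[1], b[2]):
                bad.append((a[0], b[0]))
    return bad


def build_image(segs):
    """Construct (for testing only) a minimal 64-bit Mach-O header followed by
    one LC_SEGMENT_64 command per (name, vmaddr, vmsize, fileoff, filesize)."""
    cmds = b"".join(struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, n.encode(),
                                va, vs, fo, fs, 7, 5, 0, 0) for n, va, vs, fo, fs in segs)
    # magic, cputype x86_64, cpusubtype, filetype MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, len(segs), len(cmds), 0, 0) + cmds
```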

Security documents for all Apple security patches can be found (eventually) at:


https://support.apple.com/kb/HT1222


[Happy news! Apple has revamped the Apple Security Updates page. Hopefully, this means they will be taking it more seriously in the future. That would be a good thing.]




--

Tuesday, November 11, 2014

Another MASSIVE CRITICAL
Adobe Flash / AIR Security Patch
Plus Shockwave Patch!

--

Today ('Patch Tuesday') Adobe pushed out a MASSIVE security patch for Adobe Flash (v15.0.0.223) and AIR (v15.0.0.356). They also pushed out an update to Adobe Shockwave (v12.1.4.154). Whether the Shockwave update includes an update to its outdated Flash support remains unknown. We can wish.

Here is Adobe's Security Bulletin:


http://helpx.adobe.com/security/products/flash-player/apsb14-24.html


The 18 CVEs patched:


CVE-2014-0573
CVE-2014-0574
CVE-2014-0576
CVE-2014-0577
CVE-2014-0581
CVE-2014-0582
CVE-2014-0583
CVE-2014-0584
CVE-2014-0585
CVE-2014-0586
CVE-2014-0588
CVE-2014-0589
CVE-2014-0590
CVE-2014-8437
CVE-2014-8438
CVE-2014-8440
CVE-2014-8441
CVE-2014-8442

Adobe's summary:
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440, CVE-2014-8441). 
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438). 
These updates resolve a double free vulnerability that could lead to code execution (CVE-2014-0574). 
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, CVE-2014-0590). 
These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2014-0582, CVE-2014-0589).
These updates resolve an information disclosure vulnerability that could be exploited to disclose session tokens (CVE-2014-8437).
These updates resolve a heap buffer overflow vulnerability that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-0583). 
These updates resolve a permission issue that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-8442).

Where to grab the updates:

https://get.adobe.com/flashplayer/

https://get.adobe.com/air/
https://get.adobe.com/shockwave/

Needless to say: 
Adobe freeware is some of the most DANGEROUS software you can install on your Mac. Just say NO unless you really need it. If you do need it, be glad that Apple has built into recent versions of OS X a requirement that you update it to the latest version. But to be extra safe, use a browser extension that keeps Flash and Shockwave content OFF until you personally approve it to run.

I am so sick of Adobe's security FAIL.
:-Q*****




--

Thursday, November 6, 2014

Wirelurker Malware's Butt Gets Kicked Good!
(Free Detection Script!)

--

Early this AM the net waves were abuzz about a discovery made by Palo Alto Networks. It's OS X malware named Wirelurker (aka 'MacHook') that is capable of cross-infecting both jailbroken AND non-jailbroken iOS devices. That's a new species of malware for the Apple community. 

Topher Kessler and Thomas Reed have excellent coverage of the Wirelurker malware at their websites:

New WireLurker malware infects Mac OS X and iOS

Apple responds to 'Wirelurker' threat, revokes developer certificates

What's great is how Apple responded and stomped this thing dead in less than 24 hours!

Free Wirelurker Detection

Palo Alto Networks has provided a FREE detection script that runs in the Terminal HERE.

If you're not used to working in the Terminal, please do not attempt this script. If you ARE used to working in the Terminal, this is dirt easy. Be sure to read the README first, follow the instructions and it starts cooking, seeking Wirelurker. It will likely take a few minutes as it searches through all your applications for infection. If you've got the bug, follow the result instructions.

The Moral Of The Story

There are two olde lessons to learn from Wirelurker:

1) Don't Install Warez
If the software you're downloading and installing has been compromised, you'll be compromised too. Welcome to infection. You've been Trojaned.

2) Don't Jailbreak Your iOS Gear!
Thanks to Apple's rapid response, all non-jailbroken iOS gear can no longer be infected with Wirelurker. HOWEVER, all jailbroken iOS gear is still susceptible to Wirelurker, as well as the handful of other jailbroken iOS malware out in-the-wild. If you care about the security of your iOS gear, you care not for jailbreaking software.

[UPDATE!] Here is a HIGHER VOLTAGE discussion of Wirelurker from Jonathan Zdziarski, for those interested. (Italics mine):

What You Need to Know About WireLurker
It would greatly behoove Apple to address this situation with more than a certificate revocation; I’m not scared of WireLurker, but I am concerned that this technique could be weaponized in the future, and be a viable means of attack on public and private sector machines. It could easily be attached to any software download in-transit across non-encrypted HTTP, such as an Adobe Flash download or other software download. Social engineering would also help to make juicy targets out of people likely to click on links from IT departments or install software on their Mac. There are a number of potentially more dangerous uses for WireLurker, and unfortunately many of them will go unnoticed by Apple in time to revoke a certificate. It would be a much better solution to address the underlying design issues that make this possible.



--