Still using Windows 2000? You are at risk

As Microsoft gradually stops supporting Windows 2000, vendors of other products that run on it also stop supporting it. This is no big deal for those who moved to Windows XP, 2003 or Vista - but it could be a big deal for all those who simply don’t have the computing power to make the switch and want to stick with their working OS.

Microsoft has promised to release security-related patches for Windows 2000 for a while longer, but this will eventually stop - what is more concerning is that Adobe and Apple have already done so quietly and are placing their users at risk.

It has been quite a while now since Adobe [Acrobat Reader] last released an update of its software for Windows 2000, with the claim - you guessed it - unsupported OS, and even longer since Apple [QuickTime] released an update for Windows 2000.

With the emergence of new vulnerabilities in Acrobat Reader and QuickTime, people are not only left behind in the vulnerability-prevention race, they are not even made aware of it - neither program cares enough to give its users adequate warning that they are at risk.

List of issues affecting QuickTime with no apparent fix for Windows 2000:

* QuickTime 7.2 issues, QuickTime 7.3 issues, QuickTime 7.4 issues, QuickTime 7.5 issues - all these probably affect QuickTime 7.1 too


The number of unpatched QuickTime flaws is: two

The number of recent QuickTime PoCs is remarkably large, and active exploitation has begun as well, as many readers know.

However, the QuickTime RTSP vulnerability reported on 23rd Nov is not the only one.

It appears that the WabiSabiLabi team has reported another flaw (they call it a zero-day vuln) in Apple’s QuickTime player too.

This is what their blog post states:

We just want to specify that the vulnerability shown on those POCs IS NOT the one present in our marketplace.

They are pointing to PoCs listed at Milw0rm etc.

And a summary:

The first issue reported by Krystian Kloskowski (aka h07) is CVE-2007-6166 - CVSS score 9.3. For workarounds see US-CERT VU#659761.

The second issue, reported by an unknown person, is CVE-2007-6238 - CVSS score 10.0. Reportedly ‘Affected system: Windows XP’.


Fact of the week: iPhone widgets don’t send the IMEI

I’m sure there are people not aware of the recent state of Apple iPhone IMEI case.
It was reported by UNEASYsilence blog (pointing to the older forum post of Hackint0sh.org) that “Stocks” and “Weather” widgets send the IMEI number to Cupertino.

I.e. like this:

iphone-wu.apple.com/dgw?imei=%@&apptype=finance

The fact is, however, that the string being sent is not the International Mobile Equipment Identity code.

Reference: Docpool.org/iphone/The day after.en.html

What the widget sends is a UUID (Universally Unique Identifier).

Note that an IMEI has 15 characters (and only numbers) while a UUID has 32 characters.
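A small check for what a captured widget request actually carries, as an added example that is not from the original post: it parses the `imei=` parameter from a URL like the one above and tells a 15-digit IMEI (whose last digit is a Luhn check digit) apart from a 32-hex-character UUID, also accepting the hyphenated 36-character UUID form. The sample values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Compact (32 hex) or hyphenated (8-4-4-4-12) UUID forms.
UUID_RE = re.compile(
    r"[0-9a-f]{32}|[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE
)


def luhn_valid(digits: str) -> bool:
    """True if a digit string passes the Luhn checksum used for the IMEI check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_identifier(value: str) -> str:
    """Classify the value found in an imei= parameter."""
    if re.fullmatch(r"[0-9]{15}", value):
        return "imei" if luhn_valid(value) else "imei-like (bad check digit)"
    if UUID_RE.fullmatch(value):
        return "uuid"
    return "other"


def classify_request(url: str) -> str:
    """Extract the imei= parameter from a widget request URL and classify it."""
    values = parse_qs(urlsplit(url).query).get("imei")
    if not values:
        return "no imei parameter"
    return classify_identifier(values[0])


if __name__ == "__main__":
    # Constructed request in the shape of the one quoted above.
    sample = ("http://iphone-wu.apple.com/dgw"
              "?imei=3f2504e04f8911d39a0c0305e82c3301&apptype=finance")
    print(classify_request(sample))            # uuid
    print(classify_identifier("490154203237518"))  # imei (valid Luhn digit)
```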


Mozilla’s JavaScript fuzzer - Opera’s best friend

Window Snyder, the head of security strategy at Mozilla Corporation, wrote this week about how Opera uses Mozilla’s JavaScript fuzzer. Mrs. Snyder points to the post of Claudio Santambrogio from Opera Software:

While running the tool, we found four crashers - one of which might have some security implications.

When will we read news like this from Microsoft and Apple?


iPhone vulnerability video on YouTube

The following “Exploiting the iPhone” video (1:20) has been posted to YouTube to demonstrate the recent MobileSafari vulnerability reported by Independent Security Evaluators.

The technical document is located here [PDF].


New Worm Found In Apples?

A security researcher going by the name of InfoSec Sellout has claimed to have found an undisclosed security vulnerability in mDNSResponder which he claims is remotely exploitable.

At present there is only a proof-of-concept worm that leaves a file on the system to prove that it has been exploited, though apparently modifying the payload is a trivial task. It has currently only been tested on Intel Macs, as the author does not have any PPC hardware at his disposal at present.

As yet, the author has not notified Apple about this one, as he does not want to give incomplete research results, but more importantly he is also waiting for compensation from unnamed sources, so this really is an interesting one.

I’m going to try and set up an interview with the author and see what other info he is willing to disclose.

Here are a few links on this one:

http://www.securityfocus.com/bid/24924

http://infosecsellout.blogspot.com/


Safari 3.0.1 fixes three flaws - what about the others?

The recent Safari update, version 3.0.1, includes fixes for the following issues in the Beta release:

* Protocol Handler issue reported by Thor Larholm, CVE-2007-3186
* DoS-type race condition issue reported by Aviv Raff, CVE-2007-3185
* HTML handling issue reported by David Maynor, CVE-2007-2391

It took only a few days to release a fixed version, but there are many other vulnerabilities reported in Safari 3.0 Beta (for Windows and OS X) too.

The download link for Safari 3.0.1 Public Beta is
www.apple.com/safari/download/


No MS advisories? Apple to the rescue

Apple has released a “megapatch” that plugs 45 different security holes. They range from vulnerabilities in Apple’s image viewing programs, in the kernel and in the MySQL server to vulnerabilities in the AppleTalk network protocol and finally in OpenSSH.

More details can be found here.


Apple fixed four issues of MoAB

Apple has released fixes for four vulnerabilities reported by Month of Apple Bugs (aka MoAB) in January.

The issues are a buffer overflow in Finder when handling volume names, a null pointer dereference in iChat’s Bonjour when handling crafted messages, a format string vulnerability in iChat (related to the AIM URL handler) and the problem of the “UserNotificationCenter process running with elevated privileges in the context of a local user”.

Link to the advisory here:
docs.info.apple.com/article.html?artnum=305102


Apple: We have a fix for MOAB-01-01-2007!

Apple has released a fix for the QuickTime rtsp:// URL Handler Stack-based Buffer Overflow - aka MOAB-01-01-2007.

No other fixes are included in Security Update 2007-001; link here:

docs.info.apple.com/article.html?artnum=304989

As we can see, ‘MOAB-01-01-2007’ was disclosed on 1st Jan as the very first Month of Apple Bugs advisory.

It is worth noting that Windows versions 7.1.3.100 and below are affected too.

Best,
Juha-Matti Laurio


Mac’s iAdware - not blocked by Security Update 2006-007

There have been some erroneous forum discussions claiming that Apple’s Security Update 2006-007, released last week, will block the Mac ad/spyware iAdware (or OSX/Cosmac).

The update - and the Install component - doesn’t prevent iAdware from working.

The PoC was originally listed here:

www.digitalmunition.com/dma.html

-> Advisory #44, “Macrocosm.tar.gz - ‘Macrocosm (detected as OSX.PopUp.gen

KF has posted the answer to Bugtraq list too.


Mac OS X 10.4 Security Checklist

Well, I know that this is a bit of a shameless plug, but I also think that it’ll help out anyone who is tasked with securing OS X in any way or form. I’ve just finished working with a bunch of guys on putting this checklist together for the SANS S.C.O.R.E section on their website, so take a look and I hope it helps someone out. It covers all the basic parts of securing OS X, and is more than sufficient to get a lot of people started, and to end up with a much more secure OS X installation.
http://www.sans.org/score/macosxchecklist.php?

Any comments highly appreciated.


My name is Macarena and I’m a PoC virus for OS X

The fact is that it is not so often that malware for Mac systems comes to public attention.

There is new information available about a proof-of-concept virus for Macintosh systems. From the new writeup:

Infects other files when they are executed in the current directory, regardless of file name or extension.

Additionally, the Symantec writeup lists the known infection length as 528 bytes.

The name of this new virus is OSX.Macarena.

Update: The following blog entry of Ryan Russell has a coverage list of recent Mac malware.


Apple Airport 802.11 Exploit Published and the Value of HD Moore

From HD Moore at Metasploit, the Apple Airport 802.11 exploit, which has just appeared on the month of kernel bugs site:

Apple Airport 802.11 Probe Response Kernel Memory Corruption


Boys and girls, the AirPort update is out

It happened earlier today. From the Apple Product Security mailing list:

APPLE-SA-2006-09-21 AirPort Update 2006-001 and
Security Update 2006-005

The security fixes described below are available in AirPort Update
2006-001 and Security Update 2006-005. AirPort Update 2006-001
contains an additional non-security fix to address a reliability
issue that occurs on a limited number of MacBook Pro systems.

AirPort version 4.2:
www.apple.com/support/downloads/airport42formacosx1033.html

About the security content of AirPort Update 2006-001 and Security Update 2006-005:

docs.info.apple.com/article.html?artnum=304420


NASA sites running OS X defaced

Zone-H lists the following NASA Web sites defaced today:

#1
http://avdc.gsfc.nasa.gov/phpgdv2

See mirror at zone-h.org/index2.php?option=com_mirrorwrp&Itemid=44&id=4402740

#2
http://avdc1.gsfc.nasa.gov/phpgdv2

See mirror and details at zone-h.org/index2.php?option=com_mirrorwrp&Itemid=44&id=4402742

The Zone-H.org archive lists these as mass defacements by the Byond Hackers Team.

WHOIS results for 128.183.103.227 are the following:

OrgName: National Aeronautics and Space Administration
OrgID: NASA
Address: IS05/Office of the Chief Information Officer
City: MSFC
StateProv: AL
PostalCode: 35812
Country: US

NetRange: 128.183.0.0 - 128.183.255.25

They have a separate “Cyberwar: the beginning” posting too:
www.zone-h.org/content/view/13932/30/
