Posted on March 26th, 2009 by jbrown
Filed under: Web, Microsoft, Commentary, Full Disclosure, Apple, Corporate Security, Sec Tools | 1 Comment »

0day exploits for Internet Explorer, Firefox, and Safari were used to own machines at the Pwn2Own contest @ CanSecWest 2009. Is now the time for someone to port Windows 3.1 to MIPS and install a good telnet client? Roffles.
Credit www.dailygalaxy.com for the fierce FF/IE photo
Posted on December 19th, 2008 by Aviram
Filed under: Web, Commentary, Culture, Apple, Phishing | 4 Comments »
A woman working in HP Israel sent an email to hundreds of co-workers falsely claiming that a snack made by Osem, one of the largest food manufacturers in Israel and the local subsidiary of the Nestle food giant, is causing infant death.
This email quickly spread and the immediate result was a 6% drop in Osem’s stock in just a few hours.
The email wasn’t very sophisticated. It wasn’t even remotely true and the ministry of health immediately issued a statement confirming the rumour is false. Still, Osem - one of the largest companies in Israel - will see its stock down a few percent over this rumor.
Earlier this month, Apple’s stock went down following rumors that Apple’s CEO Steve Jobs had a heart attack. The Apple stock takes a beating every time that rumor surfaces, and that happens regularly.
Stocks going up or down because of rumors is as old as the invention of the stock market. But the Internet makes it easier to create a rumor that reaches far and wide within hours; there is just one more component that is missing: credibility.
Imagine if you saw a news item on Apple.com that discussed the death of CEO and chairman Steve Jobs. Imagine if you saw a clarification text on Osem’s web site explaining that the ‘bamba’ snack is indeed suspected of poisoning infants. This is not difficult to do - I don’t really need to break in or deface the web sites for this to happen - I just need to find a cross site scripting vulnerability and use it for the attack.
In fact, we made a quick proof of concept for the Tel Aviv Stock Exchange a few years ago when we planted a false news item using a cross site scripting attack. The reaction from TASE was familiar to anyone who has ever reported an XSS vulnerability: “oh, this is not really a problem as it does not permanently change the page” (for something that is “not a problem” they sure fixed it within the hour, though).
We’ve repeated this exercise almost every time our vulnerability scanning service found an XSS vulnerability and we had to explain why the report claims it’s a serious issue. We planted false financial reports in the ‘investors’ section, altered news items and in almost all cases, met with the standard reaction: “this is not a real vulnerability” and “how can this really affect me?”
Most security researchers opt to explain XSS as an attack for stealing cookies. While this is true, I think there’s a greater risk in altering the information on the page to visitors which could be useful in a phishing attack, or like the examples above, a speculative attack.
I’m waiting for the first XSS attack that will tank a big company stock. If you’re reading this, make sure your company won’t be the one.
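The content-alteration risk the post describes, as an added example that is not part of the original post: a hypothetical ‘investors’ search page that echoes its `q` parameter, shown in its vulnerable form beside the output-encoded fix. The site name, template and fake headline are constructed for illustration.

```python
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed template for a hypothetical 'investors' page that echoes the
# visitor's search term back into the page body.
PAGE = "<h1>Investor news</h1><p>Results for: {q}</p><p>No results.</p>"


def _search_term(url: str) -> str:
    """Pull the (already percent-decoded) 'q' parameter out of a URL."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Echo the term verbatim: the reflected-XSS mistake."""
    return PAGE.replace("{q}", _search_term(url))


def render_hardened(url: str) -> str:
    """HTML-encode the term so the browser can only ever show it as text."""
    return PAGE.replace("{q}", escape(_search_term(url), quote=True))


def contains_live_markup(rendered: str, untrusted: str) -> bool:
    """True if the untrusted string survived into the page unencoded, i.e.
    the browser would parse it as markup rather than display it as text."""
    return untrusted in rendered


# A constructed link of the kind the post describes: the 'search term' is a
# fake headline that the vulnerable page shows under the site's own banner,
# with the site's own domain in the address bar.
FAKE_HEADLINE = "<h2>Example Corp recalls its entire product line</h2>"
POISONED_URL = "https://investors.example.com/search?q=" + quote(FAKE_HEADLINE)

if __name__ == "__main__":
    print(render_vulnerable(POISONED_URL))  # headline lands as real markup
    print(render_hardened(POISONED_URL))    # shown literally as '&lt;h2&gt;...'
```

Nothing here steals a cookie; the damage is purely that a trusted site appears to say something it never said, which is the point the post makes.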
Posted on December 4th, 2008 by Aviram
Filed under: Web, Gadgets, Commentary, Full Disclosure, Apple, Botnets | 2 Comments »
Xyberpix posted his challenge without giving us any advance notice, but being the ego-driven macho man that I am, even with mediocre writing skills, I can’t not accept it.
So here’s a random thought for the day. AppleTV is a useless brick unless hacked to run something like boxee or another front-end player for custom movie files. It’s safe to say most AppleTV users use it to play content outside iTunes.
The latest AppleTV update (version 2.3) has two interesting qualities.
One, it fixes several vulnerabilities involving playing malformed movie files (kudos to ZDI for the finds). It shouldn’t be difficult to compare 2.3 to 2.2 and find where the problems are exactly. Some reverse-assembly is required, but it is definitely doable.
Two, it breaks many of the hacks like mounting external USB drives, and creates problems for applications like boxee.
From problem #2, I’m willing to guess many (most?) of the ATV users that hacked the machine haven’t upgraded. From problem #1 I know that those who haven’t upgraded are vulnerable. They will remain vulnerable for some time, until the hacks improve and find a way around this infamous update.
So will we see an attack targeting AppleTV any time soon? It’s a cute little Linux-based device that sits in the network with a connection to the local home LAN. All it takes is the right AVI on The Pirate Bay (or YouTube?) to create a little AppleTV zombie net.
Posted on November 14th, 2008 by Juha-Matti
Filed under: Web, Commentary, Apple, Virus, Corporate Security | 4 Comments »
A new Trojan horse for the Mac environment has been discovered.
The Trojan is known as OSX.Lamzev.A by Symantec.
When it is executed it will create the file ezmal in the Applications folder (the name is Applications in localized installations too).
The names of earlier widely known OS X malware are Mac.Hovdy.a (June ‘08), OSX.Exploit.Launchd (June ‘06) and Leap.A (February ‘06). Saying ‘widely known’ doesn’t mean that they were widely spread.
I remember the exact number of 63 when talking about known Mac malware.
There are no worms for Apple - yet.
Posted on October 14th, 2008 by Juha-Matti
Filed under: Gadgets, Commentary, Apple, Physical Security, Corporate Security | 2 Comments »
Time to share information about three vulnerabilities reported in Apple iPhone recently.
There is a phishing vulnerability and a spamming vulnerability, which Aviv Raff has reported this month.
The phishing flaw exists in iPhone’s Mail application. With a specially drafted link it’s possible to convince the victim that the link is trusted. Including the address bar, naturally - see Raff’s screenshot here [.jpg].
The second problem is that downloading remote images is not disabled in Mail, i.e. the Web Bug flaw exists in the application and there is no way to disable that “feature”.
The third one is an SMS security issue found by the son of blogger Karl Kraft, described below:
Those settings block the display of incoming text messages and show an alert saying “New Text Message” if an SMS comes through while the phone is locked. However, if the phone is set to emergency call mode the incoming text messages are previewed.
And then:
“Thus all I need to do to intercept the messages from his girlfriend is to place the phone in emergency mode and wait 30 seconds for the next sickly sweet message,” Kraft writes.
That was reported (yes, by his father) in iPhone version 2.1 (5F136) - the most recent version too.
Posted on June 11th, 2008 by noam
Filed under: Microsoft, Commentary, Apple, Corporate Security | No Comments »
As Microsoft gradually stops supporting Windows 2000, vendors of other products around them also stop supporting it. This is no big deal for those that moved to Windows XP, 2003 or Vista - but it could be a big deal to all those that simply don’t have the computer power to do the switch and want to stick to their working OS.
Microsoft has promised to release security related patches for Windows 2000 for a bit more, but this will eventually stop - what is more concerning is the fact that Adobe and Apple have done this quietly and are placing their users at risk.
It has been quite a while now that Adobe [Acrobat Reader] has not released an update for its software with the claim - you guessed it - unsupported OS, and even more than a while that Apple [QuickTime] has not released an update for Windows 2000.
With the emergence of new vulnerabilities for Acrobat Reader and QuickTime people are not only left behind in the vulnerability prevention race, they are not made aware of it - both programs don’t care enough to give their users adequate warning that they are at risk.
List of issues affecting QuickTime with no apparent fix for Windows 2000:
* QuickTime 7.2 issues, QuickTime 7.3 issues, QuickTime 7.4 issues, QuickTime 7.5 issues - all these probably affect QuickTime 7.1 too
Posted on December 4th, 2007 by Juha-Matti
Filed under: Web, Commentary, Apple, Corporate Security | No Comments »
The number of recent QuickTime PoC’s is remarkably large and the active exploitation has begun as well, as many of the readers know.
However, the QuickTime RTSP vulnerability reported on 23rd Nov is not the only one.
It appears that the WabiSabiLabi team has reported that there is another (they call it a zero-day vuln) flaw in Apple’s QuickTime player too.
This is what their blog post states:
We just want to specify that the vulnerability shown on those POCs IS NOT the one present in our marketplace.
They are pointing to PoCs listed at Milw0rm etc.
And a summary:
The first issue reported by Krystian Kloskowski (aka h07) is CVE-2007-6166 - CVSS score 9.3. For workarounds see US-CERT VU#659761.
The second issue reported by an unknown person is CVE-2007-6238 - CVSS score 10.0. Reportedly ‘Affected system: Windows XP’.
Posted on November 25th, 2007 by Juha-Matti
Filed under: Commentary, Privacy, Culture, Apple | No Comments »
I’m sure there are people not aware of the recent state of Apple iPhone IMEI case.
It was reported by UNEASYsilence blog (pointing to the older forum post of Hackint0sh.org) that “Stocks” and “Weather” widgets send the IMEI number to Cupertino.
I.e. like this:
iphone-wu.apple.com/dgw?imei=%@&apptype=finance
The fact is, however, that the string being sent is not the International Mobile Equipment Identity code.
Reference: Docpool.org/iphone/The day after.en.html
What the widget sends is a UUID (Universally Unique Identifier).
Hey, IMEI has 15 characters (and only numbers) and UUID has 32 characters.
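A check that tells the two identifiers apart in a captured request, as an added example that is not part of the original post: it uses the structural differences the post cites (an IMEI is 15 decimal digits, the last being a Luhn check digit; a UUID is 32 hex digits, usually written with hyphens). The captured URLs are constructed in the shape the post quotes; the IMEI value is a standard Luhn-valid textbook example, not a real device.

```python
import uuid
from urllib.parse import parse_qs, urlsplit


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which the 15th (check) digit of an IMEI satisfies."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(value: str) -> str:
    """Return 'IMEI', 'UUID', or a short reason why the value is neither."""
    if len(value) == 15 and value.isdigit():
        return "IMEI" if luhn_valid(value) else "15 digits but bad Luhn check digit"
    try:
        uuid.UUID(value)          # accepts 32 hex digits, with or without hyphens
        return "UUID"
    except ValueError:
        return "neither: %d chars" % len(value)


def classify_request(url: str, param: str = "imei") -> str:
    """Classify the value of one query parameter in a captured request URL."""
    value = parse_qs(urlsplit(url).query).get(param, [""])[0]
    return classify(value)


# Constructed captures in the shape the post quotes: the parameter is *named*
# imei either way, so only the value tells you what was actually sent.
CAPTURED_UUID_REQUEST = ("http://iphone-wu.apple.com/dgw?"
                         "imei=3f2504e04f8911d39a0c0305e82c3301&apptype=finance")
CAPTURED_IMEI_REQUEST = ("http://iphone-wu.apple.com/dgw?"
                         "imei=490154203237518&apptype=finance")

if __name__ == "__main__":
    print(classify_request(CAPTURED_UUID_REQUEST))  # UUID
    print(classify_request(CAPTURED_IMEI_REQUEST))  # IMEI
```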
Posted on August 8th, 2007 by Juha-Matti
Filed under: Web, Microsoft, Commentary, Apple, Fuzzing | 2 Comments »
Window Snyder, the head of security strategy at Mozilla Corporation, wrote this week about Opera’s way of using Mozilla’s fuzzer for JavaScript. Mrs. Snyder is pointing to the post of Claudio Santambrogio from Opera Software:
While running the tool, we found four crashers - one of which might have some security implications.
When will we be reading news like this from Microsoft and Apple?
Posted on July 24th, 2007 by Juha-Matti
Filed under: Web, Commentary, Apple | No Comments »
The following Exploiting the iPhone video (1:20) has been posted to YouTube to demonstrate the recent MobileSafari vulnerability reported by Independent Security Evaluators.
The technical document is located here [PDF].
Posted on July 18th, 2007 by xyberpix
Filed under: Commentary, Full Disclosure, Apple, Virus | 1 Comment »
A security researcher going by the name of InfoSec Sellout has claimed to have found an undisclosed security vulnerability in mDNSResponder which he is claiming is remotely exploitable.
At present there is only a proof-of-concept worm that will leave a file on the system to prove that it’s been exploited; apparently, though, modifying the payload on this one is a trivial task. This has currently only been tested on Intel Macs, as the author does not have any PPC hardware at his disposal at present.
As yet, the author has not notified Apple about this one, as he does not want to give incomplete research results, but more importantly he is also waiting for compensation from unnamed sources, so this really is an interesting one.
I’m going to try and set up an interview with the author and see what other info he is willing to disclose.
Here are a few links on this one:
http://www.securityfocus.com/bid/24924
http://infosecsellout.blogspot.com/
Posted on June 17th, 2007 by Juha-Matti
Filed under: Web, Commentary, Apple | 2 Comments »
The recent Safari update, version 3.0.1, includes fixes for the following issues in the Beta release:
Protocol Handler issue reported by Thor Larholm, CVE-2007-3186
DoS-type race condition issue reported by Aviv Raff, CVE-2007-3185
and
HTML handling issue reported by David Maynor, CVE-2007-2391
It did not take many days to release a fixed version, but there are many other vulnerabilities reported in Safari 3.0 Beta (for Windows and OS X) too.
But the download link of Safari 3.0.1 Public Beta is
www.apple.com/safari/download/
Posted on March 14th, 2007 by noam
Filed under: Commentary, Apple | No Comments »
Apple has released a “megapatch” that plugs 45 different security holes. These security holes range from vulnerabilities in Apple’s image viewing programs, vulnerabilities in the kernel, vulnerabilities in MySQL server, vulnerabilities in their AppleTalk network protocol and finally vulnerabilities in OpenSSH.
More details can be found here.
Posted on February 15th, 2007 by Juha-Matti
Filed under: Web, Commentary, Apple, Corporate Security | No Comments »
Apple has released fixes for four vulnerabilities reported by Month of Apple Bugs (aka MoAB) in January.
The issues are a buffer overflow in Finder when handling volume names, a null pointer dereference in iChat’s Bonjour when handling drafted messages, a format string vulnerability in iChat (related to the AIM URL handler) and the problem of the “UserNotificationCenter process running with elevated privileges in the context of a local user”.
Link to the advisory here:
docs.info.apple.com/article.html?artnum=305102
Posted on January 23rd, 2007 by Juha-Matti
Filed under: Web, Commentary, Full Disclosure, Apple | 3 Comments »
Apple has released a fix for QuickTime rtsp:// URL Handler Stack-based Buffer Overflow - aka MOAB-01-01-2007.
There are no other fixes included in Security Update 2007-001; link here:
docs.info.apple.com/article.html?artnum=304989
As we can see the ‘MOAB-01-01-2007’ was disclosed on 1st Jan as the very first Month of Apple Bugs advisory.
It is worth noting that Windows versions 7.1.3.100 and below are affected too.
Best,
Juha-Matti Laurio
Posted on December 5th, 2006 by Juha-Matti
Filed under: Web, Commentary, Apple | 1 Comment »
There have been some erroneous forum discussions that Apple’s Security Update 2006-007 released last week will block the Mac ad/spyware iAdware (or OSX/Cosmac).
The update - and the Install component - doesn’t prevent iAdware from working.
The PoC was originally listed here:
www.digitalmunition.com/dma.html
-> Advisory #44, “Macrocosm.tar.gz - ‘Macrocosm (detected as OSX.PopUp.gen”
KF has posted the answer to Bugtraq list too.