[Sunnet Alert] Advisory #247 - Yahoo! Widgets, Safari, iPhone, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Tue Aug 7 07:27:40 EST 2007
Sûnnet Beskerming Alert List Advisory #246
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Yahoo! Widgets
- Remote Hacker Automatic Control
- Time Since Discovery - 7 Days
1.2 Safari
- Remote Hacker Automatic Control
- Time Since Discovery - 5 Days
1.3 iPhone
- Remote Hacker Automatic Control
- Time Since Discovery - 5 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Being Prepared is for More Than Just the Scouts
2.2 How has the iPhone Update Affected Research into the Device?
2.3 Worm Threat Forces Apple to Disable Software?
2.4 Beneficial Worm or Digital Menace?
2.5 Firewall Vendor Steps up After BlackICE Discontinued
=====================================
1. SECURITY
1.1 Yahoo! Widgets - Remote hacker automatic control
-- Products Affected --
Yahoo! Widgets 4.0.3 and prior.
-- Technical Description --
Boundary error in the YDPCTL.dll ActiveX control leading to stack
buffer overflow and execution of arbitrary code.
-- Description --
The ActiveX control used by Yahoo! Widgets has been found to be
vulnerable to a memory error that can allow a remote attacker to take
control over a vulnerable system. As this vulnerability affects the
ActiveX control used by the Yahoo! Widgets / Konfabulator engine,
only the Windows version is affected.
-- Recommended Action --
Update to version 4.0.5 of the Yahoo! Widget / Konfabulator engine
to avoid exploitation of this issue. Advanced users can disable the
following CLSID for interim protection -
7EC7B6C5-25BD-4586-A641-D2ACBB6629DD
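As an added example (not from the advisory, Yahoo!, or Microsoft), the Python below shows the standard Windows mechanism behind "disable the CLSID": Internet Explorer's ActiveX kill bit, which is the 0x400 bit of the "Compatibility Flags" DWORD under the ActiveX Compatibility registry key. The key paths and the flag value are Microsoft's documented ones (KB240797); the function names are this example's own, and the CLSID is the one the advisory gives. The script renders a .reg file on any platform and reads or sets the live value when run on Windows with administrative rights. The kill bit only stops hosts that honour it (chiefly Internet Explorer) and does not remove the vulnerable YDPCTL.dll, so it is an interim measure until the 4.0.5 update is applied.

```python
"""Set, render or check the Internet Explorer ActiveX "kill bit" for a CLSID."""
import re
import sys
from typing import Optional

# Microsoft's documented mechanism (KB240797): a DWORD named "Compatibility
# Flags" with bit 0x400 set under this key stops Internet Explorer from
# instantiating the control, without uninstalling it.
KILL_BIT = 0x400
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# 32-bit Internet Explorer on 64-bit Windows reads the WOW6432Node view.
COMPAT_KEY_WOW64 = (
    r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"
)

_GUID = re.compile(
    r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$"
)


def normalize_clsid(clsid: str) -> str:
    """Accept the GUID with or without braces, in any case; return {UPPER}."""
    match = _GUID.match(clsid.strip())
    if not match:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + match.group(1).upper() + "}"


def kill_bit_is_set(flags: Optional[int]) -> bool:
    """Flags is a bitmask; other bits may be present, only 0x400 matters."""
    return flags is not None and bool(flags & KILL_BIT)


def reg_file_for(clsid: str) -> str:
    """Render a .reg file that sets the kill bit in both registry views."""
    clsid = normalize_clsid(clsid)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for base in (COMPAT_KEY, COMPAT_KEY_WOW64):
        lines += [
            f"[HKEY_LOCAL_MACHINE\\{base}\\{clsid}]",
            f'"Compatibility Flags"=dword:{KILL_BIT:08x}',
            "",
        ]
    return "\n".join(lines)


def current_flags(clsid: str, base: str = COMPAT_KEY) -> Optional[int]:
    """Read the live value (Windows only); None if the key or value is absent."""
    import winreg  # only available on Windows

    path = f"{base}\\{normalize_clsid(clsid)}"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            return int(value)
    except FileNotFoundError:
        return None


def set_kill_bit(clsid: str, base: str = COMPAT_KEY) -> int:
    """Create the key if needed and OR the kill bit into any existing flags.

    Requires administrative rights. Returns the flags now stored.
    """
    import winreg  # only available on Windows

    path = f"{base}\\{normalize_clsid(clsid)}"
    flags = (current_flags(clsid, base) or 0) | KILL_BIT
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        winreg.SetValueEx(key, "Compatibility Flags", 0, winreg.REG_DWORD, flags)
    return flags


if __name__ == "__main__":
    # Default is the YDPCTL.dll CLSID from the advisory; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "7EC7B6C5-25BD-4586-A641-D2ACBB6629DD"
    print(reg_file_for(target))
```

Run without arguments to print a .reg file that can be imported with regedit on the affected machine; `set_kill_bit()` does the same from an elevated Python on Windows and can be verified afterwards with `kill_bit_is_set(current_flags(clsid))`. Because the value is a bitmask, the script ORs 0x400 into whatever is already stored rather than overwriting other compatibility flags.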
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U    O
Home User     7    7   (Very High)
Corporate     7    7   (Very High)
1.2 Safari - Remote hacker automatic control
-- Products Affected --
Safari 3.0
-- Technical Description --
Numerous vulnerabilities addressed, including: Safari - Adding
bookmarks may lead to denial of service or arbitrary code execution
due to stack buffer overflow when long site titles are added to the
bookmark list. WebKit - It is possible to operate Java applets even
when Java is disabled. Another issue has also been addressed, where
poor IDN support allows for obfuscation of URLs. Poor support for
PCRE elements may also lead to arbitrary code execution.
-- Description --
Last week Apple released version 3.0.3 of the Safari 3 Beta Internet
browser, addressing a set of vulnerabilities that include issues that
can allow a remote attacker to take control over a vulnerable system,
prevent access to legitimate use of the application, or obfuscate
website addresses.
-- Recommended Action --
Update to version 3.0.3 via the Software Update application (OS X),
or via the download link below.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U    O
Home User     9    9   (Critical)
Corporate     9    9   (Critical)
1.3 iPhone - Remote hacker automatic control
-- Products Affected --
iPhone 1.0
-- Technical Description --
Numerous vulnerabilities addressed, including: Safari - XSS
vulnerability due to race condition in JavaScript implementation.
Another issue, this time heap overflows in PCRE support can lead to
arbitrary code execution. WebCore - HTTP injection in XMLHttpRequest
allowing XSS. WebKit - Poor IDN support allows for URL obfuscation.
An additional issue, this time affecting the handling of framesets
may lead to arbitrary code execution.
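Both the Safari (1.2) and iPhone (1.3) entries note that poor IDN support allows URL obfuscation: a hostname built from non-Latin letters that render like Latin ones, or from a mix of scripts, can be displayed as a trusted name. As an added example, not from Apple or this advisory, the Python below implements the two checks a browser or mail gateway can apply to an internationalised hostname: flag a label that mixes scripts, and flag an all-Cyrillic label made only of Latin look-alikes, then fall back to the punycode (xn--) form for display when either fires. The look-alike table is a small hand-picked subset of Unicode's confusables data, the function names are this example's own, and the sample hostnames in the main block are constructed for the example.

```python
"""Detect IDN look-alike (homograph) hostnames and choose a safe display form."""
import unicodedata

# Cyrillic letters whose glyphs are near-identical to Latin letters in most
# fonts: a small hand-picked subset of Unicode's confusables data.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
}


def decode_label(label: str) -> str:
    """Convert an ACE label (xn--...) back to Unicode; other labels pass through.

    A malformed ACE label raises UnicodeError; callers should treat that as
    suspicious rather than display it.
    """
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label: str) -> str:
    """Unicode label -> ACE form, the form to show when the name is not trusted."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def script_of(ch: str) -> str:
    """Coarse script bucket taken from the character's Unicode name."""
    if ch.isdigit() or ch == "-":
        return "common"  # digits and hyphen are legitimate in any label
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split()[0].lower()  # 'latin', 'cyrillic', 'greek', ...


def analyse_label(label: str) -> dict:
    """Return the script mix, the Latin look-alike form and the two risk flags."""
    text = decode_label(label)
    scripts = {script_of(ch) for ch in text} - {"common"}
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)
    # Whole-script confusable: every letter is Cyrillic and every letter has a
    # Latin twin, so the label as a whole reads as a Latin word.
    whole_script = scripts == {"cyrillic"} and all(
        ch in CYRILLIC_LOOKALIKES or script_of(ch) == "common" for ch in text
    )
    return {
        "label": text,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "lookalike_of": skeleton if skeleton != text else None,
        "whole_script_confusable": whole_script,
    }


def findings_for(hostname: str) -> list:
    """Human-readable reasons a hostname is suspicious (empty list means clean)."""
    out = []
    for label in hostname.rstrip(".").split("."):
        info = analyse_label(label)
        if info["mixed_script"]:
            out.append(f"{info['label']!r} mixes scripts {info['scripts']}")
        elif info["whole_script_confusable"]:
            out.append(
                f"{info['label']!r} is all-Cyrillic but renders like {info['lookalike_of']!r}"
            )
    return out


def display_form(hostname: str) -> str:
    """Unicode if the name is clean, otherwise the ACE form so the trick is visible."""
    labels = [decode_label(part) for part in hostname.rstrip(".").split(".")]
    if findings_for(hostname):
        return ".".join(encode_label(part) for part in labels)
    return ".".join(labels)


if __name__ == "__main__":
    # Constructed samples: a genuine name, an all-Cyrillic look-alike of a
    # well-known brand, and a label that mixes Latin with one Cyrillic letter.
    for name in ("example.com", "\u0430\u0440\u0440\u04cf\u0435.com", "p\u0430ypal.com"):
        print(display_form(name), findings_for(name) or "clean")
```

The mixed-script rule is the cheap one and catches most single-letter substitutions; the whole-script rule is what catches a label such as Cyrillic "аррӏе", which passes the first test because it is internally consistent. Neither rule covers Latin-only tricks (rn for m, 0 for o), which need a separate visual-similarity comparison against the names being protected.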
-- Description --
Last week Apple released Update 1.0.1 for the iPhone, addressing a
number of serious vulnerabilities. Vulnerabilities addressed include
issues that would allow for remote control over the iPhone by
convincing a victim to view a malicious web page in the iPhone Safari
browser and possible temporary loss of phone functionality. Due to
the integration with iTunes, the only way that this update is
available is to connect the phone to iTunes and allow its update
process to run.
-- Recommended Action --
Update to iPhone 1.0.1 via the iTunes updater.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U    O
Home User    10   10   (Highly Critical)
Corporate    10   10   (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Being Prepared is for More Than Just the Scouts
The need for a strong disaster recovery plan is one of the topics
that has received previous coverage from Sûnnet Beskerming and it
should be an essential component of any business plan. A recent power
outage in San Francisco provides an excellent example of this need,
when some of the largest sites on the Internet went dark after the
co-lo facility where they were hosted was affected by the outage.
When the San Francisco co-location (co-lo) facility for 365 Main was
affected by a San Francisco power outage, sites such as Craigslist,
Typepad, Yelp, LiveJournal, Linden Lab, Sun, and Technorati were
amongst those that temporarily disappeared from the Internet. Initial
reports suggested that someone had physically damaged numerous racks,
though this was later corrected to indicate the power outage as the
root cause for the shutdown.
Embarrassingly for one company, Redenvelope, they were celebrating
two years of 100% uptime with their hosting at 365 Main - sending out
their press release on the same day that the power went out. Users of
the online Second Life environment also found some increased
instability with their online world.
Despite having backup generators and power failover management
systems in place, 365 Main found that they apparently did not
function as advertised. Rather than using traditional battery bank-
style Uninterruptible Power Supplies (UPSs), 365 Main used a
mechanical flywheel-based stored energy system to provide coverage
between when the mains cuts out and when the generators pick up the
slack. Flywheels can only provide power for a short period and are a
viable solution for avoiding the need to cycle power for the few
seconds it takes power management systems to realise there is a
problem and start the generators.
This particular short power gap is more important to dynamic sites
than static sites, where an unexpected short power outage / server
reboot can lead to a lengthy site downtime as databases, hard drives,
and supporting systems fail to recover gracefully.
While geographically remote redundancy is not always something that
can be achieved, it is something that is possible and becoming more
cost effective with the large number of hosting providers spread
across the globe. A load balanced website with multiple failover
locations that are based on separate power grids, in separate
countries, and even on separate host Operating Systems is well within
the reach of most businesses that are paying for external hosting for
their websites and other web services.
If malware authors and spammers are busy using 'Fast Flux Networks'
to remain an elusive target, then the average site owner can apply
the same techniques and capabilities to obtain seamless continuity of
operations when the unthinkable happens.
This might be a fairly simple solution for sites that are relatively
static in content terms (i.e. serving static HTML or simply generated
PHP / ASP / Perl), but achieving the same with dynamic "Web 2.0"
sites isn't that much more difficult. Databases that are primarily
read only can be replicated relatively simply, while databases that
are heavily written to require a little bit more effort with
replication and co-ordination. It certainly isn't out of the realm of
possibility to have proper replication no matter what type of website
is being operated.
To make the best of the available opportunities means that you have
to be aware that they exist in the first place, and that you are
paying the right people to develop and implement the right systems
for your site / business.
If you or your business aren't sure how you would cope with the
sudden loss of availability for a critical business component,
perhaps it is time to look at the various options available. Even if
you are, perhaps it is time that you tested those processes.
2.2 How has the iPhone Update Affected Research into the Device?
Apple's recent update for the iPhone has had some implications for
those who are seeking to dig around inside the system. As reported by
the team responsible for the most progress to date (#iphone @
irc.osx86.hu), the iPhone update does have an effect on what has been
achieved to this point. It is known that the update will perform a
system wipe on modified phones since they fail an integrity check,
and that system downgrades (to 1.0) produce some mixed results (even
if successful, the phone reports as 1.0.1).
After the update has been applied, the researchers have identified
that the previously known activation bypass methods (created by DVD
Jon and others) will still work. Other code that was created for
version 1.0 still works, such as Jailbreak 1.0, and newer versions of
the iPhoneInterface (0.3.3 and later).
Restore images and full diff files have also been created to assist
those who are looking to poke around inside the system.
More third party software has also been compiled and shown to work on
the iPhone, with Ruby now available (version 1.8.6) from here. An
interesting tool, named Webshell, has also been released which allows
command line access to the iPhone through the Safari browser.
Work on one of the remaining stumbling blocks, unlocking the
Provider's Network lock, is progressing steadily. Several different
approaches are under consideration at the moment, with the goal of
eventually being able to unlock from within the system or get write
access to the baseband memory. Gaining write access to this memory
will have some interesting results, as it is basically a dedicated
sub-system that is part of a multimedia engine called S-Gold2
(created by Infineon) and is used in other phones - sometimes as the
primary chip as is the case with at least one Siemens phone (though
using a different firmware).
With the chip responsible for providing this support to the iPhone
running a dedicated RTOS (Real Time Operating System) called Nucleus,
the researchers have had to reverse engineer this system to
understand the various options for opening up the baseband components.
At this point in time, the researchers have reverse engineered most
of the low level functions and they plan to release full
documentation on their results once they have unlocked it. This will
help future researchers / hackers / interested third parties when
encountering S-Gold2 devices in the future.
The release of a generic iPhone exploit at Black Hat is still
expected for this Friday afternoon, but it is not certain at this
stage whether the core vulnerability that is used to achieve the
exploit has been addressed by the iPhone update.
2.3 Worm Threat Forces Apple to Disable Software?
When an online identity (or group of identities) known as InfoSec
Sellout made grand claims of a proof of concept worm, dubbed
Rape.osx, that targets OS X, it led to a lot of heated argument and
drama - including anonymous death threats and an accidental deletion
of their blog. While there has still been no external proof of their
claims, or appearance of the worm outside of their testing
environment, the information that accompanied the original claims
pointed to a vulnerability in mDNSResponder as being the underlying
vulnerability exploited by Rape.osx.
Even though Apple had addressed various vulnerabilities within
mDNSResponder in different Security Updates, the claims being made
were that Apple had failed to adequately address a set of
vulnerabilities - only patching specific attack vectors rather than
the underlying problem.
Although InfoSec Sellout has effectively disappeared from the
Internet (their blog has been suspended by Google), it appears that
the drama and initial disclosure may have forced Apple to disable an
OS X system component with their most recent Security Update
(Security Update 2007-007). Contained within Apple's knowledgebase
article accompanying the release, is information about changes to
mDNSResponder behaviour following the application of the Update.
Seeming to closely follow the information disclosed by InfoSec
Sellout, Apple's mDNSResponder update addresses a vulnerability that
can be exploited by an attacker on the local network to gain a denial
of service or arbitrary code execution condition. Apple go on to
identify that the vulnerability that they are addressing exists
within the support for UPnP IGD (Universal Plug 'n Play Internet
Gateway Device - used in port mapping on NAT gateways) and that an
attacker can exploit the vulnerability through simply sending a
crafted network packet across the network. With the crafted network
packet triggering a buffer overflow, it passes control of the
vulnerable system to the attacker.
Rather than patching the vulnerability and retaining the capability,
Apple have completely disabled support for UPnP IGD (though there is
no information about whether it is only a temporary disablement until
vulnerabilities can be addressed).
There has already been some chatter on various mailing lists about
this seemingly-odd move by Apple, with the responses primarily
indicating that observers have found this particular method of
addressing a vulnerability to be humorous.
It is interesting to note that Apple have not attributed any external
party for the identification and reporting of the vulnerability, and
the relevant CVE entry (CVE-ID: CVE-2007-3744) shows only that it is
a reserved entry - with no information about who might have
registered the CVE ID and no information about what the entry relates
to. If the information reported by MITRE is accurate, then it points
to the CVE entry being created prior to the public disclosure of the
existence of Rape.osx (12 July versus 16 July). This may be
coincidental, but it might provide some insight about the spread of
information about the vulnerability if the party responsible for
creating the ID is disclosed.
2.4 Beneficial Worm or Digital Menace?
Via the team at GNUCitizen comes news of a newly discovered AJAX-
based worm that targets Wordpress blogs. An independent researcher,
beNi, discovered several vulnerabilities that affect the current
version of the Wordpress blogging platform.
The vulnerabilities range from Cross Site Scripting (XSS), including
persistent XSS, through to SQL injection and database errors. If
combined, they would allow a malicious attacker to take over
vulnerable blogs. Having been publicly disclosed, these are '0-day'
vulnerabilities, with no patch currently available.
Well, almost.
It seems that not only has beNi found the vulnerabilities, but he has
written an AJAX-based worm to patch the issues. Although the initial
response from some has been shock that the worm goes ahead and
installs the patches silently, it has been pointed out that nothing
is done without the administrator's permission - the worm automates
the process of patching and updating once the admin allows it to.
While it isn't the first beneficial (or attempted beneficial) worm in
existence, it is one of the more interesting ones, appearing before
any attack code that targets the vulnerabilities being patched. With
the worm requiring semi-manual activation, there is little chance
that it is going to rapidly spread and is most likely going to remain
a useful tool for administrators seeking to update and protect their
installations. The only risk is that with the code freely available
it could be modified for malicious purposes to target unpatched blogs.
2.5 Firewall Vendor Steps up After BlackICE Discontinued
After security vendor ISS was purchased by IBM, many thought that
their popular software firewall BlackICE would continue as a leading
product, especially with the resources of IBM to help sustain
development and support of the software.
That situation has now changed, with IBM Internet Security Systems
announcing that BlackICE PC / Server Protection has now reached End
of Sale (EOS), with the End of Life (EOL) for the products to come on
September 29, 2008. What this means is that as of September 17, 2007,
consumers are no longer able to purchase new copies of the above
BlackICE products, and that existing customers will no longer be able
to access support for their installed versions after the 29th of
September next year.
With the cancellation of these products coming as somewhat of a
surprise, at least one firewall vendor has already made a move to
provide services to the BlackICE userbase.
Florida-based antimalware vendor SunBelt Software has created an
online program at http://www.saveblackice.com/ where current BlackICE
users can obtain a free copy of the Sunbelt Personal Firewall product
(formerly the Kerio Personal Firewall), along with complimentary
support and updates for 12 months.
Although no end-date has been identified for this offer, SunBelt have
identified that it is only available for a limited time.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.