SecurityFeed.info » Apple Fun

Feeds

57036 items (57036 unread) in 90 feeds

• Aviv Raff On .NET (29 unread)
• Bugtraq (bugtraq) Mailing List (2860 unread)
• CGISecurity.com: Your Web Site and Application Security Resource (415 unread)
• christian's weblog (25 unread)
• Irongeek's Security Site (344 unread)
• Jeremiah Grossman (191 unread)
• Heorot.net (19 unread)
• milw0rm.com (1332 unread)
• Nmap Hackers (nmap-hackers) Mailing List (27 unread)
• Rootsecure.net (3262 unread)
• SecuriTeam.com (645 unread)
• Security Vulnerability Research & Defense (147 unread)
• SecurityFocus News (435 unread)
• SecurityFocus Vulnerabilities (2707 unread)
• Securityvulns news channel (1735 unread)
• SecWatch - Latest Exploit Alerts (10 unread)
• Taking Network Security to the Streets (28 unread)
• The One And Only Matt Parnell.com (86 unread)
• The Register - Security (2360 unread)
• The Register - Software (2742 unread)
• VulnWatch (vulnwatch) Mailing List (19 unread)
• Web App Security (webappsec) Mailing List (433 unread)
• IceСμbeς (15 unread)
• Linmagazine (757 unread)
• ‫netcraft Bytes :) (130 unread)
• Blonde 2.0 (218 unread)
• The Microsoft Security Response Center (MSRC) (175 unread)
• (IN)SECURE Magazine Notifications RSS (45 unread)
• 0x000000 Security (95 unread)
• ----- Anti-Malware ----- Analysis and Defense (16 unread)
• Apple Fun (25 unread)
• Technorati Search for: aviv.raffon.net (368 unread)
• C.I.S.R.T. (25 unread)
• Determina Zero-Day Protection (6 unread)
• Didier Stevens (157 unread)
• eEye Digital Security - Research Blog (12 unread)
• Ryan Naraine's Security Watch (488 unread)
• Security - RSS Feeds (1100 unread)
• Exploit Prevention Labs (28 unread)
• Software Vulnerability Exploitation Blog (22 unread)
• F-Secure Antivirus Research Weblog (470 unread)
• Full Disclosure (1289 unread)
• George Ou (10 unread)
• GNUCITIZEN Media Portfolio (157 unread)
• ha.ckers.org web application security lab (135 unread)
• heise security (1864 unread)
• invisiblethings' blog (57 unread)
• Jeff Jones's blog (13 unread)
• JScript Blog (26 unread)
• Matasano Chargen (74 unread)
• McAfee Avert Labs (354 unread)
• Michael Howard's Web Log (46 unread)
• PandaLabs (227 unread)
• Zero Day (867 unread)
• SANS Internet Storm Center, InfoCON: green (1115 unread)
• Latest Secunia Security Watchdog Blog Entries (71 unread)
• SecuriTeam Blogs (248 unread)
• Security Fix (494 unread)
• HP ASC Portal (30 unread)
• Strike Center (12 unread)
• Sunbelt Blog (909 unread)
• Sunnet Beskerming Security Advisories (149 unread)
• Technobabylon
• The Recurity Lablog (34 unread)
• Wired: Threat Level (1460 unread)
• TrendLabs | Malware Blog - by Trend Micro (636 unread)
• Uninformed Journal (49 unread)
• WabiSabiLabi's blog (23 unread)
• WatchGuard Wire (134 unread)
• Latest Blog Entires From WebSense Security Labs (164 unread)
• Hackszine.com (664 unread)
• DVLabs: Blogs (145 unread)
• Errata Security (177 unread)
• Robert Hensing's Blog (93 unread)
• PaulDotCom Community Blog (14 unread)
• David LeBlanc's Web Log (34 unread)
• Billy (BK) Rios (29 unread)
• David Litchfield's blog (22 unread)
• Farfromr00tin (27 unread)
• aut disce, aut discede (17 unread)
• pwn* (26 unread)
• hackademix.net (106 unread)
• SecurityDot Vulnerabilities (1939 unread)
• Vulnerabilities & Exploits (87 unread)
• Malicious Code (100 unread)
• Security Risks (66 unread)
• Digg / Security / upcoming (17371 unread)
• digg.com: News / Security / Popular (395 unread)
• DarkReading - Security News (926 unread)
• DarkReading - All Stories (148 unread)

Apple Fun (10 unread)

• February 01, 2007
• 1:59

  MOAB-31-01-2007: Stay tuned (and farewell)

   » ‎ Apple Fun
  We thank everyone who has contributed, as well as those who donated to the project and sent nice feedback. We also thank the zealots, who made our day every time they blogged and commented about us. We would like to thank Apple for making this month a smooth one.
  
  Last but not least, we will stop disclosing (although KF might continue releasing issues) any further information related to OS X security. Full disclosure isn't good. Feeding the security industry neither.
  
  OS X remains insecure. But now there will be less 'publicity hogging' about it. Finally, you can always keep an eye on our well respected friends at Matasano, who might keep the a-bug-per-decade campaign.
  
  Have fun.
  

  • MOAB-31-01-2007: Stay tuned?

  
• January 31, 2007
• 4:50

  MOAB-30-01-2007: Multiple Apple Software Format String Vulnerabilities

   » ‎ Apple Fun

  Multiple developers of Apple based software including Apples own developers seem to have a misunderstanding of how to properly use NSBeginAlertSheet, NSBeginCriticalAlertSheet, NSBeginInformationalAlertSheet, NSGetAlertPanel, NSGetCriticalAlertPanel, NSGetInformationalAlertPanel, NSReleaseAlertPanel, NSRunAlertPanel, NSRunCriticalAlertPanel, NSRunInformationalAlertPanel, and NSLog.

  
  Further information:
  
  

  • Multiple Apple Software Format String Vulnerabilities
  • Application Kit Functions Reference

  
• January 30, 2007
• 6:48

  MOAB-29-01-2007: Apple iChat Bonjour Multiple Denial of Service Vulnerabilities

   » ‎ Apple Fun
  
  

  Apple iChat Bonjour functionality is affected by several remotely exploitable denial of service flaws which can be triggered via advertising presence services over multicast DNS.

  
  Further information:
  

  • Apple iChat Bonjour Multiple Denial of Service Vulnerabilities
  • Exploit: MOAB-29-01-2007.rb

  In other news, "Craig Seeman cseeman (at) optonline.net" (author of Flip4Mac reviews) contacted us:
  

  
  Hi,
  regarding http://projects.info-pull.com/moab/MOAB-27-01-2007.html
  This is what they're testing have found at this point: Flip4Mac has received reports of a QuickTime crash when playing a deliberately modified/damaged Windows Media file. There is no evidence that this has been or could be exploited to produce a security vulnerability. We have reproduced the crash and will include a fix for this in our next release.
  

  
  Hmm, even Mr. Keller has kept out of his business (prolly learnt that integer overflows are useful to pop shells around, long after the initial DMG-related lessons). So anyway, better saved EIP overwrite for you:
  

  
  Program received signal EXC_BAD_ACCESS, Could not access memory.
  Reason: KERN_INVALID_ADDRESS at address: 0xff806aa5
  0xffff0ac7 in ___memcpy () at .../PrivateHeaders/i386/cpu_capabilities.h:228
  228     in /.../PrivateHeaders/i386/cpu_capabilities.h
  (gdb) i f
  Stack level 0, frame at 0xbfffdc78:
  eip = 0xffff0ac7 in ___memcpy (/.../PrivateHeaders/i386/cpu_capabilities.h:228); saved eip 0xdddeface
  called by frame at 0xbfffdc80
  source language unknown.
  Arglist at 0xbfffdc70, args:
  Locals at 0xbfffdc70, Previous frame's sp is 0xbfffdc74
  Saved registers:
  eip at 0xbfffdc70
  (gdb) bt
  #0  0xffff0ac7 in ___memcpy () at /.../PrivateHeaders/i386/cpu_capabilities.h:228
  #1  0xdddeface in ?? ()
  

  
  Sure we can fake the output. But we seriously have better stuff to do around. Like releasing a working exploit while you keep eating peanuts. Enjoy.
  
• January 29, 2007
• 1:54

  MOAB-28-01-2007: Apple crashdump Privilege Escalation Vulnerability

   » ‎ Apple Fun

  crashdump follows symlinks within the /Library/Logs/CrashReporter/ directory, allowing admin-group users to execute arbitrary code and overwrite files with elevated privileges. In couple with a specially crafted Mach-O binary, this can be used to write a malicious crontab entry, which will run with root privileges.

  • Apple crashdump Privilege Escalation Vulnerability
  • Exploit: MOAB-28-01-2007.rb and vuln
    

  
• January 27, 2007
• 10:00

  MOAB-27-01-2007: Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability

   » ‎ Apple Fun

  Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.

  
  Further information:
  

  • Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability
  • Proof of concept: MOAB-27-01-2007.wmv

  This can be abused remotely even via Mail.app (sending the movie attached in the message), Safari, etc.
• 8:49

  MOAB-26-01-2007: Apple Installer Package Filename Format String Vulnerability

   » ‎ Apple Fun
  
  

  Apple Installer fails to properly handle package filename strings. It's a affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

  
  Further information:
  

  • Apple Installer Package Filename Format String Vulnerability
  • Petition Online: Assure OSX authentication dialog box authenticity
  • Petition Online: Remove all admin->root authorization prompts from OSX

  See: Sarcasm.
  
  Also, many thanks to an anonymous supporter for donating to the project. We are at $568.73 USD now. We would like to note also that we don't endorse any actions taken against anyone who openly criticizes or disagrees with the project. Let's keep out of personal attacks, they don't bring anything interesting to the playground, and after all, there are plenty of ways to poke fun out of someone without resorting to dirty tricks. For instance, give a exploit a good use.
• January 26, 2007
• 2:17

  MOAB-25-01-2007: Apple CFNetwork HTTP Response Denial of Service

   » ‎ Apple Fun

  CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer, leading to a denial of service condition.
  

  
  Further information:
  

  • Apple CFNetwork HTTP Response Denial of Service
  • Proof of concept: MOAB-25-01-2007.rb and MOAB-25-01-2007.c

  Many thanks to Craig Loomis, Greg Slepak and a previous supporter for donating to the project. The mark is at $472.93 USD now, so we are very close to the goal. Again, many thanks to everyone who has contributed, with both donations and feedback.
• January 25, 2007
• 3:27

  MOAB-24-01-2007: Apple Software Update Catalog Filename Format String Vulnerability

   » ‎ Apple Fun
  
  

  Software Update fails to properly handle the filename strings containing the swutmp extension. It's a affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

  
  Further information:
  

  • Apple Software Update Catalog Filename Format String Vulnerability
    

  
• January 24, 2007
• 3:08

  MOAB-23-01-2007: Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability

   » ‎ Apple Fun
  
  

  QuickDraw is integrated in Mac OS X since very early versions, used by Quicktime and any other application that needs to handle PICT images. A vulnerability exists in the handling of ARGB records (Alpha RGB) within PICT images, that leads to an exploitable memory corruption condition (ex. denial of service, so-called crash, which can be used to gain root privileges in combination with MOAB-22-01-2007).

  
  For further information:
  

  • Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability
  • Proof of concept: MOAB-23-01-2007.pct

  Apple has released a fix to MOAB-01-01-2007: Security Update 2007-001. They finally acknowledge the MoAB, with some PR crediting wizardry, aka 'let's mention but not explicitly say we are broken'. 22 days to fix a remote arbitrary code execution issue in one of their most extended products, distributed with working exploits for both Microsoft Windows and Mac OS X versions can be considered acceptable timing. Come on, it's not that difficult to change a strcpy() call... is it?
• January 23, 2007
• 6:05

  MOAB-22-01-2007: Apple UserNotificationCenter Privilege Escalation Vulnerability

   » ‎ Apple Fun

  UserNotificationCenter retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, it> will attempt to run any InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.

  Further information:
  

  • Apple UserNotificationCenter Privilege Escalation Vulnerability
  • Exploit: MOAB-22-01-2007.rb

  Update: updated exploit (now fat binaries are used, thus exploit should work on a system without XCode and related developer tools; source code is provided to avoid the usual FUD about alleged 'root kits' and non-sense), release information, etc. KF worked hard on getting stuff up due to connectivity issues. He deserves a thumbs-up from everyone.