iPod, iPhone and iPad users MUST immediately apply the security updates.
Visit Apple Security Updates for details.
iPhone and iPod http://support.apple.com/kb/HT4292
This will protect you from in-the-wild drive-by download hack attack!
JailBreakMe by comex (et al.) demonstrated a serious security hole that allows users to jailbreak their iOS devices simply by just visiting a website and/or tapping a link. This security hole is very dangerous, by just browsing the web users could be exposed from abusive sites that may harvest their credentials and information.
How it work?
Safari browser loads a crafted PDF that exploits the following vulnerabilities:
First, it is triggered by unrecognized font, the Compact Font Format (CFF ) Type 1C, which causes the second exploit code to execute. This vulnerability is referred as CVE-2010-1797.
Second, the value is too large for the integer data type to handle(refer example IOSurface property list below), resulting to execution of malicious code running as user to escalate to system or root privilege.
This vulnerability is referred as CVE-2010-2973.
So, an attacker entice a targeted user to open a URL. Upon opening the URL in Safari the PDF file will be automatically parsed and exploitation will occur. The file may also arrive as an email attachment.
Jeremiah Grossman has discovered a weakness in Apple Safari, which can be exploited by malicious people to disclose potentially sensitive information.
The weakness is caused due to the AutoFill feature being enabled to use information from the personal address book card by default. This can be exploited to secretly disclose personal information from the personal address book card when a user visits a specially crafted web page.
The weakness is confirmed in Safari version 5.0. Other versions may also be affected.
Impact : Exposure of sensitive information
Reference : Secunia Advisory SA40664
Disable the AutoFill feature for address book card information.
How? Show Safari preferences (press Command-comma or ⌘,) and uncheck the autofill web form.
Personal information exposed? It depends on the data, here’s my browser result.
Release Date : 2010-05-07
Criticality level : Highly critical
Impact : Remote code execution
Solution Status : Unpatched
A vulnerability has been discovered in Apple Safari, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted web page and closes opened pop-up windows.
The vulnerability is confirmed in Safari version 4.0.5 for Windows. Other versions may also be affected.
Do not visit untrusted web sites or follow links from untrusted sources.
PROVIDED AND/OR DISCOVERED BY:
Krystian Kloskowski (h07)
A vulnerability has been reported in Apple Mac OS X, which can be
exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an indexing error in Apple Type
Services within the “TType1ParsingContext::SpecialEncoding()” method
in libFontParser.dylib when parsing embedded fonts. This can be
exploited to corrupt memory e.g. via a specially crafted PDF file
opened in Preview.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in Mac OS X Server 10.5, Mac OS X 10.5,
Mac OS X 10.6, and Mac OS X Server 10.6.
Apply Security Update 2010-003.
Reference: CVE-2010-1120 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1120
Unspecified vulnerability in Safari 4 on Apple Mac OS X 10.6 allows remote attackers to execute arbitrary code via unknown vectors, as demonstrated by Charlie Miller during a Pwn2Own competition at CanSecWest 2010.
There’s a 0-day vulnerability affecting Safari 4.x users, it’s not critical, but it is important to be aware of it.
<link rel="stylesheet" type="text/css" href="www.yahoo.com">
//setTimeout is used just to wait for page loading
Listing 01 – Apple Safari Stylesheet Redirection PoC
Cesar Cerrudo has discovered this vulnerability, and discussed that Safari wasn’t able to display the LINK specified in href value, instead it reads the stylesheets to redirect to a target URL.
Malicious user may take advantage of this vulnerability to steal sensitive information.
Be cautious when surfing the net!
Avoid phish bombing, Update your Safari version to 4.0.3!
This latest version also includes multiple fixes to critical vulnerabilities, that can be exploited by malicious people or evil websites to manipulate data, disclose sensitive information, perform spoofing attacks and/or compromise your system. Further information About the security content of Safari 4.0.3
What is Phish Bomb and how does it works?
Phishing is a fraudulent attempt that falsely claims to be from a legitimate known website or organization thus tricking the target victim into voluntarily provide sensitive information such as user name, password, credit card, social security and etc…
However, phish bombs is a just like an explosive of phishing attack, which in Safari 4 allows attacker to manipulate your Top Sites (keyboard shortcut press command+shift+1) . This vulnerability was discovered by Inferno of SecureThoughts.com.
Inferno published his PoC and explains:
“The two input parameters in this attack are the number of times the fake website should be visited (n)(default=28) and timeout(t)(default=2 sec) that triggers a switch between two fake websites. It is very simple and adds two fake websites for bankofamerica.com and gmail.com to your top sites.”
Update and stay safe!
PSIRT blogged an update saying that this vulnerability is still under investigation and updates will be available by 12th May:
We are in the process of fixing the issue, and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009.
Release date: May 1, 2009
Vulnerability identifier: APSA09-02
CVE number: CVE-2009-1492, CVE-2009-1493
Platform: All Platforms
A severe critical flaw in Safari was recently discovered and NO available patch yet released as of writing. Brian Mastenbrook discovered this vulnerability last 13th January and disclosed the following information below: [Further reading]
I have discovered that Apple’s Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user’s hard drive without user intervention. This can be used to gain access to sensitive information stored on the user’s computer, such as emails, passwords, or cookies that could be used to gain access to the user’s accounts on some web sites. The vulnerability has been acknowledged by Apple.
All users of Mac OS X 10.5 Leopard who have not performed the workaround steps listed below are affected, regardless of whether they use any RSS feeds. Users of previous versions of Mac OS X are not affected.
Users of Firefox, Camino, and Opera on Mac OS X are substantially better protected against exploitation by a malicious web page than users of Safari or OmniWeb. If users of these browsers are asked to open a link in Safari, they should not allow the request and close the page which triggered the request immediately. All users of Mac OS X may still be affected by clicking on a malicious link from their email client, instant messaging program, or another application, and should perform the workaround steps given below.
Good thing, there was no technical details disclosed. For sure, nosy attackers would never let it slipped without jumping into this opportunity.
IE XML Parsing Remote Buffer OverFlow Exploit [Read Shadowserver Diary]
As many of you have seen, there is a new 0-day exploit in the wild affecting Internet Explorer 7 users. This is a new exploit that is being actively exploited and it was not patched yesterday (meaning there is no patch available, yet). Visiting a website with this exploit can result in a full compromise of an affected system. Currently most of the exploits out there will attempt to download a trojan onto the system.
Recommendation: Do NOT use IE until patch.
Microsoft Security Advisory (960906): Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
Recommendation: Do not use WordPad to open files with .doc, .wri, or .rtf extensions that you receive from untrusted sources or receive unexpectedly from trusted sources. This vulnerability could be exploited when using WordPad to open a specially crafted file. We also recommend customers using Windows XP to upgrade to Windows XP Service Pack 3, which is not affected.
Affected Systems: Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 ;Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 ; Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems ; Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2