A security flaw was found in Safari, when you input a URL containing a special characters followed by “@” which indicates the actual hostname. The special characters was crafted long enough to hide the URL of the page.
Is there available security patch/fix ? None, at the moment. So, please refrain from clicking or browsing untrusted websites.
Juan Pablo Lopez Yacubian has recently discovered this vulnerability.
There was a series of reaction specifically those who understands information security, criticizing about Safari 3.1 piggybacking or stealth installation through Software Update.
Now, the interesting news is that Apple fixed this issue in Windows Apple Software Update version 2.1 [READ ZDNet]. I reckon earlier last week, the software update tool still includes Safari 3.1 in the list. However today, this is what i found out.
To manually update, click “Apple Software Update” from Windows Program menu.
Here’s the new look. Apple fixed the issue by creating two sections: (1) Updates (2) New Software. It simply shows that Safari 3.1 is no longer piggybacking in software updates since it has its own category as New Software. Good!
Perhaps, this update is a complete conformity to information security if they also changed this default behavior to “NO”.
Speaking of default behavior, the latest changes in RapidLibrary requires users to install Zango to access a free content but here’s the catch… Click “OK” to cancel and “Cancel” to continue.
Funny, this is Psychology of Security [Reference: Bruce Schneier].
The first quarter of this year has gone so fast but for Mac threats everything just started. Let’s take a review on Q1 notable threats, the overall perspective on malware categories and OS X reported vulnerabilities and fixes.
Q1 Notable Threats
Description: This is a malicious Trojan that uses social engineering technique to entice users to manually install the program. It arrives to users as a disguised video codec and associates itself with shared and downloadable videos. During installation, this Trojan modifies users’ DNS IP address to point to its own malicious servers. Infected user will suddenly experience unusual results in its entire web browsing activity.
This trojan is currently seen in-the-wild.
Description: MacSweeper is a rogue application which uses deceptive sales and marketing techniques to get onto the users’ system. It usually arrives to users as an pop-up advertisements, where it redirect users to download the file.
This is the first rogue application for Mac OS X.
Description: Imunizator is a re-branded version of MacSweeper. It is an exact copy of MacSweeper except for its new name.
Description: LogKext is a free and powerful kernel base Keylogger in Mac OS X. This keylogger has a full stealth capabilities and it is controlled by a command-line client called logKextClient. A new version was recently released in public.
- Zlob & Fake Codec History
- List of Zlob distribution domains
- Trojan DNSChanger checks whether the user is downloading in Windows or Mac.
- Network Information that leads to Russian Business Network(RBN)
January 10, when I posted “Analysis of OSX Trojan DNS Changer“.
Why I am discussing this again?
Unfortunately, it was the same story posted in ISC Diary “When is a DMG file not a DMG file“.
So, how to download DNSChanger DMG file in Windows?
To perform this task, you can either use Wget for Windows or Malzilla.
**Note: -U means user-agent
This site (jetcodec.com) is not available today. But there’s another site that is up today and I can show you how this works.
I just created a YouTube account and started to upload demo videos, hopefully this week I can upload a video for this one.
As shown in the figure above, the QuickTime program I installed checks for updates. Then, the server replied with the update information. However, it doesn’t end there, the server exploited the communication to perform an unauthorized task, which is to offer Safari 3.1 installer.
This is completely unacceptable behavior and a breach to information security.
March 18 – Apple Released Its Gigantic Update.
- Security Update 2008-002 fixes 95 security vulnerabilities found in different components of Mac OS X operating system.
- Safari 3.1 fixes 13 security vulnerabilities found in Safari for Mac (10) and Windows (3).
March 20 – “iMunizator” The 2nd Rogue In Mac
- iMunizator a rebranded version of MacSweeper.
- It was first seen in Apple Discussions web site, where someone asked this question “What is iMunizator?”
- Difference between the two:
- iMunizatorSetup.dmg file size is 1.49Mb while MacSweeper 1.52Mb.
- iMunizator company is iMunizator.com while MacSweeper is KiVVi Software.
- iMunizator executable file size is 407,036 bytes while MacSweeper 407,468 bytes.
- iMunizator resource folder does not contain TODO.txt.
- If Last time, MacSweeper is sharing NS server with Cleanator (a known rogue program in windows) this time iMunizator.com neighbor is AntiSpywaredeluxe.com [22.214.171.124] which is also a rogue program in Windows. iMunizator.com network information below:
March 27 – Mac OS X Hacked in 2 Minutes Read [CNET News]
- CanSecWest PWN2OWN 2008 contest targets Linux, Vista and OSX.
- VAIO VGN-TZ37CN running Ubuntu 7.10
- Fujitsu U810 running Vista Ultimate SP1
- MacBook Air running OSX 10.5.2
- VAIO VGN-TZ37CN running Ubuntu 7.10
- March 26 (1st Day) when the contest started. However, nobody was able to hacked any of these three operating systems in a limited resources and confined local network connection.
- March 27 (2nd Day) when the attackers were given internet connection.
- March 28 (3rd Day) when the attackers were allowed to use popular software to exploit.
- The results are as follows:
- On the 2nd day, Mac OS X was successfully hacked in 2 minutes using a zero-day exploit in Safari.
- On the 3rd day, Vista was successfully hacked after 7 hours using zero-day exploit in Adobe Flash.
- Linux stays intact and won against hackers.