Archive for the ‘Security’ Category

Safari 3.2 Released

Thursday, November 13th, 2008

Apple has released Safari 3.2, which adds several security fixes. It also fixes several bugs, including Twitter’s inability to remain logged in. Safari 3.2 is now available via Software Update and is recommended for all users. More information is available here.

Malicious fake WordPress site

Saturday, November 8th, 2008

Lorelle warns about a malicious fake WordPress site that looks like the real one, but isn’t. There is no WordPress 2.6.4; the latest version is 2.6.3. If you “upgraded” to “2.6.4”, you have installed a trojaned copy (more details here and here). In that case, delete your wp-admin and wp-includes folders and replace them with fresh copies downloaded from wordpress.org. More detailed instructions for cleaning up are available here.
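If you aren’t sure whether an install was touched, don’t trust the version number it reports; compare the tree against a pristine copy of the same release downloaded from wordpress.org. The shell function below is an added example, not code from Lorelle’s post or from WordPress itself. It uses only POSIX find and cksum, so it runs the same on Mac OS X and on a Linux web host, and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# tree_audit PRISTINE INSTALLED
# Compare an installed WordPress tree against a clean copy of the same release.
# Prints one line per difference:
#   MODIFIED path  - file exists in both but contents differ
#   MISSING  path  - file in the clean copy is absent from the install
#   EXTRA    path  - file in the install that the clean copy never shipped
# Uses only POSIX tools (find, cksum), so it works on Mac OS X and Linux.
tree_audit() {
    pristine=$1
    installed=$2

    # Walk the clean copy: anything that differs or is gone is suspicious.
    (cd "$pristine" && find . -type f) | sort | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$installed/$rel" ]; then
            printf 'MISSING  %s\n' "$rel"
        elif [ "$(cksum < "$pristine/$rel")" != "$(cksum < "$installed/$rel")" ]; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done

    # Walk the install: a trojaned release typically adds files of its own.
    (cd "$installed" && find . -type f) | sort | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$pristine/$rel" ]; then
            printf 'EXTRA    %s\n' "$rel"
        fi
    done
}

# Example invocation (paths are assumptions): audit only the two directories
# the post tells you to replace, so themes, plugins and uploads don't add noise.
#   tree_audit ~/clean/wordpress/wp-includes /var/www/blog/wp-includes
#   tree_audit ~/clean/wordpress/wp-admin    /var/www/blog/wp-admin
if [ $# -eq 2 ]; then
    tree_audit "$1" "$2"
fi
```

Anything reported as MODIFIED or EXTRA under wp-admin or wp-includes is exactly what replacing those two folders removes; the audit also tells you whether the damage stopped there.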

Apple releases Security Update 2008-005

Thursday, July 31st, 2008

Apple has released a new security update which fixes several critical vulnerabilities, including the widely publicized DNS flaw. Security Update 2008-005 is now available via Software Update and is recommended for all users.

The complete list of fixes includes:

[B]Open Scripting Architecture[/B]

CVE-ID: CVE-2008-2830

[B]Impact[/B]: A local user may execute commands with elevated privileges

[B]Description[/B]: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. Sending scripting addition commands to a privileged application may allow the execution of arbitrary code with those privileges. This update addresses the issue by not loading scripting addition plugins into applications running with system privileges. The recently reported ARDAgent and SecurityAgent issues are addressed by this update. Credit to Charles Srstka for reporting this issue.

[B]BIND[/B]

CVE-ID: CVE-2008-1447

[B]Impact[/B]: BIND is susceptible to DNS cache poisoning and may return forged information

[B]Description[/B]: The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue.

[B]CarbonCore[/B]

CVE-ID: CVE-2008-2320

[B]Impact[/B]: Processing long filenames may lead to an unexpected application termination or arbitrary code execution

[B]Description[/B]: A stack buffer overflow exists in the handling of long filenames. Processing long filenames may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Thomas Raffetseder of the International Secure Systems Lab and Sergio ’shadown’ Alvarez of n.runs AG for reporting this issue.

[B]CoreGraphics[/B]

CVE-ID: CVE-2008-2321

[B]Impact[/B]: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

[B]Description[/B]: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Michal Zalewski of Google for reporting this issue.

[B]CoreGraphics[/B]

CVE-ID: CVE-2008-2322

[B]Impact[/B]: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

[B]Description[/B]: An integer overflow in the handling of PDF files may result in a heap buffer overflow. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of PDF files. Credit to Pariente Kobi working with the iDefense VCP for reporting this issue.

[B]Data Detectors Engine[/B]

CVE-ID: CVE-2008-2323

[B]Impact[/B]: Viewing maliciously crafted messages with Data Detectors may lead to an unexpected application termination

[B]Description[/B]: Data Detectors are used to extract reference information from textual content or archives. A resource consumption issue exists in Data Detectors’ handling of textual content. Viewing maliciously crafted content in an application that uses Data Detectors may lead to a denial of service, but not arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.5.

[B]Disk Utility[/B]

CVE-ID: CVE-2008-2324

[B]Impact[/B]: A local user may obtain system privileges

[B]Description[/B]: The “Repair Permissions” tool in Disk Utility makes /usr/bin/emacs setuid. After the Repair Permissions tool has been run, a local user may use emacs to run commands with system privileges. This update addresses the issue by correcting the permissions applied to emacs in the Repair Permissions tool. This issue does not affect systems running Mac OS X v10.5 and later. Credit to Anton Rang and Brian Timares for reporting this issue.

[B]OpenLDAP[/B]

CVE-ID: CVE-2008-2952

[B]Impact[/B]: A remote attacker may be able to cause an unexpected application termination

[B]Description[/B]: An issue exists in OpenLDAP’s ASN.1 BER decoding. Processing a maliciously crafted LDAP message may trigger an assertion and lead to an unexpected application termination of the OpenLDAP daemon, slapd. This update addresses the issue by performing additional validation of LDAP messages.

[B]OpenSSL[/B]

CVE-ID: CVE-2007-5135

[B]Impact[/B]: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution

[B]Description[/B]: A range checking issue exists in the SSL_get_shared_ciphers() utility function within OpenSSL. In an application using this function, processing maliciously crafted packets may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

[B]PHP[/B]

CVE-ID: CVE-2008-2051, CVE-2008-2050, CVE-2007-4850, CVE-2008-0599, CVE-2008-0674

[B]Impact[/B]: Multiple vulnerabilities in PHP 5.2.5

[B]Description[/B]: PHP is updated to version 5.2.6 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/. PHP version 5.2.x is only provided with Mac OS X v10.5 systems.

[B]QuickLook[/B]

CVE-ID: CVE-2008-2325

[B]Impact[/B]: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution

[B]Description[/B]: Multiple memory corruption issues exist in QuickLook’s handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5.

[B]rsync[/B]

CVE-ID: CVE-2007-6199, CVE-2007-6200

[B]Impact[/B]: Files outside the module root may be accessed or overwritten remotely

[B]Description[/B]: Path validation issues exist in rsync’s handling of symbolic links when running in daemon mode. Placing symbolic links in an rsync module may allow files outside of the module root to be accessed or overwritten. This update addresses the issue through improved handling of symbolic links. Further information on the patches applied is available via the rsync web site at http://rsync.samba.org/

Fix for Apple Remote Desktop security hole

Friday, June 20th, 2008

As you’ve probably heard, a vulnerability in Apple Remote Desktop allows anyone logged in as a regular, non-admin user to execute commands as root. The problem is that ARDAgent is owned by root and has its [B]setuid[/B] bit set, which means it runs as root no matter who launches it. Since it’s scriptable, any command sent to it via AppleScript (including from the command line with [B]osascript[/B]) also runs as root. To demonstrate this, try the following:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

It will print root rather than your own user name!

A temporary fix is to clear the [B]setuid[/B] bit on ARDAgent, which will cause it to run as the logged-in user rather than root:

sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

If you try the osascript command again, whoami now reports your own user name. Keep in mind that this is a workaround: an ARDAgent that no longer runs as root may not be able to do its remote-management job, and the real fix is Apple’s Security Update 2008-005 (listed above), which stops scripting additions from being loaded into privileged applications at all. There may also be other setuid-root applications lurking around with the same problem.
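The way to find those other applications, and to catch things like the setuid emacs that Disk Utility’s Repair Permissions left behind (fixed in Security Update 2008-005, above), is to inventory every setuid executable on the system. The script below is an added example, not part of this post or of anything Apple ships; the default search roots are assumptions, so adjust them for your system.

```shell
#!/bin/sh
# Inventory setuid executables, the class of problem behind the ARDAgent hole
# and the emacs permissions bug. Added example, not part of the original post;
# the default search roots at the bottom are assumptions.

# is_setuid FILE: succeed if FILE is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# find_setuid DIR...: list regular files under DIR(s) carrying the setuid bit.
# Errors (unreadable directories, missing roots) are silenced so the list
# stays clean; run under sudo for full coverage.
find_setuid() {
    find "$@" -type f -perm -4000 2>/dev/null | sort
}

# find_setuid_root DIR...: the subset owned by root, i.e. the files that
# actually hand out root to whoever can drive them (ARDAgent, emacs).
find_setuid_root() {
    find "$@" -type f -perm -4000 -user root 2>/dev/null | sort
}

# report DIR...: one line per setuid-root file with its mode and owner, so an
# unexpected entry (a scriptable agent, an editor) stands out in the listing.
report() {
    find_setuid_root "$@" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Stand-alone run: use the roots given on the command line, otherwise an
# assumed default set (on Mac OS X, ARDAgent lives under
# /System/Library/CoreServices/RemoteManagement).
if [ $# -gt 0 ]; then
    report "$@"
else
    report /usr/bin /usr/sbin /System/Library/CoreServices
fi
```

Run it once, keep the output, and diff against it after each update or Repair Permissions run: a binary that gains the setuid bit is what you are looking for, and clearing the bit with chmod 755 as above makes it disappear from the list again.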

ALERT: OSX.Trojan.PokerStealer Trojan Horse Attempts to Take Control of Macs

Friday, June 20th, 2008

[B]Exploit[/B]: OSX.Trojan.PokerStealer
[B]Discovered[/B]: June 20, 2008
[B]Risk[/B]: Low

[B]Description[/B]: A Trojan horse has been found in the wild masquerading as a program for Mac OS X called “PokerGame”. The Trojan in question is a shell script encapsulated in an application, and is distributed in a 65 KB Zip archive; unzipped, it is 180 KB.

The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. Once ssh access has been obtained, a malicious user can attempt to take control of the Mac, delete files, damage the operating system, or much more.

Check Point adds Full Disk Encryption for the Mac Platform

Wednesday, May 28th, 2008

Check Point Software Technologies Ltd. today announced the release of Check Point Full Disk Encryption for Mac OS X, the industry’s first full-disk encryption solution with pre-boot authentication to support the Mac OS. Check Point Full Disk Encryption now supports all major laptop and desktop operating systems, including Mac OS X version 10.4.5 Tiger through Mac OS X version 10.5 Leopard.

Check Point encryption products support more end-user platforms than any other solutions in the industry, from Windows, Linux and Mac OS based laptops to Symbian, Windows Mobile, Palm and PocketPC based smartphones and PDAs. Today, regardless of the operating systems, customers receive encryption technology from Check Point that is recognized as a data security leader in the latest Gartner Mobile Data Protection Magic Quadrant.

“Enterprises and organizations have to secure 100 percent of their laptops and desktops to be fully protected,” said Bob Egner vice president of product management at Check Point. “Check Point recognizes that Mac OS has an important and growing place in the enterprise and is proud to offer enterprise customers endpoint solutions that cover all platforms and work in mixed environments.”

“We’re delighted that Mac users in industries like government and healthcare who value high-quality encryption technologies have a strong solution that supports Leopard, the world’s most advanced operating system,” said Ron Okamoto, Apple’s vice president of Worldwide Developer Relations. “Leopard is Apple’s most secure OS release ever, and Check Point’s encryption solution nicely complements features already present in Mac OS X.”

Check Point Full Disk Encryption is quick and easy to deploy, scales to any size organization and is proven in every type of industry and government agency around the world. Customers benefit from easy to use features and centralized management across diverse operating systems, significantly simplifying the implementation and use of full-disk encryption in mixed environments.

“Rarely will large-scale businesses and organizations have just one endpoint operating system,” said Steve Snider, president at Cadre Computer Resources Co. “Security solutions, like Check Point Full Disk Encryption, that support multiple platforms not only are easier to deploy and manage, but improve the level of end point security throughout the organization.”

Features and benefits of Check Point Full Disk Encryption include:
[list]
[*] Industry-leading full-disk encryption protects lost or stolen data
[*] Pre-boot authentication requires username and password before the operating system loads, increasing security
[*] Automatic and transparent operation has minimal effect on end users’ productivity
[*] Centralized management simplifies setup and administration, providing lowest total cost of ownership
[*] Multi-certified cryptography engine addresses adherence to state and federal privacy laws
[*] Scalable deployment meets the needs of any size enterprise, business or government agency
[/list]
“Whether a mixed environment consisting of Windows, Linux and Mac based computers or a network comprised of a single OS, Check Point Full Disk Encryption provides total security to customers with the industry’s leading encryption technology,” concluded Egner. More information on Check Point data security solutions can be found at their website.

[B]Pricing and Availability:[/B]
Check Point Full Disk Encryption for the Mac is available immediately and can be purchased through the Check Point worldwide network of value-added resellers. For Check Point Full Disk Encryption pricing, visit [URL]https://pricelist.checkpoint.com[/URL]. To find a Check Point partner, visit their website.

Check Point’s pure focus is on information security. Through its NGX platform, Check Point delivers a unified security architecture to protect business communications and resources, including corporate networks and applications, remote employees, branch offices and partner extranets. The company also offers market-leading endpoint and data security solutions with Check Point Endpoint Security products, protecting and encrypting sensitive corporate information stored on PCs and other mobile computing devices.

Check Point’s award-winning ZoneAlarm solutions protect millions of consumer PCs from hackers, spyware and identity theft. Check Point solutions are sold, integrated and serviced by a network of Check Point partners around the world and its customers include 100 percent of Fortune 100 companies and tens of thousands of businesses and organizations of all sizes.

[B]Links:[/B]
[list]
[*] Check Point
[*] Full Disk Encryption
[*] Purchase Link
[*] Check Point Partners
[/list]

Check Point Software Technologies Ltd. is the leader in securing the Internet. Check Point offers total security solutions featuring a unified gateway, single endpoint agent and single management architecture, customized to fit customers’ dynamic business needs. This combination is unique and is a result of our leadership and innovation in the enterprise firewall, personal firewall/endpoint, data security and VPN markets.

Absolute Software and Intel collaborate on anti-theft technology for notebook computers

Thursday, April 3rd, 2008

Vancouver, Canada: April 2, 2008 – Absolute® Software Corporation (“Absolute”), (TSX: ABT), the leading provider of firmware-based, patented, Computer Theft Recovery, Data Protection and Secure Asset Tracking™ solutions today announced that its industry standard Computrace® IT asset management, data protection and theft recovery services will be integrated in support of Intel® Anti-Theft Technology later this year. Computrace will be available for select Intel® Centrino® processor technology based notebooks.

“For more than a decade, Absolute Software has single-handedly created and developed the market for BIOS-persistent, Internet-based tracking of mobile computers. Computrace is also capable of remotely deleting data and physically recovering lost or stolen computers – assisting customers in complying with data privacy regulations,” said John Livingston, Chairman and CEO of Absolute Software. “As the undisputed leader in this market, we look forward to bringing our industry expertise, 2.5 million subscriber base and scalable technology to our new relationship with Intel as we further evangelize this under-penetrated market together.”

Absolute Software and Intel Corporation will collaborate to deliver Absolute’s suite of IT asset management, data protection and computer theft recovery services on Intel® Anti-Theft Technology. As part of this collaboration, Absolute’s services will enhance the anti-theft layer that will be available for Intel’s upcoming Centrino processor technology based notebooks.
The new relationship was announced during a keynote address by David (Dadi) Perlmutter, Executive Vice President and General Manager of Intel’s Mobility Group during the company’s Intel Developer Forum (IDF) in Shanghai, China. Attending from Absolute Software was the company’s Vice President of Business Development, Ben Haidri.

“Mobility is accelerating and customers want to prevent theft, protect their data and have the ability to take action in the event of a computer theft or loss,” Mooly Eden, Vice President, Intel Mobile Platform Group, said. “Our new Intel® Anti-Theft Technology along with Absolute Software will help deliver the anti-theft capabilities to protect our customers’ valuable data and assets.”

Spot-On Security Tips for Mac OS X Leopard

Monday, December 17th, 2007

Mac OS X is generally unappealing to malicious hackers. But since its popularity is bound to attract notice from the bad guys, the new version of Apple’s operating system sports several security features that users and IT departments should know about.
http://www.cio.com/article/165401

Mireth Technology adds new browsers and Mac OS X Leopard support to NetShred X – Version 4.1 released

Wednesday, November 28th, 2007

Mireth Technology Corp. has released version 4.1 of NetShred X, its easy to use internet track eraser that erases internet tracks, such as cache, history and email. NetShred X runs on Mac OS X. Version 4.1 adds support for Mac OS X 10.5 (Leopard), support for Safari 3 and support for most other browsers using the custom browser feature.

“NetShred supports all the major browsers and email programs available on the Mac,” said Donna Johnson, President. “But with the custom browser feature, the user can configure NetShred to erase tracks for almost any browser or email program on OS X.”

NetShred X is easy to use internet track eraser software for Mac OS X that erases files web browsers and email programs leave behind. And like all Mireth Technology products, it was designed to be easy to use. Because internet privacy software can’t be effective if it’s not used, NetShred X was designed to run automatically, without user intervention. And since erasing temporary internet files can take some time, NetShred X was designed to run in the background, so using the software doesn’t interfere with the user’s web browsing. Most importantly, NetShred X is an effective method of permanently deleting internet tracks. This is a cleaner solution than just deleting the files, because it ensures that the data can’t be recovered. This version adds the following features:

• Support for Mac OS X 10.5 Leopard
• Support for Safari 3
• Added custom browser feature to add support for almost any browser or email program

Pricing and Availability

NetShred X is available for immediate download, or on CD-ROM, starting at $24.95. Registered users can take advantage of special upgrade pricing. Educational pricing and volume discounts are available. NetShred X runs on Mac OS X. NetShred is also available for Mac OS and Mac OS 9. For more information, visit www.mireth.com/pub/nxme.html

About Mireth Technology Corp.

Founded in 1991, Mireth Technology Corp. (www.mireth.com) produces easy-to-use and cost effective Macintosh software, including ShredIt, NetShred, iVCD, Music Man, and MacVCD, the best selling Macintosh VCD playing software in the world. Mireth is well-known in the industry for providing robust, well-tested products and outstanding customer support. A Vancouver based corporation, Mireth Technology produces “The right software for the job.”(TM)

OSX.RSPlug.A Trojan Horse Changes Local DNS Settings to Redirect to Malicious DNS Servers

Wednesday, October 31st, 2007

[B]Exploit[/B]: OSX.RSPlug.A Trojan Horse
[B]Discovered[/B]: October 30, 2007
[B]Risk[/B]: Critical

[B]Description[/B]: A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from purported porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:

Quicktime Player is unable to play movie file. Please click here to download new version of codec.

After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe” Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.

This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.

Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command.)

The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.

This Trojan horse also provides different versions of itself, perhaps according to the country in which the user is located to provide country-specific spoofing. Repeated downloads of the disk image show that there are several different versions.
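Two quick checks for the symptoms above, as an added example that is not part of Intego’s alert: the first reads scutil --dns output and prints any nameserver not on an allowlist you supply, which exposes the servers that Mac OS X 10.4 never shows in the GUI and 10.5 shows only dimmed; the second reads a crontab listing and prints the entries scheduled every minute. The scutil line format in the comment is assumed from the tool’s output, the allowlist addresses are placeholders, and the script path in the cron comment is constructed.

```shell
#!/bin/sh
# Two checks for the RSPlug symptoms: DNS servers the administrator never
# configured, and a root cron job firing every minute. Added example, not part
# of Intego's alert; sample addresses and paths below are placeholders.

# unexpected_nameservers ALLOWED...: read `scutil --dns` output on stdin and
# print every nameserver that is not in the allowlist. scutil prints lines
# such as "  nameserver[0] : 192.168.1.1" (assumed format); the address is
# the last field, and duplicates across resolvers are collapsed.
unexpected_nameservers() {
    awk '/nameserver\[[0-9]+\][ \t]*:/ { print $NF }' | sort -u |
    while IFS= read -r ns; do
        ok=0
        for allowed in "$@"; do
            if [ "$ns" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            printf 'UNEXPECTED nameserver %s\n' "$ns"
        fi
    done
}

# every_minute_jobs: read a crontab on stdin and print the non-comment entries
# scheduled as "* * * * *", the cadence the trojan uses to re-assert its
# DNS server after a network location change.
every_minute_jobs() {
    awk '$0 !~ /^[ \t]*#/ && NF >= 6 &&
         $1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" { print }'
}

# Stand-alone run on a live Mac (scutil and a root crontab exist only there):
#   scutil --dns | unexpected_nameservers 192.168.1.1 192.168.1.2
#   sudo crontab -l -u root | every_minute_jobs
if [ $# -gt 0 ] && command -v scutil >/dev/null 2>&1; then
    scutil --dns | unexpected_nameservers "$@"
    sudo crontab -l -u root 2>/dev/null | every_minute_jobs
fi
```

A nameserver you don’t recognise together with a root cron entry that runs every minute is the pattern described above; removing the cron job first, then the DNS entry, keeps the job from putting the server back while you clean up.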
