MacSecure.com » Vulnerabilities

Apple Security Update 2007-009

john — Tue, 18 Dec 2007 16:32:10 +0000

Fixing some of the known issues with cups, tar, Safari, samba, etc. Lots of updates in this one.

Apple has more info with CVE’s listed here. SANS also has a blurb about it here. I’ll install tonight and take some notes. Also, coming soon — more tool discussions.

Leopard Crash “Risk”

john — Tue, 11 Dec 2007 18:06:33 +0000

I’d say it’s less ‘risk’ and more ‘real’ at this point — but I’m traveling and I haven’t had much time to look into it yet. Heise has more info available here.

Firewall Rules for Quicktime RTSP Vulnerability

john — Thu, 06 Dec 2007 05:20:15 +0000

See here. Just a quick note: if you read the Symantec advisory regarding the Quicktime RTSP Header Vunerability, they mention blocking certain traffic if you’re worried about the exploit — which appears to be Windows specific at this point. In the interest of being safe though, here is a set of ipfw rules for blocking access as suggested:

01000   0     0 deny tcp from me to not me dst-port 554 out
01100   0     0 deny tcp from me to 85.255.117.212 out
01200   0     0 deny tcp from me to 85.255.117.213 out
01300   0     0 deny tcp from me to 216.255.183.59 out
01400   0     0 deny tcp from me to 69.50.190.135 out
01500   0     0 deny tcp from me to 58.65.238.116 out
01600   0     0 deny tcp from me to 208.113.154.34 out

You can put these in on a command line (via Terminal or iTerm) using ‘ipfw’ or using WaterRoof.

Quicktime Vulnerability – RTSP Headers

john — Tue, 04 Dec 2007 15:16:22 +0000

Symantec is reporting details of a vulnerability in Quicktime 7.2 and 7.3 that is currently unpatched by Apple. Right now the exploits in the wild for this vulnerability appear to only be loading Windows executables, but the suggestion is that OS X systems could potentially be vulnerable as well. Recommended steps until there is a patch include blocking outbound TCP traffic on port 554, or even blocking certain IP blocks that the Windows exploit is known to be sending data back to. The CERT page for this vulnerability is here with tons of details. As a note for anyone running OS X in a corporate environment — SourceFire’s SEU 118 has the Snort signatures for this vulnerability.

Quicktime Vulnerabilities

john — Tue, 06 Nov 2007 15:35:51 +0000

The Tipping Point / 3com funded Zero Day Initiative posted a whole batch of Quicktime vulnerabilities yesterday:

While all of them are interesting, the 65 and 68 items stand out to me as the less important ones, as exploitation of the issue requires that a user open a specific file. The more nefarious items in 66 and 67 can be exploited by simply visiting a malicious website that has specially crafted images.

These vulnerabilities are part of what prompted the upgrade to the new Quicktime 7.3 that was released on Monday, and Apple has an updated page with notes about each vulnerability as well as a number of other CVE’s that were outstanding. As of today, Apple doesn’t have any outstanding issues on the ZDI Upcoming Advisories list.

This fall has largely been about image rendering flaws — from iPhone jailbreaks to this, it’s been almost non-stop. ‘Tis the season!