Posted by Trancer on Jun 12 2007
Less than 24 hours after Apple released a Windows version of the Safari web browser (v3 Beta), security researchers have already disclosed some high-risk vulnerabilities.
These are the findings so far:
- Apple Safari for Windows Unspecified Denial of Service Vulnerability by Aviv Raff (Bugtraq ID: 24431).
- Apple Safari for Windows Memory Corruption Vulnerability by David Maynor (Bugtraq ID: 24433).
- Apple Safari for Windows URL Protocol Handler Command Injection by Thor Larholm (Bugtraq ID: 24434).
- Apple Safari for Windows Unspecified SVG Parse Engine Multiple Unspecified Vulnerabilities by Tom Ferris (Bugtraq ID: 24446).
- Apple Safari for Windows Window.setTimeout Content Spoofing Vulnerability by Robert Swiecki (Bugtraq ID: 24457 – PoC).
- Apple Safari for Windows “ROWSPAN” Denial of Service (Null Pointer) Vulnerability by Yannick von Arx (Bugtraq ID: 17674 – PoC).
- Apple Safari Password Manager Cross-Site Information Disclosure Weakness (Reverse Cross-Site Request) by David Teare (Bugtraq ID: 21329 – PoC).
- Apple Safari for Windows Content and URL Bar Spoofing Vulnerability by Robert Swiecki (Bugtraq ID: 24484 – PoC).
- Apple Safari for Windows Corefoundation.DLL Denial of Service Vulnerability by Lostmon (Bugtraq ID: 24497 – PoC).
- Apple Safari for Windows Document.Location Denial of Service Vulnerability by azizov@itdefence.ru (Bugtraq ID: 24499 – PoC).
- Apple Webkit Invalid Type Conversion Remote Code Execution Vulnerability by Rhys Kidd (Bugtraq ID: 24597).
- Apple WebCore XMLHTTPRequest Cross-Site Scripting Vulnerability by Richard Moore of Westpoint Ltd (Bugtraq ID: 24598).
- Apple Safari Cross-Domain Race Condition Information Disclosure Vulnerability by Lawrence Lai, Stan Switzer, Ed Rowe of Adobe Systems (Bugtraq ID: 24599).
Cool ain’t it? Here’s my 2 cents –
Apple Safari for Windows feed:// URI Denial of Service Vulnerability.

Also on:
BID 24460
OSVDB 38864
Stay tuned for more updates.
UPDATE:
SecurityFocus – Flaw hunters go off on Safari
UPDATE 2:
14/06/2007 – Apple has released a new version of Safari for Windows – v3.0.1 Beta, check the security announcement.
There are additional vulnerabilities that have been disclosed and reported to Apple and haven’t been fixed.
Fixed vulnerabilities:
- Bugtraq ID: 17674
- Bugtraq ID: 24431
- Bugtraq ID: 24433
- Bugtraq ID: 24434
- Bugtraq ID: 24446
- Bugtraq ID: 24457
Unfixed vulnerabilities:
- Bugtraq ID: 21329
- Bugtraq ID: 24460
- Bugtraq ID: 24484
- Bugtraq ID: 24497
- Bugtraq ID: 24499
It’s great that they respond quickly, but what’s the point in releasing a security patch without fixing all vulnerabilities?
UPDATE 3:
22/06/2007 – Apple has released a new version of Safari for Windows – v3.0.2 Beta – security announcement.
Fixed vulnerabilities:
- Bugtraq ID: 24460
- Bugtraq ID: 24484
- Bugtraq ID: 24497
- Bugtraq ID: 24499
- Bugtraq ID: 24597
- Bugtraq ID: 24598
- Bugtraq ID: 24599
Unfixed vulnerabilities:
Apple fixed the feed:// URI DoS (NULL pointer dereference) vulnerability, found by us. Mentioned in the release notes.
Note that Safari 3.0.2 is still vulnerable to the Reverse Cross-Site Request flaw, found by David Teare.
Categories: Vulnerabilities





Posted by Trancer on Jun 05 2007
It’s been a long time since our last post.. what can we do? jsz and I have been really busy this month and I hope we can make time to post here. I promise we’ll post a lot of interesting stuff soon.
Every month we’ll post the latest month’s security news highlights. So, here we go:
Phrack Magazine #64
“As long as there is technology, there will be hackers. As long as there
are hackers, there will be PHRACK magazine. We look forward to the next
20 years”
That’s how the Phrack #63 Introduction ended. Phrack magazine is revived with a new staff calling themselves “The Circle of Lost Hackers”. Phrack is (was?) the best online hacking magazine in the world and a lot of people say that it can never be revived. The new issue, although it doesn’t have the regular amount of technical articles in it, seems like a good start. But whether Phrack will continue to be the best, true underground hacking magazine or not, only time will tell…
Uninformed vol.7
Three great articles in the latest vol of Uninformed:
Reducing the Effective Entropy of GS Cookies, and Memalyze – Dynamic Analysis of Memory Access Behavior in Software by skape.
The last article, by |)roid, is about Mnemonic Password Formulas, which discusses easy and advanced ways of creating mnemonic passwords and their weaknesses.
If you’ve never heard of mnemonic passwords, I strongly suggest you read the following research – Human selection of mnemonic phrase-based passwords (pdf).
The Month of ActiveX Bugs
May was announced to be the Month of ActiveX Bugs (MoAxB). You won’t find a lot of interesting vulnerabilities there.. most of them were found in 3rd-party applications.
Last year H D Moore presented some fuzzing techniques that disclosed more than 100 bugs in Windows XP default ActiveX controls. Of course not all of the bugs are exploitable but the point is that finding ActiveX bugs is not that big of a deal.
H D Moore also started the Month of [something] Bugs with the Month of Browser Bugs (MoBB) back in June 2006. Followed by the Month of Kernel Bugs (MoKB) in November and the Month of Apple Bugs (MoAB) in January this year, both by LMH.
Later on, in March, Stefan Esser, who retired from the PHP Security Response Team because of slow response time to security holes (one of many reasons. Read more at Stefan’s blog), announced the Month of PHP Bugs (MoPB), in which he disclosed a lot of serious security issues in PHP core along with some bonus bugs in Mod Security and the Zend Platform.
In April, two weird dudes – Mondo Armando and Müstaschio – announced the Month of Myspace Bugs, Yuss! (MoMBY) which mostly included XSS vulnerabilities, various HTML injection bugs and more, nothing fancy.
This month is the Month of Search Engine Bugs (MOSEB) which we’ll sum up at the end of the month.
Google Security Blog
Google launches a new, homemade security blog. Nothing much to see there for now except a paper regarding the dangers of virtualization. Very interesting subject, not so interesting paper (read with 90% caffeine in blood).
BSD Rootkits
Joseph Kong published his first book Designing BSD Rootkits. I ordered a copy and I can’t wait to read it.
I think it’s about time someone published this kind of book; this subject suffers from a serious lack of resources on the web.
Some of you might know Joseph from his article in Phrack #63, Games With Kernel Memory – FreeBSD Style.
Anyway, I’ll review the book when I finish reading it.
That’s it for now, have a great month!
Categories: Security News




