Apple have released updated versions of OS X Lion (10.7.2), Snow Leopard (Security Update 2011-006), iOS (5), Numbers for iOS (1.5) and Pages for iOS (1.5) to resolve numerous security issues.
Together, OS X 10.7.2 and Security Update 2011-006 for OS X 10.6 fix 75 known vulnerabilities. Most could lead to arbitrary code execution, while others allow denial of service or privilege escalation. The Lion update weighs in at a whopping 880MB including the recovery download.
Vulnerabilities of note include:
- Improper storage and handling of web cookies
- FileVault 2 could leave up to 250MB of data unencrypted if the system was used before encryption was turned on
- Screen lock password bypass for Apple Cinema Display users
- FireWire DMA access allowed password recovery during boot/shutdown
- Open Directory flaws allowed reading other users' password hashes
- Open Directory flaws allowed changing password without old password
- Open Directory flaws allowed logging in without a password
Additionally, Apple notes that Disk Image (.dmg) and installer package (.pkg) files are no longer included in Safari's list of “safe” file types.
This is good news, as Safari should no longer open these file types automatically after download. This trust was abused by fake anti-virus distributors targeting OS X earlier this year.
In addition to introducing iCloud support and all kinds of other great features, iOS 5 also brought a slew of security fixes. By my count, 98 vulnerabilities are fixed in this release, including the following noteworthy fixes:
- CalDAV credentials could be intercepted due to improper certificate validation
- The AppleID password was logged to a plaintext file readable by applications
- Improper storage and handling of web cookies
- Revoked trust in DigiNotar root certificates
- iOS will no longer accept X.509 certificates using MD5 hashes (except trusted root certs)
- Support for TLS 1.2 (allowing connections that are not susceptible to BEAST attacks)
- Parental Controls password was stored in plaintext file and readable by applications
- 69 WebKit (HTML rendering/browser engine) vulnerabilities, including arbitrary code execution
- WiFi passphrases and encryption keys stored in plaintext and readable by applications
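The MD5 certificate change above is worth a closer look, because the exemption for trusted roots is exactly right and easy to get wrong. A root's own signature is never verified (it is trusted because it sits in the store), so its hash choice cannot help a forger; every other certificate in the chain is only as strong as the hash its issuer signed it with. The following is an added example, not Apple's code or part of the original post: a deliberately minimal DER walker that pulls the signatureAlgorithm OID out of an X.509 certificate and applies the policy, rejecting MD5-signed certificates anywhere in a chain except at the anchor. The certificates are synthetic DER skeletons constructed in the script as test data (the tbsCertificate body is a placeholder, since only the outer structure and the AlgorithmIdentifier matter here); a real checker would use a proper X.509 library and a fuller list of MD5 algorithm OIDs.

```python
# Added example (not Apple's code, not from the original post): detect
# MD5-signed certificates in a chain, exempting the trust anchor, using a
# minimal hand-written DER reader. Certificates below are constructed
# test data, not real certificates.

MD5_RSA_OID = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption (PKCS #1)
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
# Other MD5 aliases exist in older OID arcs; a production checker would carry them too.
MD5_SIGNATURE_OIDS = {MD5_RSA_OID: "md5WithRSAEncryption"}


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low bits give the count of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    cur = 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear ends this arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip tbsCertificate and return the OID inside signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)
    tag, alg, _ = _read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def evaluate_chain(chain_der, anchor_is_trusted=True):
    """chain_der is leaf first and ends with the root. Returns (accepted, reasons).
    With anchor_is_trusted the last certificate is exempt, mirroring the
    "except trusted root certs" carve-out: a root's signature is never checked."""
    reasons = []
    exempt = len(chain_der) - 1 if anchor_is_trusted else None
    for i, cert in enumerate(chain_der):
        oid = signature_algorithm_oid(cert)
        if oid in MD5_SIGNATURE_OIDS and i != exempt:
            reasons.append("cert %d signed with %s" % (i, MD5_SIGNATURE_OIDS[oid]))
    return (not reasons), reasons


def synthetic_cert(sig_oid):
    """Constructed test certificate: placeholder tbsCertificate plus a
    200-byte placeholder signature so the long-form length path is exercised."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x02"))           # stand-in body
    alg = der_tlv(0x30, der_oid(sig_oid) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    sig = der_tlv(0x03, b"\x00" + b"\x00" * 200)          # BIT STRING, 0 unused bits
    return der_tlv(0x30, tbs + alg + sig)


# Constructed sample chains: leaf, intermediate, root.
MD5_LEAF_CHAIN = [synthetic_cert(MD5_RSA_OID), synthetic_cert(SHA256_RSA_OID), synthetic_cert(SHA256_RSA_OID)]
MD5_ROOT_CHAIN = [synthetic_cert(SHA256_RSA_OID), synthetic_cert(SHA256_RSA_OID), synthetic_cert(MD5_RSA_OID)]

if __name__ == "__main__":
    for name, chain in (("MD5 leaf", MD5_LEAF_CHAIN), ("MD5 root", MD5_ROOT_CHAIN)):
        ok, why = evaluate_chain(chain)
        print(name, "accepted" if ok else "rejected", why)
```

Running the script rejects the chain whose leaf is MD5-signed and accepts the one whose only MD5 signature is on the trusted root; pass anchor_is_trusted=False to see the second chain rejected as well, which is what a naive "no MD5 anywhere" rule would do to every legacy root still in the store.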
Other patches released include Safari 5.1.1, fixing 43 vulnerabilities; Numbers for iOS, fixing 2; Pages for iOS, fixing 1; and Apple TV, with 8 fixes (including removal of the DigiNotar root certificates).
Update: More details about some of the Safari vulnerabilities have been published. At least a few of these are scary dangerous. If you use Safari on Windows or Mac, apply these updates immediately.
While some users are reporting issues downloading these updates, you should still apply them as soon as possible. It appears Apple is under a denial of service condition from the number of people attempting to update all at once.
Want to keep your precious Mac as pure and clean as when you opened the box? Download Sophos Anti-Virus for Mac Home Edition for free to keep it as good as new…
It’s about time the Directory Services password vulnerabilities such as the hash dump and the password change were fixed. One could change a user’s password without knowing their current one! Leave it to Apple to completely destroy a basic UNIX permissions rule; they replaced the original directory services with “opendirectoryd” and I believe this is where the fault lies, in the mechanism within there. Instead of requiring a user to authenticate via their own password it would just allow one to alter their shadowed entries without authentication.
If you run OS X 10.7.0 or 10.7.1 (pre-10.7.2, which fixed the bug; the patch this article describes), open a Terminal and try it yourself:
dscl localhost -passwd /Search/Users/`whoami`
It’ll ask for a new password; provide it one, and it’ll be changed! In OS X <= 10.6.8 (Snow Leopard and below), it would ask for a new password but would fail because of permissions and then prompt the user to enter their current password. The way it SHOULD be done.
I wrote a PoC that used dscl to grab the hash, then used dscl again to change the user's password, sudo'd to root and wrote the hash obtained beforehand back to the shadow file, thus preserving the user's password and not cluing him in whatsoever to the compromise; otherwise, one would have to reset the password to nothing (blank) lest the user be locked out of his machine. He may think it's odd that he now requires no password to log in, but he may just figure it's something Apple did to make things easier! Oh boy.
One could easily leverage this via a Java applet embedded on a web page, signed as a (fake) "Apple, Inc." to encourage the user to accept its execution request, and backdoor any Lion user.
Why is it always “Apple have released” or “Microsoft have released” or “[Name singular] have released…”, and yet it still says “Apple/Microsoft is/does/[verb]s/does something” but only “have”?! Why is it always “have” instead of “has”?! Please get your spellcheck right, Sophos!
Do you know if the iOS final version is the same as the golden master version published a week ago?
I also have serious problems with iCloud, as my MacBook moved my MobileMe to iCloud whereas my phone set up my iTunes account as the basis for a new iCloud account. Then I tried to log in with my iTunes account on my Mac. Now all my calendars are gone on my Mac and iCloud doesn’t sync with my iPhone.
Other people report that iTunes doesn’t recognize their iPhone anymore after updating to iOS 5. I think we need some more updates for iTunes, iOS and Mac OS.