Apple has issued Security Update 2010-005, an 84 MB update that fixes a baker’s dozen flaws in Mac OS X 10.5 and 10.6, both client and server versions. One of the vulnerabilities that is corrected is described as follows:
A stack buffer overflow exists in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.
This flaw is similar to the “jailbreak vulnerability” that Apple fixed on its iOS. (We discussed the iOS update two weeks ago.)
Other fixes in this update cover networking, CoreGraphics, and update PHP to version 5.3.2.
Full information about the update is available here. You can get the update, as usual, through Software Update, or by download from Apple’s Downloads page.
With iPhones becoming more popular, one important aspect of whether companies adopt the device is how they can manage and secure such phones. A Macworld article examines the possibilities for doing such things in an enterprise environment, and discusses the new security features added to iOS 4. It covers native security features, but also looks at third-party management servers that can be used with the iPhone. This is a long, fairly complex article, but those who are faced with the challenge of integrating the iPhone into a broader corporate security policy will find that it offers many answers, as well as suggestions for how to go further and solve this problem.
Apple has released updates for its iOS devices to fix the recently discovered vulnerability that allows remote jailbreak without user intervention. The gravity of this flaw was such that Apple rushed out the fixes, which resolve two issues:
Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution
Malicious code running as the user may gain system privileges
More information is available from Apple’s Security Updates page.
These updates affect the iPhone and iPod touch running iOS 4.0 or later, and the iPad, running iOS 3.2 or later. The updates are only available through iTunes, when the devices are connected to a computer.
A web-based method for jailbreaking an iPhone has been made public, highlighting a critical vulnerability in Apple’s iOS. This vulnerability affects iOS versions 3.1.2 to 4.0.1, and all models of iPhone, iPod touch and iPad.
Visiting a web site set up to perform this jailbreak operation will lead to the download of a PDF file, which contains code that exploits this vulnerability. While this can be used to jailbreak a phone, it could also be used to compromise iOS devices. With a slight modification, this process could occur without any user notification or intervention.
The corrupted PDF file (there is one file per iOS version and hardware model; there are a total of 19 different files) is embedded into a web page in an IFRAME so Safari will display it automatically without any user interaction. The PDF file contains an embedded Type1c font that is corrupted and that contains exploit code necessary to download the jailbreak code. (This can also contain other malicious code.) This code is then executed in the kernel space through an IOSurface (IOKit) memory allocation bug, obtaining root privileges and bypassing code signing protection and sandboxing.

The executed shellcode downloads a 3.9 MB file from the jailbreak site and executes it with root privileges. The URL from where the file is downloaded is hard-coded in the corrupted font; this makes it trivial for any malicious person to change the URL so the same type of PDF could download and execute other types of payload.
Note that this PDF, with a slight modification, can also be sent by e-mail; the jailbreak process would begin when the user displays the PDF file. Malicious users could therefore create PDFs that are sent by e-mail, and that could cause damage to iOS devices when they are viewed.
Those who set up this jailbreak system are putting a large number of devices at risk. Previous jailbreak methods required the user to launch an application on their computer, while the device is connected. But this system, which requires little user intervention, opens up serious risks to iOS devices. The person who discovered this vulnerability should have kept it quiet and contacted Apple, rather than make it public enough that now others can exploit it.
Intego has updated VirusBarrier X6’s threat filters, as of August 3, 2010, to detect files infected with this exploit under the name exploit:iPhone/Font, to ensure that Mac users who may receive such infected PDFs don’t pass them on to others.
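The delivery path described above (a PDF loaded through an IFRAME, carrying an embedded Type1C font) can be triaged on a mail or web gateway with a simple keyword scan. The following is an added illustration, not Intego's detection logic and not code from the original post; the function names and the sample inputs are constructed for the example, and a match only means the file carries an embedded Type1C font, not that the font is malicious.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Keyword triage over raw bytes. It only sees uncompressed object
# dictionaries, so a file with compressed object streams is reported as
# "unknown", never as clean. Hex-escaped names (#xx) are not decoded.
FONTFILE3 = re.compile(rb"/FontFile3\b")
TYPE1C = re.compile(rb"/Subtype\s*/Type1C\b")
OBJSTM = re.compile(rb"/Type\s*/ObjStm\b")

def pdf_font_triage(data: bytes) -> str:
    """Classify a PDF by whether it declares an embedded Type1C font program."""
    if not data.lstrip().startswith(b"%PDF-"):
        return "not-pdf"
    if FONTFILE3.search(data) and TYPE1C.search(data):
        return "embedded-type1c"
    if OBJSTM.search(data):
        return "unknown-compressed-objects"
    return "no-type1c-seen"

class _IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.pdf_srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "iframe" and urlsplit(src).path.lower().endswith(".pdf"):
            self.pdf_srcs.append(src)

def iframe_pdf_sources(html: str) -> list:
    """Return the src of every IFRAME that loads a PDF without a click."""
    finder = _IframeFinder()
    finder.feed(html)
    return finder.pdf_srcs

# Constructed, benign samples (no font program, no exploit content).
SAMPLE_HTML = '<p>hi</p><IFRAME src="/docs/sample.pdf?v=1"></IFRAME><iframe src="a.html"></iframe>'
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /FontDescriptor /FontFile3 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Subtype /Type1C /Length 0 >>\nstream\n\nendstream\nendobj\n%%EOF\n")
PLAIN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    print(iframe_pdf_sources(SAMPLE_HTML))
    for name, blob in (("sample", SAMPLE_PDF), ("plain", PLAIN_PDF)):
        print(name, pdf_font_triage(blob))
```

Files that come back as "unknown-compressed-objects" need a real PDF parser before they can be cleared, since their font dictionaries are not visible to a byte scan.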
Apple has updated versions 4 and 5 of its Safari web browser to fix a total of 15 flaws, including one that could allow “Safari’s AutoFill feature [to] disclose information to websites without user interaction,” and one where “Accessing a maliciously crafted RSS feed may cause files from the user’s system to be sent to a remote server.” The new versions are 4.1.1 and 5.0.1.
This update also includes a number of other fixes, and turns on Safari’s new extensions feature. The new versions are available via Software Update, or from Apple’s Safari Download page.
Apple has released a security update to iTunes, which is now version 9.2.1. While the security content of this update is described as being Windows-only (“A buffer overflow exists in the handling of ‘itpc:’ URLs. Accessing a maliciously crafted ‘itpc:’ URL may lead to an unexpected application termination or arbitrary code execution”), the Mac version has been updated as well, with a number of bug fixes.
Mac users can install the update using Software Update, or by visiting the iTunes download page.



