Posts Tagged ‘Mac’

Friday, October 16, 2015 @ 03:10 PM gHale

Google released Chrome 46, which patches vulnerabilities and simplifies the security icon displayed for each website.

The stable channel of Chrome 46 for Windows, Mac and Linux fixes 24 security problems.

The list of high severity flaws patched by Google and discovered by outside researchers includes a cross-origin bypass in the Blink rendering engine, a use-after-free in PDFium, a use-after-free in ServiceWorker and a bad cast issue in PDFium.

The medium severity flaws found by outside researchers are an information leak in LocalStorage, an improper error handling issue in libANGLE and memory corruption vulnerabilities in FFmpeg.

The work of Google’s own security team resulted in various fixes and the patching of multiple flaws in the V8 open source JavaScript engine.

Google said Chrome 46 also changes how users are told about page security. Previously, HTTPS sites with minor errors, such as mixed content, got a small yellow “caution triangle” badge.

From now on, those sites show the same neutral icon as plain HTTP sites. Google wants to reduce the number of icons users have to learn, and to push site operators to complete their migration to properly configured HTTPS.

“We’ve come to understand that our yellow ‘caution triangle’ badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users. For developers and other interested users, it will still be possible to tell the difference by checking whether the URL begins with ‘https://’,” Chrome officials said in a blog post.

Wednesday, September 30, 2015 @ 04:09 PM gHale

BP renewed a global main automation contractor (MAC) pact with Yokogawa Electric Corporation.

Yokogawa first signed a global MAC services agreement with BP in 2007. The renewed agreement is for 10 years.

The Yokogawa products and services covered by this global agreement include the CENTUM VP integrated production control system, ProSafe-RS safety instrumented system, STARDOM network-based control system, Plant Resource Manager (PRM) plant asset management package, FAST/TOOLS SCADA software, Exaseries productivity solution software, field wireless and other types of field instruments, analyzers, project management and system integration engineering services, and operation and maintenance services.

“BP has been a Yokogawa customer for many years, and this agreement takes our relationship to a new level and underscores BP’s commitment to safe and reliable operations,” said Shuji Mori, a Yokogawa vice president and president of Yokogawa Electric International, a subsidiary that oversees Yokogawa’s IA and control business outside Japan. “This long-term partnership with BP will increase our presence in the oil and gas industry, which is one of the main sectors we are targeting under the Transformation 2017 mid-term business plan.”

Wednesday, September 23, 2015 @ 12:09 PM gHale

Apple removed apps from its App Store after they were built with a tainted version of the company’s developer software.

The company removed the apps it knows were built with the counterfeit software, said Christine Monaghan, an Apple spokeswoman.

Palo Alto Networks reported last week on malware, called XcodeGhost, distributed as a modified copy of Xcode, the integrated development environment for building Mac, iPhone and iPad apps; apps compiled with the tainted copy carry the malicious code.

The security firm found at least 40 infected apps, including popular Chinese apps: WeChat, Tencent’s chat app; Didi Chuxing, developed by Uber’s China rival; and the business card scanner CamCard. Some of these apps are used outside China.

Tencent said in a blog post the flaw only affects version 6.2.5 of WeChat for iOS and not newer versions. It said it found the issue during preliminary investigations and fixed it, and that there was no theft or leakage of users’ information or money.

Palo Alto said it was cooperating with Apple and recommended that all iOS developers be aware of the issue and take the necessary actions. XcodeGhost is compiler-level malware: code injected at build time collects information about the device and uploads it to command and control servers.

The mode of attack can also end up used to target enterprise iOS or OS X apps in “much more dangerous ways,” Palo Alto researcher Claud Xiao wrote.

XcodeGhost was a “very harmful and dangerous” malware that could prompt fake phishing dialogs, open URLs, and read and write clipboard data, which in some cases can end up used to read passwords, Palo Alto said.

Friday, September 4, 2015 @ 04:09 PM gHale

Google released Chrome 45 for Windows, Mac, and Linux this week, patching 29 vulnerabilities.

Ten of the 29 security issues ended up reported by external researchers.

Six of the vulnerabilities reported by external researchers ended up rated high severity, Google said.

The list includes cross-origin bypass flaws in DOM (CVE-2015-1291, CVE-2015-1293), a cross-origin bypass in Service Worker (CVE-2015-1292), use-after-free flaws in Skia (CVE-2015-1294) and Printing (CVE-2015-1295), and a character spoofing bug in the Omnibox address bar (CVE-2015-1296).

Google has paid out $7,500 for each of the cross-origin bypass vulnerabilities, $5,000 for the use-after-free in Skia, $3,000 for the use-after-free in Printing, and $1,000 for the Omnibox spoofing issue.

The medium impact flaws patched with the release of Chrome 45.0.2454.85 are a permission scoping error in WebRequests, a URL validation error in extensions, and information leak and use-after-free bugs in the Blink web browser engine.

The vulnerabilities fixed in Chrome 45 ended up reported by anonymous researchers, Mariusz Mlynski, Rob Wu, Alexander Kashev, and experts using the online monikers, cgvwzq, cloudfuzzer, and zcorpan.

So far Google has paid $40,500 to the researchers who contributed to this release, but not all of the reports have been reviewed by the reward panel yet, so the total may rise.

Google’s own security team has also identified many flaws through internal audits, fuzzing and other initiatives.

With the release of Chrome 45, Google has also started killing Flash ads. The company decided to pause certain plugin content, including Flash ads, in an effort to improve performance and reduce power consumption.

Friday, July 24, 2015 @ 05:07 PM gHale

Google released Chrome version 44.0.2403.89 for Windows, Mac, and Linux to patch 43 security issues.

Exploitation of one of these vulnerabilities may allow an attacker to take control of an affected system.

The most critical issues include universal cross-site scripting (UXSS) flaws in Chrome for Android and the Chrome Blink layout engine, heap-buffer-overflow errors, a flaw which allows executable files to run immediately after download and a content security policy (CSP) bypass in the Chrome browser.

Under Google’s bug bounty program, researchers earned rewards based on the severity of the issue. Some rewards have yet to be decided, but the most critical flaws earned researchers between $500 and $7,500 each, and around $40,000 went to security researchers in total.

In addition to the outsiders finding issues, Chrome’s security team patched a variety of problems based on internal audits and fuzzing.

Tuesday, July 7, 2015 @ 01:07 PM gHale

There is no doubt wireless is continuing its huge growth curve throughout the industry, but security is always one of the first things end users ask about.

That question deserves closer scrutiny because of a vulnerability in the 802.11n wireless networking standard.

The 802.11n standard increases the speed of wireless networks, improves their reliability and security, and extends the range of wireless transmissions. It introduced a frame aggregation mechanism at the media access control (MAC) layer that increases throughput by sending two or more data frames in a single transmission.

The catch is that the frame aggregation mechanism in 802.11n has a flaw that attackers can exploit with a Packet-In-Packet (PIP) technique to inject arbitrary frames into wireless networks, said Pieter Robyns, Peter Quax and Wim Lamotte, researchers from the Expertise Centre for Digital Media at Hasselt University in Belgium. An injected frame lets an attacker interact with services on the internal network.

“We will show how the frame aggregation algorithm provided by the 802.11n standard introduces a remote arbitrary frame injection vulnerability on MAC hardware that implements this algorithm,” the authors said in their paper.

These PIP attacks work against almost any modern Wi-Fi chipset as long as the target is connected to an open (unencrypted) network, the researchers said. They also pointed out the attack can be launched without being within range of the targeted wireless network and without a wireless interface card: the crafted bytes travel to the victim as ordinary network payload, and the access point itself transmits them over the air.

An attacker can use PIP to inject malicious beacon frames, perform host and port scans, bypass firewall rules, and conduct Address Resolution Protocol (ARP) spoofing. In some cases, the attacker needs to know the MAC address of the targeted access point, researchers said.

On the defensive side, there are several ways to mitigate injection attacks: MAC-layer encryption (which scrambles the payload, so an embedded frame never appears on the air in the clear), disabling Aggregate MAC Protocol Data Unit (A-MPDU) frame aggregation, configuring receivers to drop corrupted A-MPDUs rather than resynchronise inside them, language-theoretic security (LangSec) protocol stacks, modulation switching, and deep packet inspection.

A proof-of-concept (PoC) implementation of this attack and the complete research paper are available online.
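To make the mechanism concrete, here is a software model of A-MPDU aggregation and of the packet-in-packet injection it enables. This is an added illustration written for this page, not the researchers’ proof of concept: the 802.11 header, the addresses and the “Internet payload” are constructed, the CRC-8 convention used for the delimiter is assumed (the code only needs sender and receiver to agree), and the `resync` flag models the difference between a standard receiver, which scans forward for the next valid delimiter after a bad one, and the “drop corrupted A-MPDUs” mitigation listed above.

```python
"""Packet-in-packet (PIP) injection against 802.11n A-MPDU aggregation, modelled in software.
Added illustration, not the researchers' PoC; frame layouts are simplified and all addresses
and payloads are constructed."""
import struct
import zlib

DELIM_SIG = 0x4E  # A-MPDU delimiter signature byte, ASCII 'N'


def crc8(data: bytes) -> int:
    """CRC-8 over the delimiter's first two bytes: polynomial x^8+x^2+x+1, register preset to
    ones, result complemented (assumed convention; exact bit order is irrelevant here because
    transmitter and receiver share this routine)."""
    reg = 0xFF
    for byte in data:
        reg ^= byte
        for _ in range(8):
            reg = ((reg << 1) ^ 0x07) & 0xFF if reg & 0x80 else (reg << 1) & 0xFF
    return reg ^ 0xFF


def delimiter(mpdu_len: int) -> bytes:
    """4-byte MPDU delimiter: 4 reserved bits + 12-bit MPDU length, CRC-8, signature."""
    head = struct.pack("<H", (mpdu_len & 0xFFF) << 4)
    return head + bytes([crc8(head), DELIM_SIG])


def build_mpdu(header: bytes, body: bytes) -> bytes:
    """MPDU = 802.11 header + body + 32-bit FCS (CRC-32, little-endian)."""
    frame = header + body
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def fcs_ok(mpdu: bytes) -> bool:
    return len(mpdu) > 4 and struct.unpack("<I", mpdu[-4:])[0] == zlib.crc32(mpdu[:-4]) & 0xFFFFFFFF


def aggregate(mpdus) -> bytes:
    """Transmitter side: each MPDU gets a delimiter and is padded to a 4-byte boundary."""
    return b"".join(delimiter(len(m)) + m + b"\x00" * (-len(m) % 4) for m in mpdus)


def deaggregate(ampdu: bytes, resync: bool = True):
    """Receiver side. With resync=True (standard 802.11n behaviour) a bad delimiter makes the
    receiver step forward 4 bytes at a time until it finds a delimiter with a good CRC and
    signature, so a delimiter embedded in attacker-controlled payload can be picked up.
    resync=False models the 'drop corrupted A-MPDUs' mitigation."""
    frames, pos = [], 0
    while pos + 4 <= len(ampdu):
        head, crc, sig = ampdu[pos:pos + 2], ampdu[pos + 2], ampdu[pos + 3]
        length = struct.unpack("<H", head)[0] >> 4
        if sig == DELIM_SIG and crc == crc8(head) and pos + 4 + length <= len(ampdu):
            if length:
                frames.append(ampdu[pos + 4:pos + 4 + length])
            pos += 4 + length + (-length % 4)
        elif resync:
            pos += 4
        else:
            break
    return [f for f in frames if fcs_ok(f)]  # MPDUs with a bad FCS are discarded as usual


def data_header(dst: bytes, src: bytes, bssid: bytes) -> bytes:
    """Minimal 24-byte 802.11 data header (type Data, FromDS); constructed values."""
    return b"\x08\x02\x00\x00" + dst + src + bssid + b"\x10\x00"


STA = bytes([0x11]) * 6       # victim station
AP = bytes([0x22]) * 6        # access point / BSSID
SPOOFED = bytes([0x44]) * 6   # source address the attacker wants the victim to see
INJECTED = build_mpdu(data_header(STA, SPOOFED, AP), b"injected frame")


def ap_transmission(internet_payload: bytes) -> bytes:
    """Open network: the AP forwards an Internet-delivered packet to the station unencrypted.
    Mock 28-byte IP/UDP headers (constructed) precede the attacker's bytes in one MPDU."""
    body = bytes(range(28)) + internet_payload
    return aggregate([build_mpdu(data_header(STA, AP, AP), body)])


def pip_demo(corrupt: bool, resync: bool = True):
    """The attacker ships 'delimiter + complete MPDU' as ordinary payload so that it lands on a
    4-byte boundary of the A-MPDU. If noise corrupts the outer delimiter, a resynchronising
    receiver accepts the embedded frame as if the AP had sent it."""
    ampdu = bytearray(ap_transmission(delimiter(len(INJECTED)) + INJECTED))
    if corrupt:
        ampdu[2] ^= 0x01  # one flipped bit in the outer delimiter's CRC byte
    return deaggregate(bytes(ampdu), resync)


if __name__ == "__main__":
    print("clean:", [f[10:16] for f in pip_demo(corrupt=False)])            # source = AP
    print("corrupted, resync:", [f[10:16] for f in pip_demo(corrupt=True)])  # source = SPOOFED
    print("corrupted, drop:", pip_demo(corrupt=True, resync=False))          # nothing accepted
```

The source address (bytes 10 to 15 of the header) tells the story: without corruption the station sees one frame from the AP, with a corrupted outer delimiter and standard resynchronisation it sees a frame from the spoofed address that the AP never built, and with the drop-on-corruption policy it sees nothing and simply waits for a retransmission. Under MAC-layer encryption the attacker’s delimiter and inner frame would be scrambled before transmission, which is why the researchers restrict the attack to open networks.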

Thursday, June 18, 2015 @ 01:06 PM gHale

Retrospect, the network backup utility for Mac, Linux and Windows, patched a password hashing weakness that let attackers gain access to a user’s backed-up files.

Only users who employed password protection for their backup files ended up affected by the vulnerability.

The attack exploits a design flaw in how the password hash was generated: only certain portions of the password string went into the hash, so the resulting hashes were weak.

An attacker hashes candidate strings until one matches the stored hash of the real password; because only part of the password contributes to the hash, a much shorter candidate than the real password suffices. A matching string let the attacker authenticate to Retrospect clients and access the backup files.

To get in, the attacker would need access to a network the Retrospect clients are connected to.

The vulnerability detailed in CVE-2015-2864 affects all Retrospect clients. There is a patch for the hole in Retrospect 10.0.2 for Windows, Retrospect Client 10.0.2 for Windows, Retrospect 12.0.2 for Mac, Retrospect Client 12.0.2 for Mac, and Retrospect Client 10.0.2 for Linux.

Since only password-protected backup archives were affected, Retrospect said clients should use its public key authentication method instead. The company has a page with step-by-step instructions on its support website.
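The following example, added here and not taken from Retrospect (the advisory does not say which portions of the password were hashed, so the weak scheme below is a hypothetical stand-in that hashes only the first four characters), shows why partial-password hashing turns a long password into a short search, and what the corrected design looks like: the whole password, a per-user salt and a slow key derivation function.

```python
"""Partial-password hashing versus a proper KDF. Added illustration; the weak scheme is a
stand-in, not Retrospect's code."""
import hashlib
import hmac
import itertools
import os
import string

PREFIX = 4  # hypothetical: the flawed scheme hashes only this many leading characters


def weak_hash(password: str) -> bytes:
    """Flawed design: part of the password never reaches the hash function."""
    return hashlib.sha256(password[:PREFIX].encode()).digest()


def find_matching_string(target: bytes, alphabet: str, max_len: int):
    """The attack from the article: hash candidate strings until one matches the stored hash.
    The candidate need not be the real password, only something with the same hashed part.
    Returns (candidate, number of hashes computed)."""
    tries = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            tries += 1
            candidate = "".join(chars)
            if hmac.compare_digest(weak_hash(candidate), target):
                return candidate, tries
    return None, tries


def strong_hash(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Corrected design: whole password, per-user salt, slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the stored value."""
    return hmac.compare_digest(strong_hash(password, salt), stored)


ALPHABET = string.ascii_lowercase + string.digits
REAL_PASSWORD = "ab12-long-tail-passphrase"  # constructed


def search_space(length: int) -> int:
    """Number of candidate strings of the given length over ALPHABET."""
    return len(ALPHABET) ** length


if __name__ == "__main__":
    stored = weak_hash(REAL_PASSWORD)
    cand, tries = find_matching_string(stored, ALPHABET, PREFIX)
    print(f"matched with {cand!r} after {tries} hashes; full-length search space would be "
          f"{search_space(len(REAL_PASSWORD))}, hashed part only {search_space(PREFIX)}")
    salt = os.urandom(16)
    stored2 = strong_hash(REAL_PASSWORD, salt)
    print(verify(REAL_PASSWORD, salt, stored2), verify(cand, salt, stored2))  # True False
```

With the weak scheme the 25-character passphrase falls after a few tens of thousands of hashes, and the string that matches is not even the real password; with the salted KDF the same short candidate fails, and every guess costs a full PBKDF2 run. Retrospect’s recommendation to move to public key authentication sidesteps the problem entirely, since no password hash is stored on the client at all.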

Thursday, April 16, 2015 @ 03:04 PM gHale

Chrome 42 for Windows, Mac and Linux is now available. The release fixes 45 security issues and removes NPAPI support, Google officials said.

The most serious vulnerability fixed in Chrome 42 is a cross-origin bypass flaw in the HTML parser (CVE-2015-1235). The discovery of this high severity bug earned an anonymous researcher $7,500.

The list of high severity vulnerabilities also includes a type confusion in V8 (CVE-2015-1242) reported by Cole Forrester of Onshape, a use-after-free in IPC (CVE-2015-1237) reported by Khalil Zhani, and an out-of-bounds write bug in the Skia graphics engine (CVE-2015-1238) identified by cloudfuzzer.

The medium severity security issues reported by external researchers are a cross-origin-bypass in the Blink web browser engine, an out-of-bounds read in WebGL, a use-after-free in PDFium, a tap-jacking flaw, an HSTS bypass in WebSockets, an out-of-bounds read in Blink, scheme issues in OpenSearch, and a SafeBrowsing bypass.

The researchers who contributed to making Chrome more secure received $21,500, according to a Google blog post.

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Alex Mineer of the Google Chrome team.

In September 2013, Google said it would phase out support for the Netscape Plugin API (NPAPI). The company noted at the time the API’s 90s-era architecture was causing crashes, security issues and other problems.

In January 2014, Google blocked web page-instantiated NPAPI plugins by default, but whitelisted some of the most popular applications, such as Silverlight, Unity, Google Earth, Google Talk, and Facebook Video. Java was also on the list of most popular plugins using NPAPI, but it ended up disabled earlier for security reasons.

Now, NPAPI support is disabled by default in Chrome, and extensions requiring NPAPI plugins will be removed from the Chrome Web Store. Advanced users and enterprises can temporarily re-enable NPAPI until the plugins they use transition to alternative technologies.

Starting with Chrome 45, scheduled for release in September, this override will be removed and NPAPI support will go away for good.

Wednesday, September 3, 2014 @ 03:09 PM gHale

Mozilla launched Firefox 32 for Windows, Mac, Linux, and Android which includes a new HTTP cache for improved performance, public key pinning support, and easy language switching on Android.

Firefox 32 is out, and all existing users should be able to upgrade to it automatically. The Android version is trickling out slowly on Google Play.

Here is how Mozilla described the new HTTP cache back-end:

“The new HTTP cache back end has many improvements like request prioritization optimized for first-paint time, ahead of read data preloading to speed up large content load, delayed writes to not block first paint time, pool of most recently used response headers to allow 0ms decisions on reuse or re-validation of a cached payload, 0ms miss-time look-up via an index, smarter eviction policies using frecency algorithm, resilience to crashes and zero main thread hangs or jank. Also it eats less memory, but this may be subject to change based on my manual measurements with my favorite microSD card which shows that keeping at least data of html, css and js files critical for rendering in memory may be wise.”

The biggest addition for the desktop platforms is public key pinning, a security feature that helps ensure people are connecting to the sites they intend. Pinning lets a site specify which certificate authorities (CAs), or which keys, may issue valid certificates for it, rather than accepting any one of the hundreds of built-in root certificates that ship with Firefox. In this release the pins are built into the browser for a preloaded set of sites.

This means pinning can protect Firefox users from man-in-the-middle attacks and rogue certificate authorities. If a CA mis-issues a certificate for a pinned site, or the certificate chain presented for a pinned site does not lead to one of the pinned keys, Firefox will reject the connection.

Pinned domains in Firefox 32 include Twitter; Google domains will be added in Firefox 33, with more domains to come.
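The check itself is simple, and worth seeing in code because it explains both the mis-issuance case and why operators pin a backup key. The example below is added here and is not Mozilla’s code: a pin is the SHA-256 of a certificate’s DER-encoded SubjectPublicKeyInfo, and the connection is allowed only if some certificate in the already-validated chain matches a pin. The “SPKI” byte strings are constructed stand-ins for real DER.

```python
"""Public key pinning check, modelled after the behaviour Firefox describes. Added
illustration, not Mozilla's code; the SPKI byte strings are constructed stand-ins."""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pinning_allows(chain_spkis, pins) -> bool:
    """chain_spkis: SPKIs of the chain that already passed normal validation, leaf first.
    The connection proceeds only if some certificate in the chain (leaf, intermediate or
    root) carries a pinned key; a cert from any other trusted CA is rejected."""
    return any(spki_pin(s) in pins for s in chain_spkis)


# Constructed key material (stand-ins for real SPKIs)
ROOT_A, INTERMEDIATE_A = b"spki:root-A", b"spki:intermediate-A"
ROOT_B = b"spki:root-B"  # another CA the browser trusts, but the site never pinned
LEAF_SITE = b"spki:site-leaf-key"
BACKUP_KEY = b"spki:site-backup-key"  # held offline, pinned so the site can recover

PINS = {spki_pin(INTERMEDIATE_A), spki_pin(BACKUP_KEY)}  # what the site operator pinned


def scenarios():
    """Verdict for each chain the browser might be shown for the pinned site."""
    return {
        "legit chain via CA A": pinning_allows([LEAF_SITE, INTERMEDIATE_A, ROOT_A], PINS),
        "mis-issued by CA B": pinning_allows([b"spki:attacker-leaf", ROOT_B], PINS),
        "reissued with backup key": pinning_allows([BACKUP_KEY, ROOT_B], PINS),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {'allowed' if verdict else 'rejected'}")
```

Two points follow from the code: pinning is applied only after ordinary chain validation, so it narrows rather than replaces the trust store, and an operator who pins only the current leaf key with no backup locks their own users out when that key is rotated.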

Cache and pinning aside, the new desktop version has a sizeable list of changes. Here are some of the new offerings in Firefox 32:
• New: New HTTP cache provides improved performance including crash recovery.
• New: Integration of generational garbage collection.
• New: Public key pinning support enabled.
• Changed: Removed and turned off trust bit for some 1024-bit root certificates.
• Changed: Performance improvements to Password Manager and Add-on Manager.
• HTML5: drawFocusIfNeeded enabled by default.
• HTML5: CSS position:sticky enabled by default.
• Developer: HiDPI support in Developer Tools UI.
• Developer: Inspector button moved to the top left.
• Developer: Hidden nodes displayed differently in the markup-view.
• Fixed: Mac OS X: cmd-L does not open a new window when no window is available.
• Fixed: Text Rendering Issues on Windows 7 with Platform Update KB2670838 (MSIE 10 Prerequisite) or on Windows 8.1.

There are quite a few HTML5 additions in this release. If you’re a Web developer, you should probably check out Firefox 32 for developers.

New versions of Firefox release every six weeks. Firefox 33 will be out in mid-October.

Friday, August 15, 2014 @ 03:08 PM gHale

Google rolled out version 36 of the Chrome browser for Windows, Mac and Linux, including a set of security fixes, along with the latest revision of Flash Player.

Twelve vulnerabilities ended up fixed in this release, with some found by external security researchers, who earned cash for their efforts through Google’s bug bounty program.

For a use-after-free flaw (CVE-2014-3165) in WebSockets, Google paid $2,000 to researcher Collin Payne; Google has not yet published further details of this flaw.

From another external researcher, the Google team received details of a flaw that could lead to information disclosure in SPDY. Identified as CVE-2014-3166, it was reported by Antoine Delignat-Lavaud, a second-year PhD student in the Prosecco team at Inria Paris.

In order to prevent the information leakage, Chrome developers decided to disable SPDY and QUIC session pooling in the latest revision of the web browser.

SPDY is a network protocol that multiplexes and compresses HTTP traffic over a single TLS connection to cut page load time.

Turning off session pooling means Chrome can no longer share one SPDY or QUIC session across hosts, which can make pages on sites using these protocols load slightly slower, though not enough to noticeably affect browsing.

Additional input came from the internal security team, who discovered an undisclosed number of glitches through internal audits or code fuzzing operations.

Build 36.0.1985.143 of the web browser also updates the Adobe Flash Player plug-in to the recently released version

Adobe patched seven critical vulnerabilities, most of them memory leaks that could be exploited to bypass memory protection mechanisms such as address space layout randomization (ASLR).
