Larry Dignan at ZDNet has posted a comparison of the number of vulnerabilities in Mac OS X and Windows, both XP and Vista, and while the numbers make it look like Microsoft has a big lead on security, that is certainly not what they mean. They just say that Mac OS X has 5 times the flaws of XP and Vista every month in 2007.
Windows XP, Vista, and Mac OS X vulnerability stats for 2007

                              XP    Vista   XP + Vista   Mac OS X
Total extremely critical       3        1            4          0
Total highly critical         19       12           23        234
Total moderately critical      2        1            3          2
Total less critical            3        1            4          7
Total flaws                   34       20           44        243
Average flaws per month     2.83     1.67         3.67      20.25
Now, before everyone does the Mac versus PC thing: this is just a comparison of vulnerability counts, and in no way does it say that Windows is more secure. If they did a comparison of the actual number of exploits taking advantage of those same vulnerabilities, I am sure the number would be severely tilted toward Microsoft, as they have the larger installed base. Plus, after reading some of the comments, it doesn’t take into account how many of these are actually from Apple for their own software, as they also distribute patches for the software that comes with their OS, a lot of it being open source.
Some interesting security related stories.
U.S. Database Exposes Social Security Numbers The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.
Google draws privacy complaint to FTC “Google’s proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world,” the complaint reads. “Moreover, Google will operate with virtually no legal obligation to ensure the privacy, security and accuracy of the personal data that it collects.”
This one could potentially be big. Consider the data Google collects from the browsing habits of people using its toolbar, the information it gathers from people searching its site(s), the data it collects from its ads on a major portion of the Internet, the data it collects from its online programs like Gmail and Google Docs & Spreadsheets, the data it collects from people using Google Checkout, and the data it collects from YouTube and all of the embedded videos. If that data were used by people working for Google, or by someone who is able to access it from the outside, the amount of information they could compile and use on people is, I am sure, staggering.
It depends on your definition, I guess. Sitting there with nothing running, no one could get into them. On the second day, they sent contestants URLs via email, and one hacker was able to exploit a vulnerability in Safari and open a back door that gave him access to everything. While they did not crack the OS itself, they did crack a tool that many people use on such a system; it’s the same as all of the IE vulnerabilities that get exploited, though Macs certainly have the better track record over Windows. Here is more from ZDNet.
MacBook Pro hijacked with Safari zero-day Hackers Dino Dai Zovi and Shane Macaulay teamed up to hijack a MacBook Pro laptop at the CanSecWest security conference here, effectively pouring cold water on the Mac faithful’s belief that the machines are impenetrable. Dai Zovi, a former Matasano researcher who has been credited in the past with finding Mac OS X vulnerabilities, exploited a zero-day flaw in the built-in Safari browser to take complete control of the machine.
Seeing through walls Have you considered that someone could be reading what’s on your monitor from a few rooms away? It’s unlikely, but possible, as work by Cambridge University computer security researcher Markus Kuhn shows.
ISP Kicks Out User Who Exposed Vulnerability; Doesn’t Fix Vulnerability Apparently, a college student discovered and published a pretty major vulnerability found in the routers the company uses, allowing anyone to access the routers remotely. Rather than thank the customer for finding and highlighting a pretty serious vulnerability, the company has cut off his service and threatened him with lawsuits. Oh yeah, they also haven’t bothered to fix the vulnerability — despite it being published 7 weeks ago. The reasoning from the ISP is astounding. They claim that since they can’t find any evidence that anyone ever used the vulnerability, he must have discovered it by “illegal” means. Who knew that simply probing for security vulnerabilities was illegal? And, of course, the ISP told the guy he’s not allowed to talk about its legal threat to him — which isn’t actually legally binding. It’s not clear if the ISP doesn’t understand what it’s done or simply doesn’t want to fix the vulnerability.
Interact with the security community CanSecWest, the world’s most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.
More news about Windows Vista.
Microsoft makes copying Vista a monster task With Windows XP, antipiracy measures were a bit of an afterthought. But with Windows Vista, Microsoft had pirates in its sights from the get-go.
Apple Adds Vista Support to Boot Camp Apple on Wednesday pushed an update to its Boot Camp dual booting feature, providing support for the 32-bit version of Windows Vista, as well as updated drivers for various hardware included with Intel Macs.
Update on Microsoft Security Advisory 935423 A little more info from Microsoft on the Windows animated cursor vulnerability: how long they have known, the time of the first attack, how they are fixing it, etc.
Microsoft: Rise in attacks on Vista loophole Just a day after release, the vulnerability in .ani files has caused hackers to pick up the pace of their attacks on some versions of Windows.
3 reasons Vista lets down gamers Hardware incompatibilities, backward incompatibility and a lack of DirectX 10 games; visit the site for details.
3rd Party Patches Critical Windows Flaw Not content to wait for Microsoft to remedy the issue, independent security firm eEye released a temporary patch for a critical flaw affecting Windows that can lead to a crash-restart-crash loop. But Microsoft does not recommend such third-party patches.
Windows Vista ATI Radeon Kernel Mode Driver Denial of Service A weakness has been reported in Windows Vista, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Living With Vista: First 30 Days With the new version of Windows finally out, early users say they’re bedeviled by hardware and software problems–but some love the OS anyway.
Cisco announced this week that their Cisco Unified CallManager and Cisco Unified Presence Servers are vulnerable to remote attacks using specially crafted ICMP and UDP packets. Cisco has already released patches for them, here.
CallManager servers, which process VoIP calls on a network, can be crashed by sending attack traffic to TCP ports 2000 or 2443 on the server; these ports are used by Cisco’s proprietary call control protocols: Skinny Call Control Protocol (SCCP, or “Skinny”) and Secure SCCP. This vulnerability exists in CallManager versions 3.x, 4.x and 5.0 (CUCM 6.0, the latest version (announced this month), is not affected, nor is the Presence Server).
Cisco says CallManager and the Presence Server are affected by attacks involving floods of ICMP Echo Requests (pings), or specially crafted UDP packets. The ping-flood vulnerability, which affects only CallManager 5.0 and Presence Server 1.x, could be used to crash call-processing or presence services on the respective servers.
The UDP vulnerability affects the IPSec Manager Service on CallManager and Presence Server, which uses UDP Port 8500. With this less severe vulnerability, an attack could not stop calls from being placed or received on a Cisco VoIP network, but could cause the loss of some features, such as the ability to forward calls or deploy configuration changes to clusters of CallManager and Presence Servers. Source: Cisco VoIP and presence servers vulnerable to new attacks
If you don’t want to load the patches yet, you can filter this traffic at the router on the outside connections to your network:
Permit TCP Port 2000 (SCCP) and TCP Port 2443 (Secure SCCP) to CallManager systems only from VoIP endpoints.
ICMP Echo Requests, Type 8, should be blocked for CallManager and Presence Server systems (although this could affect network management applications and troubleshooting).
UDP Port 8500 for IPSec Manager should be permitted only between CallManager/Presence Server systems configured in a cluster deployment.
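The three interim rules above only work if the permits are ordered ahead of the denies and if “cluster members” and “VoIP endpoints” are pinned to concrete address ranges. The following Python model, an added example that is not Cisco configuration and not from the advisory, encodes the rules as a first-match access list and evaluates sample flows against it, so the policy can be checked before it is translated into the router’s own ACL syntax. The address ranges, rule names and flows are constructed assumptions.

```python
"""First-match model of the three interim filtering rules for the Cisco
CallManager / Presence Server advisory.

Added example: address plan, rule names and sample flows are constructed
for illustration and do not come from Cisco or the advisory.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical address plan (assumption, not from the page).
VOIP_ENDPOINTS = ipaddress.ip_network("10.10.0.0/16")   # IP phones
CALLMANAGERS = ipaddress.ip_network("10.20.1.0/24")     # CallManager cluster
PRESENCE = ipaddress.ip_network("10.20.2.0/24")         # Presence Server(s)
ANY = ipaddress.ip_network("0.0.0.0/0")
SERVERS = [CALLMANAGERS, PRESENCE]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None = any destination port
    icmp_type: Optional[int] = None  # None = any ICMP type

    def matches(self, proto, src, dst, port_or_type) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.dport is not None and port_or_type != self.dport:
            return False
        if self.icmp_type is not None and port_or_type != self.icmp_type:
            return False
        return True


def build_rules():
    rules = []
    # Rule 1: SCCP (tcp/2000) and Secure SCCP (tcp/2443) reach CallManager
    # only from VoIP endpoints. The permit must precede the deny.
    for port in (2000, 2443):
        rules.append(Rule(f"sccp-{port}-from-phones", "permit", "tcp",
                          VOIP_ENDPOINTS, CALLMANAGERS, dport=port))
        rules.append(Rule(f"sccp-{port}-block", "deny", "tcp",
                          ANY, CALLMANAGERS, dport=port))
    # Rule 2: ICMP Echo Request (type 8) is blocked toward both server types.
    # Caveat from the advisory write-up: this also stops ping-based
    # monitoring and troubleshooting of those hosts.
    for net in SERVERS:
        rules.append(Rule("icmp-echo-block", "deny", "icmp", ANY, net, icmp_type=8))
    # Rule 3: udp/8500 (IPSec Manager) only between cluster members.
    for s in SERVERS:
        for d in SERVERS:
            rules.append(Rule("ipsec-mgr-cluster", "permit", "udp", s, d, dport=8500))
    for net in SERVERS:
        rules.append(Rule("ipsec-mgr-block", "deny", "udp", ANY, net, dport=8500))
    # Explicit final permit so unrelated traffic is untouched by this model.
    rules.append(Rule("default", "permit", "any", ANY, ANY))
    return rules


RULES = build_rules()


def evaluate(proto, src, dst, port_or_type=None):
    """Return (action, rule_name) of the first rule matching the flow."""
    for rule in RULES:
        if rule.matches(proto, src, dst, port_or_type):
            return rule.action, rule.name
    raise AssertionError("unreachable: the default rule matches everything")


if __name__ == "__main__":
    for flow in [("tcp", "10.10.5.7", "10.20.1.5", 2000),
                 ("tcp", "203.0.113.9", "10.20.1.5", 2000),
                 ("icmp", "203.0.113.9", "10.20.2.3", 8),
                 ("udp", "10.20.1.5", "10.20.2.3", 8500),
                 ("udp", "10.10.5.7", "10.20.1.5", 8500)]:
        print(flow, "->", evaluate(*flow))
```

The model deliberately ends with a permit-any so that it only expresses the three rules from the advisory; a real edge ACL would normally end in a deny and enumerate what is allowed.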
The Register says:
CallManager versions 3.3, 4.1, 4.2 and 5.0, as well as Presence Server version 1.0, are affected by a number of security bugs. The vulnerabilities involve unspecified errors in the handling of large amounts of ICMP Echo packets and within IPSec Manager service, both of which might be used to launch denial of service attacks against vulnerable Cisco Unified CallManager and Presence Server software installations.
A separate bug means that CallManager software PBX systems might be taken down by port scanning. Source: Cisco wraps up against VoIP DoS bugs
Lots of security stuff to comment on today, so I thought I would do a news post with links to them all, save us all some time.
Spamdexing “R” Us A researcher is curious as to how many times a user can get hit with a driveby download and malware infection just by clicking on a Google search result. He took the AOL search data that was released accidentally by AOL and tried to figure it out.
A Fresh Look at Password Thieves Security Fix is still looking at the damage caused by the VisualBreeze or “Vbriz” Trojan, also known as “Dimpy.Win32VB.” Thousands of people are affected.
Malicious Web Site / Malicious Code: MS07-009 Exploit Code Released A full exploit was released for MDAC vulnerability MS07-009. A patch is available here.
Windows weakness can lead to network traffic hijacks IE still looks for proxy servers when it starts up, and a malicious employee inside your network could take advantage of it; here is how, and how you can avoid it.
Many net users ‘not safety-aware’ Less than half of the UK’s internet users believe they are responsible for protecting their personal information online.
SANS to certify programmers for security nous The SANS Institute has assembled security vendors to create a secure coding assessment and certification exam for programmers. Participants have the option to sit through four exams leading to GIAC Secure Software Programmer (GSSP) status. The four examinations cover a specific programming language suite: C/C++, Java/J2EE, Perl/PHP and .NET/ASP. Visit here for the new website.
Trend Micro Moves Security into the Cloud Trend Micro’s products rely on a dynamic database of IP addresses that are updated constantly to prevent users from accessing sites that are known to distribute the malware used to build botnets. This domain reputation database maps over 300 million domains daily, and every five minutes there is a new entry.
OpenOffice.org Security Several security vulnerabilities have been reported on in the media in the last week, where users’ PCs could be open to attack if they opened certain documents or websites.
Vulnerability Summary for the Week of March 19, 2007 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.
Cisco has posted a notice on three vulnerabilities they just patched in routers and switches running their Cisco IOS or Cisco IOS XR software, which could enable someone to mount a crafted IP option Denial of Service (DoS) attack. You can view all of Cisco’s security advisories here: Cisco Security Advisories and Notices. Here is a quote from the advisory for the most dangerous flaw:
Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet’s IP header. No other IP protocols are affected by this issue.
To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as “Internetwork Operating System Software” or simply “IOS”. On the next line of output, the image name will be displayed between parentheses, followed by “Version” and the IOS release name. Cisco IOS XR software will identify itself as “Cisco IOS XR Software” followed by “Version” and the version number. Other Cisco devices will not have the show version command or will give different output. Source: Cisco Security Advisory: Crafted IP Option Vulnerability
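The advisory’s identification rules for the show version banner (IOS names itself “Internetwork Operating System Software” or “IOS” with the image name in parentheses and “Version” on the next line; IOS XR names itself “Cisco IOS XR Software” followed by “Version”) are easy to script when you need to inventory many devices. The parser below is an added example and is not Cisco tooling; the three banners are constructed samples in the shape the advisory describes, with placeholder version numbers, not output captured from real devices.

```python
"""Classify a captured `show version` banner as IOS, IOS XR or other and
extract the image name and version, following the advisory's rules.

Added example, not Cisco's own tooling. Sample banners are constructed;
their version numbers are placeholders, not real affected releases.
"""
import re
from typing import Optional, Tuple

# Constructed sample banners (assumption: only the shape matters).
IOS_BANNER = """Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.3(4)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
"""

IOS_XR_BANNER = """Cisco IOS XR Software, Version 3.4.1[00]
Copyright (c) 2006 by cisco Systems, Inc.
"""

OTHER_BANNER = """Cisco PIX Firewall Version 6.3(5)
"""

# IOS XR: "Cisco IOS XR Software" followed by "Version" and the number.
IOS_XR_RE = re.compile(r"Cisco IOS XR Software.*?Version\s+(\S+)")
# IOS: the long name, a line starting with "IOS", or the newer
# "Cisco IOS Software" wording.
IOS_ID_RE = re.compile(
    r"Internetwork Operating System Software|^IOS\b|\bCisco IOS Software\b",
    re.MULTILINE)
# IOS: image name in parentheses, then "Version" and the release string.
IOS_IMAGE_RE = re.compile(r"\(([^)]+)\),\s*Version\s+([^,\s]+)")
# IOS release strings look like 12.3(4)T: major.minor(maintenance)train.
IOS_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Za-z0-9]*)$")


def identify(banner: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (family, image, version); family is 'IOS XR', 'IOS' or 'other'."""
    m = IOS_XR_RE.search(banner)
    if m:
        return "IOS XR", None, m.group(1)
    if IOS_ID_RE.search(banner):
        m = IOS_IMAGE_RE.search(banner)
        if m:
            return "IOS", m.group(1), m.group(2)
        return "IOS", None, None     # identified, but banner is unusual
    return "other", None, None


def parse_ios_release(version: str):
    """Split an IOS release string into a comparable tuple, or None."""
    m = IOS_RELEASE_RE.match(version)
    if not m:
        return None
    major, minor, maint, train = m.groups()
    return int(major), int(minor), int(maint), train


if __name__ == "__main__":
    for name, banner in [("ios", IOS_BANNER), ("ios-xr", IOS_XR_BANNER),
                         ("other", OTHER_BANNER)]:
        print(name, identify(banner))
```

The tuple from parse_ios_release is what you would compare against the fixed-release table in the advisory itself; the table is not reproduced here.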
The SANS Internet Storm Center has posted an article describing all three:
Crafted TCP Packet can cause denial of service (cisco-sa-20070124-crafted-tcp)
A remotely-exploitable memory leak in the Cisco IOS software could lead to a denial of service condition. This vulnerability applies to much of the IOS 12.0, 12.1 and 12.2 code base.
Crafted IP Option vulnerability (cisco-sa-20070124-crafted-ip-option)
By sending certain ICMP, PIMv2, PGM or URD packets with a specific IP option set to a Cisco IOS or IOS XR device, an attacker could cause the device to reload or even execute arbitrary code. This applies to a wide variety of releases.
IPv6 Routing Header vulnerability (cisco-sa-20070124-IOS-IPv6)
Certain crafted IPv6 Type 0 routing headers could crash a device running IOS. Source: Cisco vulnerabilities
Cisco has released Applied Intelligence Response bulletins for each vulnerability, which could help you detect attempts to exploit them.
As Brian Krebs of Security Fix said, it’s time to reboot the Internet again:
Cisco Systems Inc., the company whose hardware routers are responsible for handling the majority of the world’s Internet traffic, today issued patches to fix at least three very serious security holes in its products. This is generally not something that the average user needs to worry about, but I’m blogging on it because the flaws do have the potential to cause some problems that Internet users could experience in a very real way (i.e. e-mail and Internet access temporarily goes bye-bye).
Most Internet service providers will stagger the installation of these patches so as not to disrupt customers’ online connectivity, but one of these flaws appears to be so easy to exploit that if the bad guys figure out how before ISP get around to patching then we could very likely see portions of the Internet go dark soon. source: Time to Reboot the Internet Again
Ah, such is the Internet; if it weren’t for security vulnerabilities, all we’d have left to talk about would be which platform is better: Windows, Linux or OS X.
The Month of Apple Bugs website posted its first vulnerability for this month, and it affects Windows as well. BAM!! KAPOW!! The double whammy. I’m sure the message boards will be heated up: my OS is better than your OS; can’t we all just get along?
The following description of the software is provided by the vendor (Apple):
QuickTime 7 makes the future of video crystal clear with new features including user-friendly controls and pristine H.264 video. Upgrade to QuickTime 7 Pro and capture your own movies, then share them with friends and family via email or .Mac.
From CNET, QuickTime zero-day bug threatens Macs, PCs:
The vulnerability affects QuickTime 7.1.3, the latest version of the media player software released in September, on both Apple Mac OS X and Microsoft Windows, according to the Month of the Apple Bugs advisory. Previous versions could also be vulnerable, according to the advisory.
Security-monitoring companies Secunia and the French Security Incidence Response Team, or FrSIRT, rate the QuickTime flaw as “highly critical” and “critical,” respectively. Source: News.com
As usual, this will be more dangerous to Windows users, as most of them run under administrator accounts. Apple has not released any info on when a patch could be released.
They released the second vulnerability today; they are promising one a day:
A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC.
This issue has been successfully exploited in VLC version 0.8.6 for Mac OS X. Previous versions and other platforms might be affected (thanks to David Maynor for confirming the issue in the Microsoft Windows version). Source: VLC Media Player udp:// Format String Vulnerability
The poster with the handle LMH and independent researcher Kevin Finisterre say a positive side effect will probably be a more concerned user base and better practices from Apple management. It makes for interesting reading at least, although this QuickTime vulnerability could affect a large percentage of the Internet, especially Windows users.
An exploit has been released for a wireless driver created by Broadcom Corp. that is built into millions of new laptops from HP, Dell, Gateway and other computer makers, as well as some devices made by Linksys and Zonet. It is for a specific version, but the writer says it could easily be modified for different versions from different manufacturers. The flaw could be used to take complete control of any vulnerable machine within a few hundred feet. The flaw is reachable on most of these machines because of the background scanning the driver does for wireless networks, so even a machine that is not connected to a wireless network is vulnerable.
A security researcher has released a set of instructions for exploiting a security flaw in the wireless Internet devices built into millions of new laptops from HP, Dell, Gateway and other computer makers. An attacker could use the flaw to take complete control over any vulnerable machine located within a few hundred feet, so be forewarned that reading the rest of this post could make you awfully leery of that guy sitting in the corner booth at Starbucks gleefully clacking away on his laptop.
According to the latest addition to the Month of Kernel Bugs project, the vulnerability resides in a flawed device driver from Broadcom Corp. that is bundled with many different laptops and built in to some devices made by Linksys and Zonet. The flaw is exploitable on vulnerable Windows machines whether or not the machine is connected to a wireless network. In fact, it is the wireless card’s background scan for available wireless networks that apparently triggers the flaw. Source: Exploit Targets Widely Deployed Wireless Flaw from SecurityFix via Faill.com
Here is a quote from the original advisory, with a link to it:
The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. The BCMWL5.SYS driver is bundled with new PCs from HP, Dell, Gateway, eMachines, and other computer manufacturers. Broadcom has released a fixed driver to their partners, which are in turn providing updates for the affected products. Linksys, Zonet, and other wireless card manufactures also provide devices that ship with this driver. Source: Broadcom Wireless Driver Probe Response SSID Overflow
This could be a SERIOUS problem in the future. Some organizations use Dell exclusively for their laptops; if they don’t come up with an easy way to update these laptops to the latest driver, lots of people could be exploited. I can see a whole new crop of botnets springing from Internet cafes and places that offer free wireless Internet access. Someone sitting outside with a better antenna could seriously take advantage of some organizations; this could get ugly. Ask your resellers about it now, not later, and get them working on an easy solution for you.
Update: George Ou, who writes the Real World IT blog at ZDNet, has more information and a fix posted using an updated Linksys driver. The exploit no longer functions with this driver, but they have only tested it on a couple of devices; while it should work on most, I would think, there is always a chance something could go wrong.
Yes this is an UGLY solution but it’s all we have at this point. Broadcom should have provided certified drivers to Microsoft for inclusion in Windows Update but they didn’t. But even then, Microsoft device driver updates are never pushed out as automatic critical updates and we all know that if it isn’t automatic and seamless it probably won’t get done. This is something Microsoft needs to address with the PC industry in general because driver exploits are becoming very common and very dangerous. Source: Real World IT
Security researcher HD Moore has released code that shows how attackers can exploit an unpatched flaw present in some Apple wireless drivers. Moore said he tested this on a 1.0GHz PowerBook running Mac OS X 10.4.8 with the latest updates, and while Apple has released updates to fix three other problems with these wireless drivers, this flaw is still unpatched.
“With all the hype and buzz about the now infamous Apple wireless device driver bugs (brought to attention at Black Hat, by Johnny Cache and David Maynor, covered up and FUD’ed by others), hopefully this will bring some light (better said, proof) about the existence of such flaws in the Airport device drivers,” said LMH (the alias of the hacker who runs the Kernelfun blog) — referring to an Apple wireless driver issue covered by Security Fix earlier this year (the links in the quote are his). Source: Security Fix
To see the exploit code and the release, click here: Apple Airport 802.11 Probe Response Kernel Memory Corruption.
The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values.
A spokesman from Apple had this to say:
“We were recently made aware of this security issue in our first generation AirPort card, which has not shipped since October 2003. This issue affects a small percentage of previous generation AirPort enabled Macs and does not affect currently shipping or AirPort Extreme enabled Macs. We are currently investigating the issue.” Source: Security Fix
Fun, fun, fun.
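Both driver advisories quoted above come down to the same parsing mistake: trusting the information elements (IEs) that follow the fixed-length header of a probe response frame, either an SSID IE longer than the 32 bytes the 802.11 standard allows (the Broadcom bug) or a body with no valid IEs at all (the Airport bug). The validator below is an added example written from the defender’s side, not code from either advisory or from the Month of Kernel Bugs project; it parses a probe response body the way a careful driver or a wireless IDS would, refusing frames that fail either check. The frame bodies are constructed in memory, so nothing is captured from or sent over the air.

```python
"""Validate the IE section of an 802.11 probe response body.

Added example, not from either advisory. Rejects the two malformed shapes
the Broadcom and Apple Airport advisories describe: an overlong SSID IE
and a body with no usable IEs after the 12-byte fixed header. Frames
below are constructed by hand.
"""
import struct
from typing import List, Tuple

FIXED_HEADER_LEN = 12   # timestamp(8) + beacon interval(2) + capability(2)
IE_SSID = 0
IE_SUPPORTED_RATES = 1
MAX_SSID_LEN = 32       # limit fixed by the 802.11 standard


class MalformedFrame(ValueError):
    """Raised instead of trusting a length field taken from the air."""


def parse_probe_response_body(body: bytes) -> Tuple[dict, List[Tuple[int, bytes]]]:
    """Parse the frame body (everything after the 24-byte MAC header).

    Returns (fixed_fields, [(tag, value), ...]) or raises MalformedFrame.
    """
    if len(body) < FIXED_HEADER_LEN:
        raise MalformedFrame("body shorter than the fixed header")
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    fixed = {"timestamp": timestamp, "beacon_interval": interval,
             "capability": capability}

    ies = []
    off = FIXED_HEADER_LEN
    while off < len(body):
        if off + 2 > len(body):
            raise MalformedFrame("truncated IE header at offset %d" % off)
        tag, length = body[off], body[off + 1]
        value = body[off + 2: off + 2 + length]
        # The declared length must fit inside the frame; a driver that
        # copies `length` bytes without this check overruns its buffer.
        if len(value) != length:
            raise MalformedFrame("IE %d claims %d bytes, only %d present"
                                 % (tag, length, len(value)))
        # The Broadcom advisory's trigger: SSID longer than the standard allows.
        if tag == IE_SSID and length > MAX_SSID_LEN:
            raise MalformedFrame("SSID IE length %d exceeds %d"
                                 % (length, MAX_SSID_LEN))
        ies.append((tag, value))
        off += 2 + length

    # The Airport advisory's trigger: no valid IEs after the fixed header.
    if not any(tag == IE_SSID for tag, _ in ies):
        raise MalformedFrame("no SSID IE after the fixed header")
    return fixed, ies


def is_well_formed(body: bytes) -> bool:
    """Convenience wrapper for filtering or alerting code."""
    try:
        parse_probe_response_body(body)
        return True
    except MalformedFrame:
        return False


def build_body(ssid: bytes, rates: bytes = b"\x82\x84\x8b\x96") -> bytes:
    """Construct a probe response body for testing (constructed data)."""
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0001)
    return (fixed
            + bytes([IE_SSID, len(ssid)]) + ssid
            + bytes([IE_SUPPORTED_RATES, len(rates)]) + rates)


if __name__ == "__main__":
    samples = {
        "normal": build_body(b"CoffeeShop"),
        "overlong-ssid": build_body(b"A" * 200),
        "no-ies": struct.pack("<QHH", 0, 100, 1),
        "truncated-ie": build_body(b"CoffeeShop")[:-2],
    }
    for name, body in samples.items():
        print(name, "well-formed" if is_well_formed(body) else "rejected")
```

The same loop generalizes to beacon frames, which share the fixed header and IE layout; only the SSID-presence rule would differ for networks that hide their SSID.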
Secunia has posted another vulnerability in Internet Explorer 7. This one is called Internet Explorer 7 Window Injection Vulnerability, and it is related to a previous vulnerability in IE 6.0, here.
A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites.
The problem is that a website can inject content into another site’s window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website. Source: Secunia via Faill.com
They have constructed a vulnerability test here, which has been tested on a fully patched system running Windows XP SP2 and IE7.