[IS&T Security-FYI] Newsletter, June 27, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Jun 27 14:08:13 EDT 2008


In this issue:

1. Mac OS X Root Access Vulnerability
2. Microsoft Thwarts Password Stealers
3. Apple Patches Safari for Windows


-------------------------------------------------
1. Mac OS X Root Access Vulnerability
-------------------------------------------------

There appears to be a serious flaw in Mac OS X's implementation of  
AppleScript. This flaw affects users of Mac OS X 10.4 and 10.5.

ARDAgent is the application that responds to Apple Remote Desktop  
remote administration requests, screen sharing and the like; you can  
find it in /System/Library/CoreServices/RemoteManagement on 10.5  
machines.

When you're administering remote Macs, ARDAgent needs to be 'setuid  
root' -- it needs to run with the privileges and access that belong to  
the system administrator, the same way you do temporarily whenever you  
unlock a system preference or install an application with Apple's  
installer. This is normal and expected behavior.

What's not so normal and expected is that ARDAgent will execute the  
'do shell script' AppleScript command (on behalf of remote admins, who  
need to run Unix commands from time to time). The problem here is that  
since ARDAgent is setuid root, any subprocess it launches is running  
with administrator permissions, and in fact with the right malicious  
scripting here it would be possible to do a great deal of damage.

In order to activate this vulnerability the attacker would either have  
to be at the machine, or logged in remotely with the same account that  
is currently in use... or just convince the user to run a malicious  
downloaded application.

Bad news: Trojans exploiting this vulnerability have already been  
sighted:

<http://www.scmagazineus.com/Two-in-the-wild-trojans-target-Mac-OS-X/article/111551/>
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101898&intsrc=hm_list>

Good news: there is a workaround. These articles go into more detail:

<http://www.macnn.com/articles/08/06/25/applescript.flaw/>
<http://www.tuaw.com/2008/06/19/ardagent-setuid-allows-root-access-but-theres-an-easy-fix/>

Source: TUAW.com
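As an added example (not from this newsletter, from Apple, or from the linked MacNN/TUAW articles): a POSIX shell script an administrator can use to audit a directory tree for setuid executables, check whether ARDAgent in particular carries the setuid bit, and apply the workaround that circulated at the time, removing that bit until Apple's fix is installed. The full path to the executable inside the ARDAgent.app bundle is an assumption; the newsletter only names the RemoteManagement directory. The script builds a constructed temporary tree so it also runs on a non-Mac system.

```shell
#!/bin/sh
# Added example; not code from the newsletter or the articles it links.
# Audits a tree for setuid executables and removes the setuid bit from a
# named binary. Demonstrated on a constructed temp tree when the real
# ARDAgent path (an assumption) is not present.

# Assumed executable path inside the bundle under the directory the
# newsletter names (/System/Library/CoreServices/RemoteManagement).
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# is_setuid PATH -> exit 0 if PATH is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# list_setuid DIR -> one path per line for every setuid regular file under
# DIR, sorted so successive runs can be diffed against a saved baseline.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# count_setuid DIR -> number of setuid regular files under DIR.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# drop_setuid PATH -> remove the setuid bit (the workaround). Caveat from the
# newsletter's own description: ARDAgent needs setuid root to serve Apple
# Remote Desktop administration, so this disables that function on the
# machine until the bit is restored after patching.
drop_setuid() {
    chmod u-s "$1"
}

# make_demo_tree -> create a constructed temp tree holding one setuid file
# and one plain file; prints the directory path. Constructed sample data.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf '#!/bin/sh\necho agent\n' > "$d/bin/fake-agent"
    printf '#!/bin/sh\necho tool\n' > "$d/bin/plain-tool"
    chmod 4755 "$d/bin/fake-agent"   # setuid + rwxr-xr-x
    chmod 755 "$d/bin/plain-tool"    # rwxr-xr-x, no setuid
    echo "$d"
}

# Stand-alone run: report on the real ARDAgent if it is present, then walk
# through the audit and workaround on the constructed tree.
if is_setuid "$ARDAGENT"; then
    echo "ARDAgent is setuid: $ARDAGENT (remove with: sudo chmod u-s \"$ARDAGENT\")"
else
    echo "ARDAgent not present or not setuid at: $ARDAGENT"
fi

demo=$(make_demo_tree)
echo "setuid files before workaround ($(count_setuid "$demo")):"
list_setuid "$demo"
drop_setuid "$demo/bin/fake-agent"
echo "setuid files after workaround: $(count_setuid "$demo")"
rm -rf "$demo"
```

Running `list_setuid /` as root and saving the output gives a baseline; a later run diffed against it shows any newly setuid binary, which is the general check this incident illustrates.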


--------------------------------------------------
2. Microsoft Thwarts Password Stealers
--------------------------------------------------

According to ComputerWorld.com, Microsoft's June security updates were  
bad news for online criminals who make their living stealing password  
information from online gamers.

The company's Malicious Software Removal Tool -- a program that  
detects and removes viruses and other undesirable programs from  
Windows machines -- zapped game password-stealing software from more  
than 2 million PCs in the first week after it was updated to detect  
these programs on June 10.

Password stealers such as Taterf are among the most common types of  
malicious software on the Internet. That's because there's big money  
to be made selling the virtual currencies used in online games for  
real-world cash. Once a criminal learns a gamer's username and  
password, he can log into the game and sell the victim's virtual  
possessions for virtual gold coins. Those coins are then handed to  
another character in the game who sells the gold for real-world  
dollars at an online exchange. Effectively, this is money laundering.

Read full article:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101878&intsrc=hm_list>

Learn more about Malicious Software Removal Tool:
<http://www.microsoft.com/security/malwareremove/default.mspx>


----------------------------------------------
3. Apple Patches Safari for Windows
----------------------------------------------

As mentioned in the June 6 issue of this Security-FYI newsletter, a  
flaw that was detected in Safari for Windows, but which Apple did not  
regard as a security issue at the time, led Microsoft to recommend  
that users avoid the web browser until a patch was released.

The flaw has since been patched. The fix stymies the kind of attacks  
that security researcher Nitesh Dhanjani disclosed last month.  
Dhanjani dubbed them "carpet bomb" attacks because they could litter  
the Windows desktop with malware files by taking advantage of the  
Safari flaw. Safari 3.1.2 now notifies the user before downloading a  
file, according to Apple in the advisory that accompanied the fixes.  
"Also," said Apple, "the default download location is changed to the  
user's Downloads folder on Windows Vista, and to the user's Documents  
folder on Windows XP."

Read full article:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101239&intsrc=hm_list>



=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security