[IS&T Security-FYI] Newsletter, June 27, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Jun 27 14:08:13 EDT 2008
In this issue:
1. Mac OS X Root Access Vulnerability
2. Microsoft Thwarts Password Stealers
3. Apple Patches Safari for Windows
-------------------------------------------------
1. Mac OS X Root Access Vulnerability
-------------------------------------------------
There is a serious local privilege escalation flaw in Mac OS X 10.4 and
10.5 involving ARDAgent and AppleScript. ARDAgent is the application that
responds to Apple Remote Desktop remote administration requests, screen
sharing and the like; on 10.5 machines you can find it in
/System/Library/CoreServices/RemoteManagement.
Because it administers the machine on behalf of remote admins, ARDAgent is
installed 'setuid root': whoever launches it, the process runs as root,
the Unix superuser, rather than as the user who started it. That is
comparable to the elevated access you get temporarily whenever you unlock
a system preference or install an application with Apple's installer, and
by itself it is normal and expected for this program.
What's not so normal and expected is that ARDAgent will also execute the
'do shell script' AppleScript command on behalf of whoever sends it one
(remote admins need to run Unix commands from time to time). Since
ARDAgent is setuid root, any shell command it launches this way runs as
root. In effect, any process already running as the logged-in user can
have ARDAgent run an arbitrary command as root, with none of the
unlock-style authorization described above, which is enough to do a great
deal of damage.
To exploit this the attacker has to be able to run code on the machine:
either sitting at it, logged in remotely as the account currently in use,
or, more likely, by convincing the user to run a malicious downloaded
application.
Bad news: Trojans exploiting this vulnerability have already been
sighted:
<http://www.scmagazineus.com/Two-in-the-wild-trojans-target-Mac-OS-X/article/111551/>
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101898&intsrc=hm_list>
Good news: there is a workaround. These articles go into more detail:
<http://www.macnn.com/articles/08/06/25/applescript.flaw/>
<http://www.tuaw.com/2008/06/19/ardagent-setuid-allows-root-access-but-theres-an-easy-fix/>
Source: TUAW.com
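The property at the heart of this flaw is a binary that is both set-user-ID and owned by root: it runs as root no matter who launches it. The shell functions below are an added example for this newsletter, not code from the original or from TUAW. They check that property on a single path, list every such binary under a directory (the audit a cautious admin runs after a story like this), and strip the bit with chmod u-s. The demonstration runs on a constructed scratch file, not on ARDAgent; on a real 10.5 machine the path of interest would be the ARDAgent executable inside the ARDAgent.app bundle under /System/Library/CoreServices/RemoteManagement (standard bundle layout assumed: Contents/MacOS/ARDAgent), and changing it needs sudo.

```sh
#!/bin/sh
# Added example, not from the newsletter or TUAW: checking for, auditing
# and stripping the setuid-root property that makes ARDAgent dangerous
# once it will run arbitrary 'do shell script' commands.

# Return 0 if $1 exists and has the set-user-ID bit set (any owner).
# The POSIX test operator -u checks exactly that bit.
is_setuid() {
    [ -u "$1" ]
}

# Return 0 if $1 is a regular file that is set-user-ID AND owned by root,
# i.e. it executes as root for every caller. -prune stops find from
# descending if $1 is a directory, so only the path given is tested.
is_setuid_root() {
    [ -n "$(find "$1" -prune -type f -perm -4000 -user root -print 2>/dev/null)" ]
}

# Print every regular file under $1 that is set-user-ID and owned by root.
# Each entry is a program that hands root to anyone who can make it do
# their bidding, which is exactly what ARDAgent's scriptability allows.
list_setuid_root() {
    find "$1" -type f -perm -4000 -user root -print 2>/dev/null
}

# Remove the set-user-ID bit from $1; return 0 only if it is really gone.
# Afterwards the program runs with the caller's own privileges, so a
# 'do shell script' routed through it no longer gains anything.
strip_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# Demonstration on a constructed scratch file (not ARDAgent). The file is
# owned by whoever runs this script, so it is setuid-root only when that
# happens to be root; the messages show which case applies.
demo_dir=$(mktemp -d)
scratch="$demo_dir/scratch-agent"
: > "$scratch"
chmod 4755 "$scratch"   # mode rwsr-xr-x, as a setuid binary would show in ls -l
is_setuid "$scratch" && echo "scratch file is setuid"
if is_setuid_root "$scratch"; then
    echo "...and owned by root: it would run as root for every caller"
else
    echo "...but not owned by root, so it is not a setuid-root escalation"
fi
echo "setuid-root binaries under $demo_dir:"
list_setuid_root "$demo_dir"
strip_setuid "$scratch" && echo "setuid bit stripped"
rm -rf "$demo_dir"
```

On a Mac the same audit of the whole system is `find / -type f -perm -4000 -user root -print`; compare the list against what you expect to be there, and remember that stripping the bit from ARDAgent also disables the remote administration it exists to provide, so the TUAW article's workaround is the reference, not this generic chmod.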
--------------------------------------------------
2. Microsoft Thwarts Password Stealers
--------------------------------------------------
According to ComputerWorld.com, Microsoft's June security updates were
bad news for online criminals who make their living stealing password
information from online gamers.
The company's Malicious Software Removal Tool -- a program that
detects and removes viruses and other undesirable programs from
Windows machines -- zapped game password-stealing software from more
than 2 million PCs in the first week after it was updated to detect
these programs on June 10.
Password stealers such as Taterf are among the most common types of
malicious software on the Internet. That's because there's big money
to be made selling the virtual currencies used in online games for
real-world cash. Once a criminal learns a gamer's username and
password, he can log into the game and sell the victim's virtual
possessions for virtual gold coins. Those coins are then handed to
another character in the game who sells the gold for real-world
dollars at an online exchange. Effectively, this is money laundering.
Read full article:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101878&intsrc=hm_list>
Learn more about Malicious Software Removal Tool:
<http://www.microsoft.com/security/malwareremove/default.mspx>
----------------------------------------------
3. Apple Patches Safari for Windows
----------------------------------------------
As mentioned in the June 6 issue of this Security-FYI newsletter, a
flaw was detected in Safari for Windows which Apple did not at the time
regard as a security issue, but which prompted Microsoft to recommend
that users avoid the browser until a patch was released.
The flaw has since been patched. The fix stymies the kind of attacks
that security researcher Nitesh Dhanjani disclosed last month.
Dhanjani dubbed them "carpet bomb" attacks because they could litter
the Windows desktop with malware files by taking advantage of the
Safari flaw. Safari 3.1.2 now notifies the user before downloading a
file, according to Apple in the advisory that accompanied the fixes.
"Also," said Apple, "the default download location is changed to the
user's Downloads folder on Windows Vista, and to the user's Documents
folder on Windows XP."
Read full article:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101239&intsrc=hm_list>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security