Security firm Skycure illustrates possible hacking attacks through iOS’ use of Provisioning Profiles

Posted by:
Date: Tuesday, March 12th, 2013, 07:41
Category: iOS, iPhone, News, security, Software

In the words of assorted security analysts, Apple may be setting itself up for a malware fall thanks to its Provisioning Profiles.

Per The Next Web, while iOS users have been relatively safe from malware on their devices, researchers from security company Skycure say they’re concerned about a feature of iOS that could be used by malicious actors to read information, passwords and even encrypted data from devices without customers knowledge. They’ve detailed the new vulnerability in a presentation at the Herzliya Conference and a company blog post.

It’s worth noting at the beginning that Skycure’s product, still in development, is a mobile firewall with a cloud component designed to secure devices against attacks just like these. This isn’t all that unusual, though, as many security firms like Sophos and Intego produce research reports along with consulting and security products.

Provisioning Profiles (mobileconfigs) are small files installed with a single tap on iOS devices. They essentially function as instruction lists which can alter many settings, including network configurations and they’re used by thousands of companies around the world including app developers, corporations with IT departments and more.

Their use is officially approved by Apple and there is nothing innately malicious about any given profile. But, if put to the right uses, they do open up the ability to read usernames and passwords right off of a screen, transmit data that would normally be secure (over HTTPS) to a malicious server where it can be read and a lot more.

In a demonstration, Skycure’s CTO Yair Amit and CEO Adi Sharabani sent the author to a website where a link was offered. A provisioning profile was presented, installed and led to a screen that looked a lot like a phishing attempt, which requires an action on the part of a user in order to infect or grant access to a hacker.

After the profile was installed, Sharabani demonstrated that he could not only read exactly which websites the author had visited, but also scrape keystrokes, searches and login data from apps like Facebook and LinkedIn. To be perfectly clear, this is not a vulnerability within iOS, instead it uses standardized frameworks to deliver a profile that has malicious intent.

iOS has typically been far more secure than other platforms because of its heavy use of curation on the App Store, but also because it has been built from the ground up to use sandboxing. This means that apps are cordoned off, unable to reach outside of their data box or to affect any other apps that have not given them explicit permission to do so.

Provisioning Profiles step outside of that protection and can do things like route all of a victim’s traffic through a third-party server, install root certificates allowing for interception and decryption of secure HTTPS traffic and more.

Sharabani provides a couple of scenarios by which people could be convinced to install what seems like a harmless provisioning profile, only to be a victim of a traffic re-routing attack:

- Victims browse to an attacker-controlled website, which promises them free access to popular movies and TV shows. In order to get the free access, “all they have to do” is to install an iOS profile that will “configure” their devices accordingly.

- Victims receive a mail that promises them a “better battery performance” or just “something cool to watch” upon installation.

The attacks, Sharabani stated, can be configured to use a VPN, APN proxy or a wireless proxy (WiFi), so just because you’re not on a WiFi network doesn’t mean that the profile can’t send your traffic to a third-party. This also means that (unlike a VPN, where there is an indicator in your status bar), you could also be affected by the hack without your knowledge. Of course, you would still have had to install a profile in the first place.

For the third attack scenario, Skycure came up with a list of cellular carriers that ask clients to install a special profile that configures their device to work with that network’s data servers. Of course, those sites could end up being compromised to deliver corrupted profiles, but it’s bound to be harder to do if it’s the carrier’s own servers doing the distribution.

As of now, no evidence has been found of a Provisioning Profile attack in the wild. And, to be extremely blunt once again, you are not at risk at all if you don’t install any profiles to your device, period. And if you have to, make sure that those profiles are from a trusted source and are verified. You should also only download and install profiles from ‘secure’ HTTPS links.

The disclosure of the issue, Sharabani says, is really about raising awareness, rather than starting a panic. While the attacks can be powerful and harmful, the Provisioning Profile attack, much like phishing, relies on user ignorance. Just as you wouldn’t type your password into a page provided as a random link, don’t install profiles from websites that you don’t know and avoid them completely if at all possible.

Because of the deep integration of Provisioning Profiles into the workflows of IT departments and other companies, it’s unlikely that they’ll be going away any time soon. So the best defense for now is knowledge and care.

Stay tuned for additional details as they become available.

Google Chrome updated to 25.0.1364.160

Posted by:
Date: Friday, March 8th, 2013, 07:52
Category: News, security, Software

google-chrome-logo

You can’t fault a company for regularly updating its software.

On Friday, Google released version 25.0.1364.160 of its Chrome web browser. The update, a 48.8 megabyte download, adds the following fixes and changes:

- [Fixed] High CVE-2013-0912: Type confusion in WebKit.

Google Chrome 25.0.1364.160 requires an Intel-based Mac with Mac OS X 10.6 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Oracle releases emergency Java patch, advises users to update to latest version

Posted by:
Date: Tuesday, March 5th, 2013, 08:58
Category: News, security, Software

javaicon

This is why updates were invented.

Per CNET, in response to discovering that hackers were actively exploiting two vulnerabilities in Java running in Web browsers, Oracle has released an emergency patch that it says should deal with the problem.

“These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password,” Oracle wrote in a security alert on Monday. “For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.”

Hackers were recently found using one of the vulnerabilities to get into users’ computers and install McRAT malware. Once installed, McRAT works to contact command, control servers, and copy itself into all files in Windows systems.

Only days after scheduling its last zero-day vulnerability in February, Oracle found these two new exploits. Rather than wait to include the patch in its scheduled quarterly April update, Oracle issued the emergency patch on Monday.

“In order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible,” Oracle software security assurance director Eric Maurice wrote in a blog post today.

According to Oracle, the most recent vulnerabilities are only applicable to Java running in Web browsers — they don’t affect Java running on servers, standalone Java desktop applications, or embedded Java applications. They also do not affect Oracle server-based software.

Users can install and update their Java software by going to the Java Web site or through the Java auto update.

Stay tuned for additional details as they become available.

Apple releases Java 2013-002 update for Mac OS X 10.7, 10.8 operating systems, Java for Mac OS X 10.6 Update 14

Posted by:
Date: Tuesday, March 5th, 2013, 07:38
Category: News, security, Software

applelogo_silver

A security update never truly goes unappreciated.

Following up on recently discovered zero-day Java security holes, Apple releases Java updates for its Mac OS X 10.6, 10.7 and 10.8 operating systems.

The first update, Java for Mac OS X 10.6 Update 14, stands as a 72.8 megabyte download and offers the following fixes and changes:

- Delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_41.

The update requires an Intel-based Mac running Mac OS X 10.6.8 or later to install and run.

The second update, Apple Java 2013-002, stands as a 68.3 megabyte download and offers the following fixes and changes:

- Uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.

- Removes the Java Preferences application, which is no longer required to configure applet settings.

The update requires an Intel-based Mac running Mac OS X 10.7 or later to install and run.

The updates can be located, snagged and installed via the Software Update feature built into the Mac OS X operating system.

If you’ve tried the updates and have any feedback to offer, please let us know in the comments.

Researcher locates HTML 5 exploit, floods hard drive with cat images in proof of concept video

Posted by:
Date: Monday, March 4th, 2013, 07:32
Category: News, security, Software

HTML5_Logo_256

In as much as Java and Adobe Flash Player have taken recent beatings where security is concerned, apparently no platform is safe.

Per the BBC, a recently discovered flaw in the HTML 5 coding language could allow websites to bombard users with gigabytes of junk data, with a number of popular browsers being open to the vulnerability.

According to developer Feross Aboukhadijeh, who uncovered the bug this week and posted it to his blog, data dumps can be performed on most major Web browsers, including Apple’s Safari, Google’s Chrome, Microsoft’s Internet Explorer and Opera, the BBC reported. The only browser to stop data dump tests was Mozilla’s Firefox, which capped storage at 5MB.

If in doubt, this proof of concept video sorta says it all…:



The problem is rooted in how HTML 5 handles local data storage. While each browser has different storage parameters, many of which support user-definable limits, all provide for at least 2.5 megabytes of data to be stored on a user’s computer.

Aboukhadijeh discovered a loophole that bypasses the imposed data cap by creating numerous temporary websites that are linked to a user-visited site. Because most browsers don’t account for the contingency, the secondary sites were allowed local storage provisions in amounts equal to the primary site’s limit. By generating a multitude of linked websites, the bug can dump enormous amounts of data onto affected computers.

In testing the flaw, Aboukhadijeh was able to dump 1GB of data every 16 seconds on his SSD-equipped MacBook Pro with Retina display. He noted that 32-bit browsers like Chrome may crash before a disk is filled.

“Cleverly coded websites have effectively unlimited storage space on visitor’s computers,” Aboukhadijeh wrote in a blogpost.

The developer has released code to exploit the bug and has created a dedicated website called Filldisk to highlight the flaw. In true internet meme fashion, the site dumps images of cats on to an affected machine’s hard drive.

Bug reports have already been sent to makers of the affected Web browsers, and Aboukhadijeh said malicious use of his code has yet to been seen in the wild.

Stay tuned for additional details as they become available.

Second lockscreen bypass exploit discovered in iOS 6.1, data vulnerable via USB connection

Posted by:
Date: Tuesday, February 26th, 2013, 07:07
Category: Hack, iOS, News, security, Software

Apple either needs to assign its iOS security people some business hammocks or take their current ones away…

A second iOS 6.1 bug has been discovered that gives access to contacts, photos and more. The vulnerability uses a similar method as the one disclosed previously, though it apparently gives access to more user data when the phone is plugged into a computer.

Per MacRumors and Kaspersky’s Threatpost, the exploit involves manipulating the phone’s screenshot function, its emergency call function and its power button. Users can make an emergency call (911 for example) on the phone and then cancel it while toggling the power on and off to get temporary access to the phone. A video posted by the group shows a user flipping through the phone’s voicemail list and contacts list while holding down the power button. From there an attacker could get the phone’s screen to turn black before it can be connected to a computer via a USB cord. The device’s photos, contacts and more “will be available directly from the device hard drive without the pin to access,” according to the advisory.

Apple was expected to fix the lock screen bug in iOS 6.1.2, but that small release fixed a different bug. Instead, it appears a fix for at least one of the lock screen vulnerabilities will be coming in iOS 6.1.3, currently in the hands of developers.

Stay tuned for additional details as they become available.

Apple’s iOS 6.1.3 beta could fix security holes, disable Evasi0n jailbreak

Posted by:
Date: Tuesday, February 26th, 2013, 07:02
Category: Hack, iOS, News, security, Software

evasi0n-icon

It was awesome while it lasted.

Per Forbes,

Late last week Apple released an update for iOS to developers in beta that prevents the use of the popular jailbreak software evasi0n, according to one of evasi0n’s creators who tested the patch over the weekend, David Wang.

Wang has stated that he’s analyzed the 6.1.3 beta 2 update and found that it patches at least one of the five bugs the jailbreak exploits, namely a flaw in the operating system’s time zone settings. The beta update likely signals the end of using evasi0n to hack new or updated devices after the update is released to users, says Wang, who says he’s still testing the patch to see which other vulnerabilities exploited by the jailbreak might no longer exist in the new operating system.

That impending patch doesn’t mean evasi0n’s time is up, says Wang. Judging by Apple’s usual schedule of releasing beta updates to users, he predicts that it may take as long as another month before the patch is widely released.

When evasi0n hit the Web earlier this month, it quickly became the most popular jailbreak of all time as users jumped at their first chance to jailbreak the iPhone 5 and other most-recent versions of Apple’s hardware. The hacking tool was used on close to seven million devices in just its first four days online.

Apple already has a more pressing security reason to push out its latest update. The patch also fixes a bug discovered earlier this month that allows anyone who gains physical access to a phone to bypass its lockscreen in seconds and access contacts and photos.

When Apple’s update arrives, the team of jailbreakers known as the evad3rs may still have more tricks in store. Wang has stated that the group has discovered enough bugs in Apple’s mobile operating system to nearly build a new iOS jailbreak even if all the bugs they currently use are fixed.

Stay tuned for additional details as they become available.

Apple releases iOS 6.1.3 beta 2 build to developer community, looks to resolve recently-discovered lock screen security hole

Posted by:
Date: Friday, February 22nd, 2013, 07:21
Category: iOS, News, security, Software

This could be useful.

Per MacNN, Apple on Thursday pushed a new beta build to the developer community of its iOS mobile operating system designed to address a bug that can allow users to get past an iPhone lock screen even when a secure passcode is enabled.

iOS 6.1.3 beta 2 is available to members of Apple’s development community for testing prior to the software’s official release. Sources familiar with the latest build indicated it addresses the security hole discovered last week that could allow anyone to bypass an iPhone lock screen.

Those with access to the new software indicated it is identified as “Build 10B318.”

The software also reportedly includes a number of improvements related to the Maps application in Japan. Specifically, they are:
- Improved pronunciation of roads during turn-by-turn navigation.

- Optimized directions to more strongly prefer highways over narrower roads.

- Now indicates upcoming toll roads during turn-by-turn navigation.

- Added labels for junctions, interchanges, on-ramps, off-ramps, and intersections.

- Added indicators for transit station buildings, subway lines, and traffic lights.

- Updated freeway color to green.

- Updated icons for some location categories including fire stations, hospitals, and post offices Added 3D buildings including Tokyo Station, Japan Imperial Palace, and Tokyo Tower.

The new beta comes only two days after Apple released iOS 6.1.2 to the public, addressing a bug related to Exchange calendars that could drain a device’s battery.

Apple first began testing its planned improvements for iOS Maps in Japan with the first beta of iOS 6.1.1 earlier this month. But that software number was quickly used for an update issued to iPhone 4S owners that addressed issues related to battery life and 3G connectivity.

Thursday’s beta software release was renamed iOS 6.1.3 for developers because the iOS 6.1.2 identifier was also used this week in the latest public update.

Stay tuned for additional details as they become available.

Apple cyber attack investigation shifts from Chinese to eastern European hackers

Posted by:
Date: Thursday, February 21st, 2013, 07:51
Category: News, security, Software

Ok, maybe we were a bit hasty in blaming the chinese…

Per Bloomberg, while earlier reports suggested hackers who targeted Apple emanated from China, investigators now believe the criminals are instead based out of Eastern Europe.

The attacks on Apple, Facebook, Twitter and others are now linked to “an Eastern European gang of hackers that is trying to steal company secrets,” citing sources people familiar with an ongoing investigation.

“Investigators suspect that the hackers are a criminal group based in Russia or Eastern Europe, and have tracked at least one server being used by the group to a hosting company in the Ukraine,” the report said. “Other evidence, including the malware used in the attack, also suggest it is the work of cyber criminals rather than state-sponsored espionage from China, two people familiar with the investigation said.”

An earlier report had instead linked recent attacks on companies like Facebook to the Chinese Army. It claimed that there was “little doubt” that an “overwhelming percentage of attacks on American corporations, organizations and government agencies” originate from a People’s Liberation Army group known as “Unit 61398″ based out of the outskirts of Shanghai.

Apple announced on Wednesday that some of its employees’ laptops had been infected through a vulnerability in the Java plug-in for browsers. The company revealed that the same malware was used against a number of companies, but did not indicate what country the attacks may have originated from.

“We identified a small number of systems within Apple that were infected and isolated them from our network,” the company said in a statement. “There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.”

The attacks are believed to have occurred through an iPhone developer community website that was hosting malware. It’s believed that the infected code made its way onto the computers of Apple, Facebook, Twitter and other companies utilizing a Java zero-day flaw.

The method used by the criminals is a so-called “watering hole attack,” in which hackers compromise a popular website that many people visit and trust.

Apple on Tuesday pushed out an update for all OS X users that patches the exploit, and also removes the Java Web applet.

Stay tuned for additional details as they become available.

Evasi0n hack updated, new version offers iOS 6.1.2 support

Posted by:
Date: Wednesday, February 20th, 2013, 08:34
Category: iOS, News, security, Software

evasi0n-icon

It’s hard to knock a hack that’s also updated frequently.

Per MacNN, the Evasi0n iOS jailbreak tool has been released enabling support for the new 6.1.2 OS update. No bug fixes are noted for the release, or specific notes on what the group had to modify to enable the hack.

Problems such as app instability, battery drain or other minor issues are common with jailbreaks, as they rely on injecting new code to overwrite portions of the original Apple code. Other potential hazards, according to Apple, include security issues as the jailbreak relies on an exploit, which could be found and misused by others to serve malware or foster hacking attacks as seen on the Android platform.

Apple has also warned that iOS devices that are jailbroken may in some cases be refused warranty or extra-warranty service, particularly if there is any chance that the jailbreaking is related to the complaint. Most devices can be easily un-jailbroken and returned to normal service if they are still operable, but if they are nonfunctional as a result of the process (known as “bricked’) then the jailbreak cannot be removed before servicing.

If you’ve tried the updated version of Evasi0n and have any feedback to offer, please let us know in the comments.