Apple releases Quicktime and Airport Extreme security updates

Apple has released security updates for the vulnerability published during the Month of Apple Bugs as MOAB-01-01-2007 and the closing vulnerability for the Month of Kernel Bugs , MOKB-30-11-2006. The exposure time was of 22 days for the first, and 58 days for the latter (although no public proof of concept was distributed, which would have, most probably, boosted the patch development).

• AirPort Update 2007-001 (CVE-2006-6292)
• Security Update 2007-001 (CVE-2007-0015)

Exploiting the otherwise non-exploitable, on Mac OS X

UserNotificationCenter retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, it will attempt to run any InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.

See the Month of Apple Bugs release and the exploit. This issue can be abused by fully unprivileged users and triggered via any of the so-called 'crashes' (ex. alleged 'denial of service'-only issues...).

A tribute to the Month of Browser Bugs, and specially Matt Miller, HD Moore and Skywing.

Inline Media Encryptor

Description from the NSA website about IME:

The Inline Media Encryptor (IME) is a government-developed media encryption device. It is positioned "in line" between the computer processor and hard drive to ensure that anything stored to the hard drive gets encrypted and anything retrieved from the hard drive gets decrypted. The IME protects data classified Top Secret and below. Data stored on the hard drive is considered unclassified when encrypted.

Nice. Read about the features. Certainly hardware based solutions are extremely useful. Wonder if there's a commercial device that conforms to similar standards available for public consumption. Hopefully not.

January first week digest

There has been a significant work load, between working on exploit code and dealing with press and media. Looks like some stuff has been going around:

• The Metasploit module (Microsoft Windows target) for the Quicktime RSTP vulnerability, by MC.
• An excellent article by Brian Krebs about Microsoft Internet Explorer vulnerabilities, patch times and "exposure" time (total: 284 days, see the neat chart).
• Apple DiskManagement BOM Local Privilege Escalation Vulnerability (Month of Apple Bugs).
• Landon Fuller kicks *** with the fixes for MOAB issues.
• VideoLAN fixes the VLC issue in record time (certainly an example of fast great vulnerability response).
• dr_springfield website (nice code).

More to come if there's time for it.