SecureMac.com

Vulnerability in Multiple Microsoft Products for Mac OS

Fixes:
To fix Internet Explorer: Update through the Software Update pane/control panel.
Patch Microsoft Office Products: Patch is Here
More Information: Security Alert

Vulnerability: Allows an attacker to run code of their choosing.
Severity Level: Microsoft suggests Critical
Affected Software:
  • Microsoft Internet Explorer 5.1 for Macintosh OS X
  • Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9
  • Microsoft Outlook Express 5.0-5.0.3 for Macintosh
  • Microsoft Entourage v. X for Macintosh
  • Microsoft Entourage 2001 for Macintosh
  • Microsoft PowerPoint v. X for Macintosh
  • Microsoft PowerPoint 2001 for Macintosh
  • Microsoft PowerPoint 98 for Macintosh
  • Microsoft Excel v. X for Macintosh
  • Microsoft Excel 2001 for Macintosh
Josha Bronson of AngryPacket Security and w00w00 compiled the advisory below. Microsoft has released a patch for its products, which should be downloaded now.
w00w00 (http://www.w00w00.org)
Angry Packet Security (http://sec.angrypacket.com)

Vulnerability in Multiple Microsoft Products for Mac OS
HTML format: http://www.w00w00.org/advisories/ms_macos.html
Text format: http://www.w00w00.org/files/advisories/ms_macos.txt

SOFTWARE VERSIONS AFFECTED

Microsoft Internet Explorer
Versions affected: 5.1
Platforms affected: Mac OS 8, 9, and X

Microsoft Outlook Express
Versions affected: 5.0.2
Platforms affected: all Mac OS

Microsoft Entourage
Versions affected: 2001 and X
Platforms affected: all Mac OS

Microsoft PowerPoint
Versions affected: 98, 2001, and X
Platforms affected: all Mac OS

Microsoft Excel
Versions affected: 2001 and X
Platforms affected: all Mac OS

Microsoft Word
Versions affected: 2001
Platforms affected: all Mac OS

PRELUDE

A bug in Internet Explorer for Mac OS X was originally reported to
Microsoft by Josha Bronson of Angry Packet Security on January 4,
2002. 

Due to some internal mishandling at Microsoft, this was brushed off
until w00w00 informed Microsoft of its intention to release the
information on February 17. We originally gave them a deadline of
two weeks until we discovered that this affected Entourage (the 
Outlook equivalent for Mac OS). When Microsoft determined this 
affected most of their Office suite on Mac OS, we felt it was
appropriate to give them time to fix it.

DESCRIPTION

There is a vulnerability in multiple Microsoft products on Mac OS.
The problem lies in the handling of a lengthy subdirectory in the
file:// directive, such as file:///AAAAAA[...] or 
file://A/A/A/A/[...]. The number of subdirectories is trivial as 
long as there is at least one.

IMPLICATIONS

In most cases, the user would need to click on the link to be
attacked. In the case of Entourage or Outlook Express, however, 
just opening the email will cause this. This leaves the 
potential for a worm. The magnitude depends on how many people 
actually use Entourage and Outlook Express for Mac OS. In all
cases, writing shellcode to exploit this problem is simple. 
Given that Mac OS X has a Unix interface, existing PowerPC 
shellcode that runs /bin/sh will work. No complex shellcode 
is needed to bind to a port or download an application off the 
web. The /bin/sh shellcode would need to be changed from an 
interactive shell to one that will execute a chain of commands. 
There are enough commands on Mac OS by default to allow an 
attacker to download and execute an application off of a web 
page.  The downloaded application could do any number of 
things, such as read off the user's contact list and send the 
same email to exploit to all of the user's contacts.

EXPLOIT

The following HTML file will demonstrate the problem. We chose to
use IMG simply because that is instantly loaded, but an
<A HREF=...> could have been used also. It can also be viewed (in
live form) at http://www.w00w00.org/files/advisories/ie_sample.html.
It overwrites the saved link register which is used for a
subroutine's return address on PowerPC. This will allow remote
execution of arbitrary code. The saved link register is overwritten
by the 0x41424344. This vulnerability will allow up to 1313
characters before the saved link register. Pure binary data
(including NUL bytes) can be used by escaping it (i.e., A as %41).
However, using "%41" will count as three characters, rather than
just one. Note: by character I mean unibyte characters.

<html>
<body>
<img src=file:///[1313 characters]%41%42%43%44>
</body>
</html>

PATCHES

For Internet Explorer, a patch is available from 
http://www.apple.com/macosx/upgrade/softwareupdates.html. For
the other products, the patches can be downloaded from
http://www.microsoft.com/mac/download.

CREDIT

w00w00 would like to thank Angry Packet for involving us in their
efforts to get Microsoft to resolve this problem after their 
attempts failed.


UPDATES
To fix Internet Explorer, open your Software Update control panel and update. For the Microsoft Office product updates, visit the update page.
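
Added example (not part of the SecureMac page or the w00w00 advisory): a Python check that a mail or web content filter could run over HTML to flag the overlong file:// URLs the advisory describes, counting raw characters the way the advisory does ("%41" counts as three). The names FileUrlScanner, describe, scan_html and MAX_FILE_URL_CHARS, the 255-character limit and both sample inputs are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Assumption: 255 is a hypothetical policy limit chosen for this example. The
# advisory itself only says 1313 characters precede the saved link register.
MAX_FILE_URL_CHARS = 255
URL_ATTRS = {"src", "href", "background", "data"}


def describe(tag, attr, url):
    """Measure the part of a file:// URL that follows the scheme."""
    path = url[len("file://"):]
    raw_len = len(path)                        # "%41" counts as three characters
    decoded_len = len(unquote_to_bytes(path))  # and as one byte once unescaped
    return {
        "tag": tag,
        "attr": attr,
        "raw_chars": raw_len,
        "decoded_bytes": decoded_len,
        "escaped_nul": "%00" in path,          # advisory notes NUL can be escaped
        "suspicious": raw_len > MAX_FILE_URL_CHARS,
    }


class FileUrlScanner(HTMLParser):
    """Collects file:// URLs from URL-bearing attributes of any tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and accepts the
        # unquoted attribute values used in the advisory's sample page.
        for name, value in attrs:
            if name in URL_ATTRS and value and value.lower().startswith("file://"):
                self.findings.append(describe(tag, name, value))


def scan_html(html):
    """Return one finding per file:// URL in the given HTML (page or mail part)."""
    scanner = FileUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample inputs: an ordinary local link, and a page with the same
# shape as the advisory's sample (1313 filler characters, then four escapes).
BENIGN = '<a href="file:///Users/alice/Documents/report.html">report</a>'
OVERLONG = "<html><body><img src=file:///" + "A" * 1313 + "%41%42%43%44></body></html>"
```

A finding with "suspicious" set is a reason to quarantine or strip the element before the message or page reaches an unpatched client. Installing the patches listed above remains the actual fix.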
