
SANS ISC InfoSec Handlers Diary Blog



Critical OS X Vulnerability Patched

Published: 2011-10-13
Last Updated: 2011-10-13 03:08:14 UTC
by Johannes Ullrich (Version: 1)

With today's focus on the release of iOS 5, and people worldwide refreshing the UPS shipping status page to check whether their iPhone 4S has left Hong Kong or Anchorage yet, a patch released for OS X Lion (10.7) came in under the radar. In addition to bringing us iCloud support and a good number of other security-related fixes, one issue sticks out as SUPER CRITICAL, PATCH NOW, STOP THAT iOS 5 DOWNLOAD.

The exploit can be implemented in a single line of JavaScript and will launch arbitrary programs on the user's system. It does not appear that the attacker can pass arguments to the program being launched, which may make real malicious exploitation a bit harder, but I am not going to wait for an improved proof of concept to prove me wrong.

That said: it is our policy not to link to exploit code. Search Twitter and other outlets for links. We may reconsider if we see the code used maliciously. At this point, I am only aware of the PoC site. Please let us know if you spot it anywhere else.
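The first thing a practitioner will want to know is whether a given Mac already has the fix. The script below is an added example, not code from this diary or from Apple; it assumes the fix is the one that shipped in the OS X 10.7.2 update (the Lion release that bundled iCloud support) and compares the version reported by sw_vers against that. The function names version_ge and lion_patched are my own.

```shell
#!/bin/sh
# Added example: is this Mac at or above the Lion release that carries the fix?
# Assumption: the fix shipped in OS X 10.7.2 (the Lion update that added iCloud).
PATCHED_VERSION="10.7.2"

# version_ge A B: exit 0 if dotted numeric version A is >= B, else 1.
# Missing trailing components count as 0, so 10.7 < 10.7.2 and 10.7 == 10.7.0.
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"
        bi="${b%%.*}"
        if [ -z "$ai" ]; then ai=0; fi
        if [ -z "$bi" ]; then bi=0; fi
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# lion_patched VERSION: exit 0 if VERSION is a Lion (10.7.x) release at or above
# PATCHED_VERSION, 1 if it is an unpatched Lion, 2 if it is not Lion at all.
# The diary describes this as a Lion issue; other releases are out of scope here.
lion_patched() {
    case "$1" in
        10.7|10.7.*) version_ge "$1" "$PATCHED_VERSION" ;;
        *) return 2 ;;
    esac
}

# On a Mac, check the running system; elsewhere (or under a test harness) do nothing.
if [ "$(uname -s)" = "Darwin" ]; then
    installed="$(sw_vers -productVersion)"
    rc=0
    lion_patched "$installed" || rc=$?
    case "$rc" in
        0) echo "OS X $installed: at or above $PATCHED_VERSION, fix present" ;;
        2) echo "OS X $installed: not Lion, this check does not apply" ;;
        *) echo "OS X $installed: unpatched Lion, run Software Update now" ;;
    esac
fi
```

The comparison is written out component by component rather than relying on sort -V, which the BSD sort shipped with OS X of that era does not support. A non-Lion result is deliberately reported as "does not apply" rather than "patched", since the check knows nothing about those releases.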

NB: My MacBook failed to boot after applying the update. Still debugging why :(

Update: In my case, the MacBook boot failed because I had Symantec's PGP software installed. I didn't use the whole-disk encryption, but PGP still installed drivers that turned out to be the problem. My recovery process:

- hold Command+R during boot to boot into Recovery mode (if you have a recovery partition)
- if you are using FileVault 2, launch Disk Utility to unlock the disk
- remove the following files from your system disk (which is now mounted under /Volumes):

    Library/Extensions/PGPnke.kext
    System/Library/Extensions/PGPwde.kext
    Library/Extensions/PGPdiskDriver.kext

This did it for me. The next reboot went fine. For more details see the following sites that helped me get this working:
http://prowiki.isc.upenn.edu/wiki/Removing_PGP_Desktop_on_a_Mac
https://discussions.apple.com/message/16333057#16333057
http://www.macworld.com/article/161088/2011/07/hands_on_lion_recovery_mode.html
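The three kext removals above, collected into one script. This is an added example and not the diary author's own commands; it assumes the Lion system volume has already been unlocked and is mounted somewhere under /Volumes, and takes that mount point as its argument. Rather than deleting the kexts it moves them into a PGP-kexts-removed folder on the same volume, so they can be put back if the boot failure turns out to have another cause. The function names and the backup folder name are my own.

```shell
#!/bin/sh
# Added example, not the diary author's commands: quarantine the Symantec PGP
# kernel extensions on a Lion system volume mounted from Recovery.
# The three relative paths are the ones the diary lists.
PGP_KEXTS="Library/Extensions/PGPnke.kext
System/Library/Extensions/PGPwde.kext
Library/Extensions/PGPdiskDriver.kext"

# pgp_kexts_present VOLUME: exit 0 if any of the PGP kexts still exists under VOLUME.
pgp_kexts_present() {
    vol="${1%/}"
    for rel in $PGP_KEXTS; do
        if [ -e "$vol/$rel" ]; then
            return 0
        fi
    done
    return 1
}

# quarantine_pgp_kexts VOLUME: move each PGP kext found under VOLUME into
# VOLUME/PGP-kexts-removed (so it can be restored if the boot failure had another
# cause) and print the number moved. Exit 1 if VOLUME is not a system volume.
quarantine_pgp_kexts() {
    vol="${1%/}"
    # Refuse anything that does not look like an OS X system volume, e.g. the
    # recovery volume itself or a mistyped mount point.
    if [ ! -d "$vol/System/Library/Extensions" ]; then
        echo "error: $vol has no System/Library/Extensions, not a system volume" >&2
        return 1
    fi
    backup="$vol/PGP-kexts-removed"
    mkdir -p "$backup" || return 1
    moved=0
    for rel in $PGP_KEXTS; do
        if [ -d "$vol/$rel" ]; then
            mv "$vol/$rel" "$backup/" || return 1
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Usage: sh this-script "/Volumes/Macintosh HD"   (the volume name is an
# assumption; use whatever Disk Utility shows after unlocking the disk)
if [ "$#" -eq 1 ]; then
    count="$(quarantine_pgp_kexts "$1")" || exit 1
    echo "moved $count PGP kext(s) into $1/PGP-kexts-removed; reboot normally"
    if pgp_kexts_present "$1"; then
        echo "warning: some PGP kext paths still exist under $1" >&2
    fi
fi
```

From Recovery, open Utilities > Terminal and run it against the mounted volume; the check for System/Library/Extensions is there so that pointing it at the recovery volume or at a mistyped path fails loudly instead of silently doing nothing. Quote the mount point, since Lion volume names usually contain a space.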

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: exploit OS X Safari