
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-10-21



Apple Releases Updates for iOS, WatchOS, OS X, Safari and iTunes.

Published: 2015-10-21
Last Updated: 2015-10-21 19:42:06 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Apple published one of its usual updates for "everything". Below I took a shot at a quick summary. You can find the details at https://support.apple.com/kb/HT201222

iOS 9.1

49 vulnerabilities fixed. A number of these affect WebKit and are exploitable via Safari, i.e. by visiting a malicious web page. The update also addresses numerous issues in FontParser, which is reachable through any app that renders untrusted fonts.

WatchOS 2.0.1

14 vulnerabilities fixed. CVE-2015-5916 looks like a repeat of what was fixed in WatchOS 2: Apple Pay may allow a malicious terminal to retrieve a partial transaction history.

Safari 9.0.1

9 vulnerabilities in WebKit fixed (pretty much the same WebKit vulnerabilities fixed in iOS 9.1).

iTunes 12.3.1

12 vulnerabilities fixed, 9 of which affect WebKit, which is bundled with iTunes. This is the reason iTunes needs patching even on systems that never use Safari.

EFI

The Mac EFI firmware contained unused functions that could be abused. This update removes those unused functions, reducing the attack surface below the operating system.

Apple OS X 10.11.1

41 vulnerabilities fixed. Again WebKit and some FontParser vulnerabilities. This update also addresses issues in open source software bundled with OS X, such as PHP. The Safari 9.0.1 update is included in this update.

I didn't see an update for AppleTV yet, but wouldn't be surprised if one is released as well. At least the WebKit issues will also affect AppleTV.

---
Johannes B. Ullrich, Ph.D.


Odd DNS TXT Record. Anybody Seen This Before?

Published: 2015-10-21
Last Updated: 2015-10-21 13:46:26 UTC
by Johannes Ullrich (Version: 1)
18 comment(s)

A reader sent us some "odd-looking" DNS TXT records. The records were recovered from an old, decommissioned DNS server. Has anybody seen this before? The zone also includes the Google Apps authentication records, so it is possible that this is a similar verification scheme. According to the reader, the change times on the file are from 2010, but it is not certain that these times are correct. The file was maintained manually, so it is unlikely that a bad IP management script corrupted it.

We have seen DNS TXT records used as a covert channel in the past, so it is possible that this is an attempt at something similar, or that these records were used as payload for reflective DNS attacks: a large TXT answer to a small spoofed query makes a good amplifier. At this point, I really have no idea and was wondering if someone else has seen this.


bradmbig        TXT "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@Cc::.:::cc:C@@@@@@@@" "@@@@@@@Oc::....:...:::co@@@@@@" "@@@@@@c:::........:::::cc@@@@@" "@@@@@o:::::::c::::c:....:@@@@@" "@@@@O::::oooCoOOoCCOCc...O@@@@" "@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@" "@@@@@c::CCccoooOoooccoo..O@@@@" "@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@" "@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@" "@@@@@OCooCCCCCoooCCCCoooO@@@@@" "@@@OOO@OoooCccoocccCCooO@@@@@@" "@@@@OOOOCcooCCCCCCooco@@@@@@@@" "@@@@OOOOCocccoooCooccO@@@@@@@@" "@@@OOOOOCooocc:c::cooC@@@@@@@@" "@@O@OC..cCCoooCoCooooo.C@@@@@@" "@@O@c..:ooCCCCoocoCooo:.o@O@@@" "c..:....oCCCOCCCOCCoCo...:..cO" ".....:...oCCCCCCOOCOo....:...."
bradbig        TXT "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@Cc::.:::cc:C@@@@@@@@" "@@@@@@@Oc::....:...:::co@@@@@@" "@@@@@@c:::........:::::cc@@@@@" "@@@@@o:::::::c::::c:....:@@@@@" "@@@@O::::oooCoOOoCCOCc...O@@@@" "@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@" "@@@@@c::CCccoooOoooccoo..O@@@@" "@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@" "@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@" "@@@@@OCooCCCCCoooCCCCoooO@@@@@" "@@@OOO@OoooCccoocccCCooO@@@@@@" "@@@@OOOOCcooCCCCCCooco@@@@@@@@" "@@@@OOOOCocccoooCooccO@@@@@@@@" "@@@OOOOOCooocc:c::cooC@@@@@@@@" "@@O@OC..cCCoooCoCooooo.C@@@@@@" "@@O@c..:ooCCCCoocoCooo:.o@O@@@" "c..:....oCCCOCCCOCCoCo...:..cO" ".....:...oCCCCCCOOCOo....:...."
bradmsmall      TXT "@@@@@@@@@@@@@@@@@" "@@@@@8c:::cc8@@@@" "@@@O::....:::c@@@" "@@@::c:cc:c:..O@@" "@@8:cCCCOOCCC.8@@" "@@8ooCCCCoCCoo8@@" "@@8CoCCoooCCoo@@@" "@@88CoCoooooo@@@@" "@@88Oocooocc8@@@@" "@88c:CCooooo:O@@@" "Oc..cCCCCCCCc.:O8" ".....cCCCOCc....."
bradm      TXT "@@@@@@@@@@@@@@@@@" "@@@@@8c:::cc8@@@@" "@@@O::....:::c@@@" "@@@::c:cc:c:..O@@" "@@8:cCCCOOCCC.8@@" "@@8ooCCCCoCCoo8@@" "@@8CoCCoooCCoo@@@" "@@88CoCoooooo@@@@" "@@88Oocooocc8@@@@" "@88c:CCooooo:O@@@" "Oc..cCCCCCCCc.:O8" ".....cCCCOCc....."
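A quick way to triage a TXT record like the ones above is to split it into its individual quoted character-strings (a TXT RR is a sequence of them, each limited to 255 bytes by RFC 1035), lay them out one per line, and summarize size and character set. The parser below is an added example, not code from the diary or from the reader who sent the records; it embeds the "bradm" record copied from the diary and a constructed SPF record for comparison. The classification labels and the `triage` summary fields are my own choices, not any standard.

```python
"""Parse a zone-file TXT record into its character-strings and summarize it
for triage.  Added example (not from the ISC diary).  The BRADM record is
copied from the diary; the SPF record is constructed for comparison."""
import re

# "bradm" record copied from the diary; SPF line constructed for this example.
BRADM = ('bradm      TXT "@@@@@@@@@@@@@@@@@" "@@@@@8c:::cc8@@@@" "@@@O::....:::c@@@" '
         '"@@@::c:cc:c:..O@@" "@@8:cCCCOOCCC.8@@" "@@8ooCCCCoCCoo8@@" "@@8CoCCoooCCoo@@@" '
         '"@@88CoCoooooo@@@@" "@@88Oocooocc8@@@@" "@88c:CCooooo:O@@@" "Oc..cCCCCCCCc.:O8" '
         '".....cCCCOCc....."')
SPF = 'example.com.  3600 IN TXT "v=spf1 include:_spf.google.com ~all"'

# One quoted <character-string> in zone-file syntax: anything that is not a
# quote or backslash, or a backslash escape (\" or \DDD), between quotes.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
MAX_CHARACTER_STRING = 255  # RFC 1035 length octet limit


def _unescape(s: str) -> str:
    """Resolve zone-file escapes: \\DDD (decimal) and \\X (literal X)."""
    def repl(m):
        g = m.group(1)
        return chr(int(g)) if len(g) == 3 and g.isdigit() else g
    return re.sub(r'\\(\d{3}|.)', repl, s)


def txt_strings(line: str) -> list[str]:
    """Return the character-strings of one zone-file TXT RR, in order.
    Raises ValueError if any string exceeds the 255-byte wire limit."""
    head, rdata = re.split(r'\s+TXT\s+', line, maxsplit=1)
    strings = [_unescape(m) for m in _QUOTED.findall(rdata)]
    for s in strings:
        if len(s.encode()) > MAX_CHARACTER_STRING:
            raise ValueError(f"character-string longer than {MAX_CHARACTER_STRING} bytes")
    return strings


def owner_name(line: str) -> str:
    """Owner name is the first token of the RR line."""
    return line.split()[0]


def classify(strings: list[str]) -> str:
    """Label well-known TXT uses; anything else is 'unknown' (example labels)."""
    joined = "".join(strings)
    if joined.startswith("v=spf1"):
        return "spf"
    if joined.startswith("v=DKIM1"):
        return "dkim"
    if joined.startswith("v=DMARC1"):
        return "dmarc"
    if joined.startswith("google-site-verification="):
        return "site-verification"
    return "unknown"


def triage(line: str) -> dict:
    """Summarize one TXT RR: string count, payload size, wire RDATA size
    (payload plus one length octet per string), distinct characters, label."""
    strings = txt_strings(line)
    payload = sum(len(s.encode()) for s in strings)
    return {
        "name": owner_name(line),
        "strings": len(strings),
        "payload_bytes": payload,
        "rdata_bytes": payload + len(strings),
        "max_string_len": max((len(s) for s in strings), default=0),
        "distinct_chars": len(set("".join(strings))),
        "kind": classify(strings),
    }


def render(line: str) -> str:
    """Print the character-strings one per line; equal-length strings with a
    tiny alphabet usually show their structure immediately."""
    return "\n".join(txt_strings(line))


if __name__ == "__main__":
    for rr in (SPF, BRADM):
        print(triage(rr))
    print(render(BRADM))
```

Running it prints the two summaries followed by the "bradm" strings stacked as rows; a record with many equal-length strings drawn from only a handful of characters, and no recognizable prefix, is the kind of thing worth a second look, whereas the SPF line classifies immediately. The `rdata_bytes` field is the number a reflective-attack calculation would use, since that is what the server sends per query.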


---
Johannes B. Ullrich, Ph.D.


Oracle Critical Patch Update for Q3 2015 (Includes Java Updates)

Published: 2015-10-21
Last Updated: 2015-10-21 13:27:34 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

On Tuesday, Oracle released its quarterly Critical Patch Update, or "CPU" for short. As usual, this release covers a long list of different products and is too large to summarize in a diary. Oracle patched a total of 154 vulnerabilities. Here are some of the "highlights":

Java:

Of course, Java always gets a lot of attention, as it probably has the largest user base among Oracle's products. This time, Oracle is patching 25 Java flaws. All of them can be exploited via Java Web Start applications, but only 5 apply to Java running on servers. Seven of the vulnerabilities have the highest CVSS base score of 10 (none of these can be exploited in server-side code).

Sun Systems:

The "Integrated Lights Out Manager" (ILOM) receives a patch that fixes a remote code execution vulnerability with a CVSS base score of 10. Comparable "IPMI" management interfaces have suffered from numerous vulnerabilities in the past, and Oracle does the right thing by advising users not to expose these interfaces to public networks.

OpenSSL

Various Oracle components use OpenSSL, and this patch includes OpenSSL related updates for MySQL, Oracle Enterprise Manager and Oracle Supply Chain Products.

According to Oracle, there is no evidence that any of these vulnerabilities have been exploited so far. The next quarterly update will be released in January.

---
Johannes B. Ullrich, Ph.D.

ISC StormCast for Wednesday, October 21st 2015 http://isc.sans.edu/podcastdetail.html?id=4707