Apple Releases Safari 6
Even if you don't plan to upgrade to Mountain Lion, Safari 6 is available as of today as an update for older versions of OS X. This new version includes numerous security fixes and improvements.
For a (long) list of fixed bugs, see the Apple security announcement [1]. There are also some new security-related features:
- Extensions can now detect whether you are in private browsing mode, which should make it easier for them to avoid leaking data.
- The "https" in https URLs is highlighted more prominently, and the lock icon with more information about the certificate is placed right next to it.
- The safe password feature was redone, but it doesn't look like Safari will suggest new passwords unless you run Mountain Lion.
[1] http://support.apple.com/kb/HT5400
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Apple OS X 10.8 (Mountain Lion) released
You probably saw by now that Apple unleashed Mountain Lion earlier today. If you are lucky enough to make it past the overloaded App Store, you may already be installing it. But some of you may not be as daring, and as with any major update there are reasons to be cautious. OS X 10.8 includes some interesting new security features:
One important feature, Gatekeeper, implements iOS-like restrictions on installing software. This feature may be turned off by an administrator, but you should consider leaving it on by default: it will prevent users from installing unauthorized software. Just like in iOS, the software has to be signed with a valid Apple developer certificate. Further, you can restrict installations to software from the App Store only. In OS X Lion, the command line utility "spctl" can be used to test this feature; Mountain Lion adds a GUI configuration tool to the standard OS X settings dialog. Also see our prior diary about this tool [1].
The "Roaring Apps" website maintains a pretty good list of Mountain Lion compatible applications [2]. Most security tools I use appear to be compatible (Sophos Anti-Virus, Kaspersky Anti-Virus, Little Snitch, 1Password...). But note that RoaringApps.com is crowdsourced. To be sure, check the software publisher's website.
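As an added example (not from the diary or from Apple), the following POSIX shell script shows how an administrator can check the Gatekeeper assessment state and test whether a given application would be allowed to launch under the current policy, using the real `spctl --status` and `spctl --assess --type execute` invocations mentioned above. The `SPCTL` variable is an assumption of this script, not an spctl feature: it lets the parsing logic be exercised with a stand-in binary on a machine that has no spctl.

```shell
#!/bin/sh
# Added example: query Gatekeeper with spctl (OS X 10.7.3 and later).
# `spctl --status` prints "assessments enabled" or "assessments disabled";
# `spctl --assess --type execute <path>` exits 0 when the bundle passes policy.
# SPCTL is an assumption of this script so the functions can be tested without macOS.
SPCTL="${SPCTL:-spctl}"

# gatekeeper_state: prints on/off/unknown based on the status line
gatekeeper_state() {
  out="$("$SPCTL" --status 2>&1)"
  case "$out" in
    *"assessments enabled"*)  printf '%s\n' on ;;
    *"assessments disabled"*) printf '%s\n' off ;;
    *)                        printf '%s\n' unknown ;;
  esac
}

# assess_app <bundle path>: prints the verdict; exit 0 = accepted, 1 = rejected
assess_app() {
  if "$SPCTL" --assess --type execute "$1" >/dev/null 2>&1; then
    printf 'accepted: %s\n' "$1"
    return 0
  fi
  printf 'rejected: %s\n' "$1"
  return 1
}

# Stand-alone use: ./gatekeeper-check.sh /Applications/Example.app
if [ "$#" -gt 0 ]; then
  printf 'Gatekeeper assessments: %s\n' "$(gatekeeper_state)"
  assess_app "$1"
fi
```

If the state prints "off", someone has disabled Gatekeeper (the equivalent of choosing "Anywhere" in the GUI); a "rejected" verdict for an app you expect to deploy usually means it is unsigned or signed with something other than a Developer ID certificate, which is worth knowing before rolling the upgrade out to users.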
OS X 10.8 also includes a password safe feature, and improved privacy controls. For details, see Apple's list of security features [3].
Make sure to first update ALL software on your system. Various vendors released Mountain Lion specific updates as late as today.
Of course, backups are always a good idea, but I assume you got that covered ;-)
[1] http://isc.sans.edu/diary.html?storyid=12631
[2] http://roaringapps.com/
[3] http://www.apple.com/osx/what-is/security.html
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Microsoft Exchange/Sharepoint and others: Oracle Outside In Vulnerability
Microsoft published an unusual knowledge base article today, warning users of certain versions of Microsoft Exchange and SharePoint server of a remote code execution vulnerability introduced by Oracle's "Outside In" libraries, which are included with these products. [1]
Affected Products:
Microsoft Exchange Server 2007
Microsoft Exchange Server 2010
FAST Search Server 2010 for Sharepoint
Oracle provided a patch for this issue in its July patch release [2]. The issue is covered by Oracle's "Fusion Middleware" fix. Outside In library version 8.3.7.77 and earlier is vulnerable. The fixed version is 8.3.7.171 (US-CERT also mentions 8.3.5.6369 as fixed).
As a workaround, you could disable the transcoding service, but it will no longer allow you to preview attachments. Or you could disable the Advanced Filter Pack on FAST Search Server 2010 for SharePoint.
Oracle's "Outside In" libraries are able to decode over 500 different file formats [3]. The libraries are used to index content inside files like PDFs and other common file types.
It is very likely that Microsoft's products are not the only software that includes this library. US-CERT provides a list of the software they have identified.
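The version numbers above have a trap for anyone scripting an inventory check: 8.3.5.6369 is fixed even though it sorts below the vulnerable 8.3.7.77 when compared field by field. The following POSIX shell snippet is an added example (not from the diary, Microsoft or Oracle) of a triage function that handles that case; it treats only the versions named on this page as known-fixed, and anything between 8.3.7.77 and 8.3.7.171 as unknown, which is an assumption of the example rather than a statement from either vendor.

```shell
#!/bin/sh
# Added example: classify an Outside In library version as vulnerable / fixed / unknown.
# Versions are dotted integer strings such as 8.3.7.77.

# vercmp A B: prints -1, 0 or 1 comparing the two versions numerically, field by field
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1;  return 0; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  printf '%s\n' 0
}

# outsidein_status VERSION: prints vulnerable, fixed or unknown
outsidein_status() {
  v="$1"
  # builds explicitly listed as fixed (8.3.5.6369 would otherwise compare as "old")
  for fixed in 8.3.7.171 8.3.5.6369; do
    [ "$v" = "$fixed" ] && { printf '%s\n' fixed; return 0; }
  done
  if [ "$(vercmp "$v" 8.3.7.171)" -ge 0 ]; then printf '%s\n' fixed; return 0; fi
  if [ "$(vercmp "$v" 8.3.7.77)" -le 0 ]; then printf '%s\n' vulnerable; return 0; fi
  # assumption: nothing on the page covers builds between 8.3.7.77 and 8.3.7.171
  printf '%s\n' unknown
}

# Stand-alone use: ./outsidein-check.sh 8.3.7.77
if [ "$#" -gt 0 ]; then
  printf '%s: %s\n' "$1" "$(outsidein_status "$1")"
fi
```

Feed it the library version reported by the product in question; a naive `sort`-style comparison would report the 8.3.5.6369 build as vulnerable and generate needless work, which is why the explicit fixed list sits ahead of the numeric comparison.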
[1] http://technet.microsoft.com/en-us/security/advisory/2737111
[2] http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
[3] http://www.kb.cert.org/vuls/id/118913
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute