Barthos Computers Blog

Apple on Wednesday released an update to its Safari Web browser for Mac OS X and Windows. The new release is available for download from Apple’s Web site and through the Software Update system preference.

Apple indicates in its release note that Safari 3.1.1 “includes improvements to stability, compatibility and security,” though the company did not offer any further clarification in that note. Apple recommends the update for all Safari users.

In a separately published tech note, Apple offered more details about what Safari 3.1.1 fixes in terms of security. Issues that affect the Mac version of Safari include a change to WebKit to improve handling of URLs to prevent cross-site scripting, and additional validation of JavaScript regular expressions to help prevent a heap buffer overflow that can cause Safari to unexpectedly quit or execute code.

For more Macintosh computing news, visit Macworld. Story copyright ? 2007 Mac Publishing LLC. All rights reserved.

Hackers are trying to exploit a critical Windows vulnerability just patched on Tuesday, security researchers say – and the only version of Windows not at risk is the unfinished Windows XP SP3.

Fortunately, attack incompetence means that these initial sorties have been unsuccessful, Symantec Corp. said in a brief warning to customers of its DeepSight threat service. “The DeepSight honeynet has observed in-the-wild exploit attempts targeting a GDI vulnerability patched by Microsoft on April 8, 2008,” said Symantec in its alert.

On Tuesday, Microsoft patched two bugs, both pegged as “critical,” in Windows’ GDI, or graphics device interface, one of the core components of the operating system. According to Microsoft, every current version of Windows, including the very newest, Vista Service Pack 1 (SP1) and Server 2008, is open to attack.

The vulnerabilities can be triggered by malformed WMF (Windows Metafile) or EMF (Enhanced Metafile) image files, Microsoft noted in its accompanying advisory .

Analysts on Tuesday fingered the GDI bugs as the most dangerous of the 10 disclosed and patched by Microsoft that day. They noted similarities between the two new vulnerabilities and others revealed in late 2005, which were extensively exploited by attackers for months afterward.

Amol Sarwate, manager of Qualys Inc.’s vulnerability research lab, said at the time that he expected attackers to quickly begin leveraging the bug. “Users who simply view an image online or in e-mail could be compromised,” he said.

Thursday, Symantec said it had spotted three different Web sites hosting malicious WMF/EMF image files that were targeting one of the two GDI bugs. However, those images weren’t able to exploit the flaw. “Analysis of the images has shown that although [they] appear to be malicious, they do not contain enough data in the associated image property to sufficiently trigger the vulnerability,” read Symantec’s warning. “We are still investigating the issue as to why this may be the case.”

The security company urged users to apply the GDI patches pronto if they have not done so already. “These attack attempts highlight the severity of this issue and it is only a matter of time before new images that successfully trigger the issue are observed in the wild,” Symantec concluded.

Ironically, the only version of Windows not vulnerable to attack is XP Service Pack 3 (SP3), the still-not-released final update to the aged operating system. Hidden in the MS08-021 security bulletin was the sentence: “Windows XP Service Pack 3 is not affected by this vulnerability.”

Windows XP SP3’s release date remains a mystery. Although Microsoft has not budged from its “first half of 2008″ public statements, others have speculated that the service pack will wrap up later this month. One Web site, which correctly predicted release dates for Vista SP1, has pegged XP SP3’s roll-out as coming in the second half of April.

Microsoft’s GDI patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

See more at Computerworld

This year’s PWN to 0WN contest will begin on March 26th, the first day of the CanSecWest conference. The contest includes three laptops, running the most up to date and patched installations of MacOS X Leopard, Windows Vista, and Ubuntu Linux:

VAIO VGN-TZ37CN running Ubuntu 7.10
Fujitsu U810 running Vista Ultimate SP1
MacBook Air running OSX 10.5.2
The main purpose of this contest is to responsibly unearth new vulnerabilities within these systems so that the affected vendor(s) can address them.

To claim a laptop as your own, you will need to read the contents of a designated file on each system through exploitation of a 0day code execution vulnerability (ie: no directory traversal style bugs). Each laptop will only have a direct wired connection (exposed through a crossover cable) and only one person may attack each system at a time so that each team’s exploit remains private. Slots will be available for sign up in 30 minute increments at the beginning of each day. Slots are assigned in random order. Once everyone signs up each morning, spots will be assigned randomly. Any WiFi or Bluetooth exploits will be verified offsite in a secure lab to prevent snooping. The first winner of each laptop gets to keep it (one laptop per vulnerability entry) as well as a cash prize sponsored by ZDI. Once a laptop is won however, no more exploits may be submitted. Therefore there are a maximum of three cash prizes, one per laptop. All winning exploits will be handed over to the affected vendors at the conference through the ZDI, with the appropriate credit given to the contestant once the vendor patches the issue. Until then, the actual vulnerability will be kept quiet from the public. This is a required condition of entry into the contest; all entrants must agree to the responsible disclosure handling of their vulnerability/exploit through the ZDI. An awards ceremony at the end of the conference will present each winner with their prizes.

Any vulnerability that the Zero Day Initiative awards a cash prize for, becomes the property of the ZDI, and therefore the winner can not discuss or disclose details of the 0day until the affected vendor has successfully patched the issue. Any discussion of the bug prior to the public disclosure of a ZDI advisory will result in forfeiting of the prize. TippingPoint is collaborating with the vendors to ensure that their response teams will be ready and waiting to receive any and all 0day that comes out of this contest. For all other vulnerabilities, we are ready to forward the information on to the appropriate vendor (Adobe, Skype, Apache, Sendmail, etc.) upon verification of the issue.

Read more …