Wednesday, May 9

Apple Hardens Security with Mac OS X 10.7.4 and Safari 5.1.7

TidBITS Safe Computing: Apple Hardens Security with Mac OS X 10.7.4 and Safari 5.1.7:

What a fantastic idea.

From the article:

Safari will now check the version of Flash you are running and disable it if it is not capable of updating itself to a current version. Flash versions 10.1.102.64 (yes, that’s a version number, not an IP address) and older don’t include the capability to update themselves to new releases, requiring users to update manually. Newer versions will self-update as Adobe releases fixes, which minimizes the chances a user will be exposed to Flash-related security issues.
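
As an added example (mine, not Apple's, Adobe's or TidBITS's code), here is the kind of version gate the quoted passage describes, in Python: parse the dotted Flash version into integer components and block anything at or below 10.1.102.64, the last build named above that cannot update itself. The threshold is the one from the article; the sample version strings are constructed, and the naive string comparison is there only to show why comparing version strings lexicographically is wrong.

```python
# Added example: gating a plugin on its dotted version number, as the quoted
# passage describes Safari doing for Flash. Illustrative code only; the
# threshold 10.1.102.64 is the one named in the article and the sample
# versions in __main__ are constructed.
from typing import Tuple

# Per the quoted article, Flash 10.1.102.64 and older cannot self-update,
# so anything at or below this version is blocked.
LAST_NON_SELF_UPDATING = "10.1.102.64"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.2.202.233' into (11, 2, 202, 233).

    Integer tuples compare component-wise, which is the whole point:
    as strings, '9.0.280.0' > '10.1.102.64' because '9' > '1'.
    Anything that is not purely numeric dotted components is rejected,
    so a malformed or spoofed version string fails closed.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # '10.1' is treated as '10.1.0.0' so tuples of different length compare sanely
    return v + (0,) * (width - len(v))


def version_le(a: str, b: str) -> bool:
    """True if version a <= version b, comparing component-wise as integers."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return _pad(va, width) <= _pad(vb, width)


def flash_allowed(installed_version: str) -> bool:
    """Decide whether the installed Flash build may load.

    Fails closed: an unparseable version string is blocked, the same
    outcome as a known-stale build.
    """
    try:
        return not version_le(installed_version, LAST_NON_SELF_UPDATING)
    except ValueError:
        return False


def naive_string_check(installed_version: str) -> bool:
    """The bug this example warns about: plain string comparison."""
    return installed_version > LAST_NON_SELF_UPDATING


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for v in ["9.0.280.0", "10.1.102.9", "10.1.102.64", "10.1.102.65",
              "10.3.183.7", "11.2.202.233", "10.1", "garbage"]:
        print(f"{v:>14}  allowed={str(flash_allowed(v)):5}  naive={naive_string_check(v)}")
```

The two rows worth staring at are "9.0.280.0" and "10.1.102.9": both are older than the threshold and both sail through the string comparison, and so does the string "garbage". A gate like this is only as good as its parser, which is why the parser rejects anything that is not digits and dots rather than guessing.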

It also fixes this error:

Mac OS X 10.7.4 fixes a security error introduced in 10.7.3 that exposed a user’s password if they upgraded to Lion while leaving the legacy version of FileVault enabled. The flaw was due to a developer leaving debugging code enabled, which logged the user’s password in plain text. This problem affected only the older version of FileVault that encrypted a user’s home directory, as opposed to the FileVault 2 feature enabled in Lion that encrypts the entire disk. To be exposed, you would have had to upgrade a legacy FileVault system to Lion and keep the older FileVault in place.

Although this extremely serious bug essentially negated any password security on affected systems, relatively few users were likely exposed.
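
The bug described above is a whole class, not a one-off: a debug statement that interpolates a credential into a log line and ships with debug logging on. As an added example, not Apple's code and not from the article, here is Python showing that leaky call site beside a logging-layer filter that scrubs credential values from every record before any handler writes it, so a forgotten debug line fails safe instead of leaking. The key names, log format and sample credential are constructed for the demonstration.

```python
# Added example: the failure class behind the FileVault bug quoted above (a
# debug statement that logs a credential) next to a logging-layer guard that
# redacts secrets no matter which call site leaks them. Illustrative code only,
# not Apple's implementation; key names, format and credential are constructed.
import io
import logging
import re
from typing import Tuple

# Any of these keys, written as key=value or key: value, gets its value scrubbed.
SECRET_KEYS = ("password", "passwd", "passphrase", "secret", "token")
SECRET_RE = re.compile(
    r"(?i)\b(" + "|".join(SECRET_KEYS) + r")\b(\s*[=:]\s*)(\"[^\"]*\"|'[^']*'|\S+)"
)


class RedactSecrets(logging.Filter):
    """Scrub credential values out of a record before any handler emits it.

    Runs on the fully interpolated message so secrets passed inline or as
    %-style arguments are both caught. Attached to the logger (not a handler)
    it covers every handler that logger has now or later.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()
        record.msg = SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", msg)
        record.args = ()   # already interpolated above
        return True        # keep the record, just scrubbed


def build_logger(name: str, redact: bool) -> Tuple[logging.Logger, io.StringIO]:
    """Logger writing to an in-memory buffer so the output can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)   # the leak only fires when DEBUG is on
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redact:
        logger.addFilter(RedactSecrets())
    return logger, buf


def unlock_home(logger: logging.Logger, user: str, password: str) -> bool:
    """Stand-in for a credential-handling routine with a leftover debug line."""
    logger.debug("unlock_home user=%s password=%s", user, password)   # the leak
    # ... real code would derive a key from the password here ...
    return True


def run(redact: bool) -> str:
    """Exercise the leaky routine and return what reached the log."""
    logger, buf = build_logger(f"filevault.{'safe' if redact else 'leaky'}", redact)
    unlock_home(logger, "alice", "hunter2")   # constructed sample credential
    return buf.getvalue()


if __name__ == "__main__":
    print("without filter:", run(False), end="")
    print("with filter:   ", run(True), end="")
```

The filter is a backstop, not a substitute for removing the debug line; its value is that it sits at the one point every log record passes through, so a single forgotten statement anywhere in the codebase no longer decides whether cleartext passwords end up on disk.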

Friday, May 4

I believe this pcap to be bad.

Alerts (Snort 2.9.2.2, dump-1.pcap)
1:18275:9 FILE-IDENTIFY HyperText Markup Language file download request Alerts: 1
1:16425:15 FILE-IDENTIFY Portable Executable binary file download request Alerts: 3
1:21860:1 SPECIFIC-THREATS Phoenix exploit kit post-compromise behavior Alerts: 4
1:21042:4 BLACKLIST URI possible Blackhole post-compromise download attempt - .php?f= Alerts: 1
1:21492:12 SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch Alerts: 3
1:21347:3 BLACKLIST URI possible Blackhole URL - .php?page= Alerts: 1
1:13245:2 BACKDOOR troya 1.4 runtime detection - init connection Alerts: 2
1:21646:6 SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch Alerts: 2
1:11192:12 FILE-IDENTIFY download of executable content Alerts: 2
120:8:1 (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE Alerts: 1
1:20494:6 FILE-IDENTIFY PDF file magic detected Alerts: 1
1:21583:4 FILE-PDF Possible malicious pdf detection - qwe123 Alerts: 1
1:21556:3 POLICY-OTHER Microsoft Windows 98 User-Agent string Alerts: 4
1:648:12 SHELLCODE x86 NOOP Alerts: 3
1:21548:1 BOTNET-CNC Cutwail landing page connection attempt Alerts: 1
1:15306:16 FILE-IDENTIFY Portable Executable binary file magic detected Alerts: 2
1:21418:1 BOTNET-CNC Trojan.FareIt outbound connection Alerts: 1
1:22041:2 SPECIFIC-THREATS Blackhole landing redirection page Alerts: 1

I could be wrong. Don't think I am.
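
As an added example (not the post's own tooling), here is Python that turns Snort alert_fast output into the per-signature count list shown above and then checks whether the alerts for a given host line up as a drive-by chain: landing or redirection page, then exploit content (malicious PDF, shellcode), then an executable download, then post-compromise or C2 traffic. The sample alert lines are constructed for the demo: the signature IDs and messages are taken from the list above, the addresses are from documentation ranges, and the keyword-to-stage mapping is my heuristic, not anything Snort provides.

```python
# Added example: aggregate Snort alert_fast lines into "gid:sid:rev msg Alerts: N"
# rows and assess whether one host's alerts form a lure -> exploit -> payload ->
# callback chain. Not from the original post. Sample lines are constructed
# (documentation-range IPs); the stage keyword mapping is a heuristic of mine.
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

# Snort 2.x alert_fast line shape:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?(?:\s+\[Priority:\s*\d+\])?"
    r"\s+\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


class Alert(NamedTuple):
    sig: str   # "gid:sid:rev"
    msg: str
    src: str
    dst: str


def parse_fast_line(line: str) -> Optional[Alert]:
    """One alert_fast line -> Alert, or None for anything that is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(f"{m['gid']}:{m['sid']}:{m['rev']}", m["msg"], m["src"], m["dst"])


def summarize(lines: List[str]) -> List[str]:
    """Collapse raw alerts into 'gid:sid:rev msg Alerts: N' rows like the list above."""
    counts: Counter = Counter()
    msgs: Dict[str, str] = {}
    for line in lines:
        a = parse_fast_line(line)
        if a:
            counts[a.sig] += 1
            msgs[a.sig] = a.msg
    return [f"{sig} {msgs[sig]} Alerts: {n}" for sig, n in counts.most_common()]


# Heuristic stage mapping (mine, not a Snort feature), matched against the rule
# message text. Most specific first, so "exploit kit post-compromise behavior"
# lands in callback rather than exploit.
STAGE_NEEDLES = [
    ("callback", ("post-compromise", "botnet-cnc", "backdoor", "outbound connection")),
    ("payload",  ("portable executable", "executable content")),
    ("exploit",  ("malicious pdf", "shellcode", "exploit kit")),
    ("lure",     ("landing page", "redirection page")),
]
CHAIN_ORDER = ["lure", "exploit", "payload", "callback"]


def stage_of(msg: str) -> Optional[str]:
    low = msg.lower()
    return next((s for s, needles in STAGE_NEEDLES if any(n in low for n in needles)), None)


def assess(lines: List[str], local_prefix: str) -> Dict[str, List[str]]:
    """Per local host (selected by address prefix), the chain stages seen, in chain order."""
    seen: Dict[str, set] = defaultdict(set)
    for line in lines:
        a = parse_fast_line(line)
        if a is None:
            continue
        host = a.src if a.src.startswith(local_prefix) else a.dst   # the victim end
        st = stage_of(a.msg)
        if st:
            seen[host].add(st)
    return {h: [s for s in CHAIN_ORDER if s in st] for h, st in seen.items()}


def verdict(stages: List[str]) -> str:
    if set(CHAIN_ORDER) <= set(stages):
        return "likely compromise (full chain: lure, exploit, payload, callback)"
    if "callback" in stages or "payload" in stages:
        return "probable compromise (payload or callback seen without the full chain)"
    if stages:
        return "attempt only (landing/exploit seen, no payload or callback)"
    return "no chain indicators"


# Constructed sample alert_fast lines: documentation-range IPs, signature IDs and
# messages reused from the list in the post. 192.0.2.0/24 plays the local network.
SAMPLE = """
05/04-14:02:11.103221  [**] [1:22041:2] SPECIFIC-THREATS Blackhole landing redirection page [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:80 -> 192.0.2.25:49321
05/04-14:02:12.442198  [**] [1:21492:12] SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:80 -> 192.0.2.25:49322
05/04-14:02:12.503377  [**] [1:21492:12] SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:80 -> 192.0.2.25:49322
05/04-14:02:14.001933  [**] [1:21583:4] FILE-PDF Possible malicious pdf detection - qwe123 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:80 -> 192.0.2.25:49323
05/04-14:02:14.118840  [**] [1:648:12] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.9:80 -> 192.0.2.25:49323
05/04-14:02:17.555017  [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.25:49324 -> 203.0.113.9:80
05/04-14:02:20.908712  [**] [1:21860:1] SPECIFIC-THREATS Phoenix exploit kit post-compromise behavior [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.25:49325 -> 203.0.113.42:80
05/04-14:02:21.330476  [**] [1:21418:1] BOTNET-CNC Trojan.FareIt outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.25:49326 -> 203.0.113.42:80
05/04-14:03:02.000001  [**] [1:21646:6] SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:80 -> 192.0.2.31:51000
""".strip().splitlines()

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
    for host, stages in assess(SAMPLE, "192.0.2."):
        pass
    for host, stages in assess(SAMPLE, "192.0.2.").items():
        print(f"{host}: {stages} -> {verdict(stages)}")
```

Landing-page and URI-pattern signatures on their own fire constantly and are often attempts that went nowhere; what makes a capture look bad is the same host following them within seconds with a PE download and then an outbound C2 or post-compromise signature. Splitting the aggregate count list back out per victim host is what lets you say which it is.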

Please leave comments below.