Open Source and information security mailing list archives
Message-ID: <F215DD4495814B258D56742DAFBDDDB5@W340>
Date: Mon, 2 Feb 2015 20:57:57 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "Brandon Perry" <bperry.volatile@...il.com>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] iTunes 12.1 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

"Brandon Perry" <bperry.volatile@...il.com> wrote:

> I think you would get more traction on possibly getting Apple to fix these
> if you wrote exploits proving they were a problem.

Or do you mean exploits like this one:
<http://seclists.org/fulldisclosure/2014/May/163>

EVERY developer should know that

* his/her software is not the only application installed on a user's PC;

* the outdated or vulnerable components s/he delivers and installs can be
  called by every other application or malware running on a user's PC!

JFTR: the MSVCRT DLL of Visual C++ 2003 which was/is used for example in
Sun/Oracle Java 6.x and thus installed on many user systems is a good
trampoline for attacks.

There is ABSOLUTELY no justification for Apple or any other developer to
ship VULNERABLE components at all!

regards
Stefan Kanthak

> On Sat, Jan 31, 2015 at 10:11 AM, Stefan Kanthak <stefan.kanthak@...go.de>
> wrote:
>
>> Hi @ll,
>>
>> See <http://seclists.org/bugtraq/2014/Oct/164>,
>> <http://seclists.org/fulldisclosure/2014/Oct/109>,
>> <http://seclists.org/fulldisclosure/2014/Aug/44>,
>> <http://seclists.org/fulldisclosure/2014/Aug/33> and
>> <http://seclists.org/fulldisclosure/2014/Jul/30> for the
>> prequel.
>>
>>
>> The just released iTunes 12.1 for Windows comes again with
>> outdated and VULNERABLE 3rd party libraries.
>>
>> In AppleMobileDeviceSupport.msi:
>>
>> * libeay32.dll and ssleay32.dll 0.9.8za from 2014-06-05
>>
>> The current version is 0.9.8ze and has 21 security fixes
>> which are missing in 0.9.8za; see <http://openssl.org/news/>
>>
>> At last, these DLLs are no longer 7 years old as before, but
>> "only" 7 months old.
>>
>>
>> * libcurl.dll 7.16.2
>>
>> is almost EIGHT years old and has at least 22 unfixed CVEs!
>>
>> The current version is 7.40.0; for the fixed vulnerabilities
>> see <http://curl.haxx.se/docs/security.html>
>>
>>
>> In AppleApplicationSupport.msi:
>>
>> * msvcr100.dll and msvcp100.dll 10.0.40219.1 from 2011-02-20
>>
>> These are the runtime DLLs for Visual C++ 2010 RTM.
>>
>> The current version is but 10.0.40219.325; see
>> https://technet.microsoft.com/library/security/bulletin/MS11-025
>>
>>
>>
>> Additionally the following VULNERABLE[*] command lines with unquoted
>> pathnames containing spaces are registered.
>>
>> By AppleApplicationSupport.msi:
>>
>> [HKEY_CLASSES_ROOT\CLSID\{fdd068c2-d51a-4175-8a20-5cbc704ea3bd}\LocalServer32]
>> @="[#AppleApplicationSupport_APSDaemon.exe]"
>>
>> [HKEY_CLASSES_ROOT\CLSID\{6812639B-FD61-4329-9901-22CFDBD690FE}\LocalServer32]
>> @="[#AppleApplicationSupport_APSDaemon.exe]"
>>
>> [HKEY_CLASSES_ROOT\CLSID\{D9E904CA-8865-42E7-B0F0-B7B8C4D54D70}\LocalServer32]
>> @="[#AppleApplicationSupport_APSDaemon.exe]"
>>
>> For beginners: the value of the unnamed registry entry is a COMMAND
>> LINE and has to be quoted properly!
>>
>> From <https://msdn.microsoft.com/library/ms683844.aspx>
>>
>> | To help provide system security, use quoted strings in the path to
>> | indicate where the executable filename ends and the arguments begin.
>>
>> As of Windows 2003 developers who are NOT completely unaware of
>> Microsoft's documentation might want to use the "ServerExecutable"
>> registry entry described there too.
>> But 12 years are surely way too short for Apple's developers, QA and
>> management to learn about such "new" features which help improve safety
>> and security.
>>
>>
>> By iTunes.msi:
>>
>> [HKEY_CLASSES_ROOT\itms\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\daap\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\itmss\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\itsradio\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\itunesradio\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\iTunes\shell\open\command]
>> @="[#iTunes.exe]"
>>
>> [HKEY_CLASSES_ROOT\itpc\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\itls\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itls\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\pcast\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.daap\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itms\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itmss\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itpc\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.pcast\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>>
>> From <http://msdn.microsoft.com/library/cc144175.aspx>:
>>
>> | If any element of the command string contains or might contain
>> | spaces, it must be enclosed in quotation marks. Otherwise, if
>>   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> | the element contains a space, it will not parse correctly.
>>
>>
>> See <http://home.arcor.de/skanthak/sentinel.html> if you want to
>> detect software with this 20+ year old vulnerability[*] without
>> dissecting its *.MSI files.
>>
>>
>> Until Apple's developers, their QA and their managers start to
>> develop a sense for their customers' safety and security:
>> stay away from Apple's (Windows) software!
>>
>>
>> stay tuned
>> Stefan Kanthak
>>
>>
>> [*] <https://cwe.mitre.org/data/definitions/428.html>
>> You'll read more about it soon!
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
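The unquoted command lines listed in the quoted advisory are the whole point of the thread (CWE-428: when the program path in a command line is unquoted and contains spaces, CreateProcess tries "C:\Program.exe", then "C:\Program Files\sub.exe", and so on, before the intended executable). The following is an added example, not code from the post and not Kanthak's sentinel tool: a Python audit that reads an exported .reg file, picks out the default values under shell\open\command and LocalServer32 keys, and lists every file an attacker could plant to hijack each unquoted command line, plus the properly quoted replacement. It generalises past the two-token case in the advisory to paths with any number of spaces. The .reg text is constructed; the resolved directories C:\Program Files\iTunes\ and C:\Program Files\Common Files\Apple\Apple Application Support\ stand in for the MSI tokens [#iTunes.exe], [INSTALLDIR] and [#AppleApplicationSupport_APSDaemon.exe] and are assumptions, not facts from the post.

```python
import re
import sys

# Constructed sample .reg export (not captured from a real system). The
# resolved install paths below replace the MSI tokens quoted in the post;
# C:\Program Files\iTunes\ and C:\Program Files\Common Files\Apple\
# Apple Application Support\ are assumed locations, not facts from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\itms\shell\open\command]
@="C:\\Program Files\\iTunes\\iTunes.exe /url \"%1\""

[HKEY_CLASSES_ROOT\CLSID\{fdd068c2-d51a-4175-8a20-5cbc704ea3bd}\LocalServer32]
@="C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\APSDaemon.exe"

[HKEY_CLASSES_ROOT\pcast\shell\open\command]
@="\"C:\\Program Files\\iTunes\\iTunes.exe\" /url \"%1\""

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\notepad.exe %1"
'''

# Keys whose default value is a command line: shell verbs and COM local servers.
COMMAND_KEYS = re.compile(r'\\(shell\\open\\command|LocalServer32)$', re.IGNORECASE)


def reg_unescape(value):
    # Undo .reg string escaping: a doubled backslash becomes one backslash,
    # and a backslash-escaped double quote becomes a plain double quote.
    return re.sub(r'\\(["\\])', r'\1', value)


def split_program(cmdline):
    # Return (program_path, arguments). A quoted path is unambiguous; for an
    # unquoted one we have no file system to consult, so assume the program
    # ends at the first space-delimited token that ends in ".exe".
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end < 0:
            return cmdline[1:], ''
        return cmdline[1:end], cmdline[end + 1:].strip()
    tokens = cmdline.split(' ')
    for i, tok in enumerate(tokens):
        if tok.lower().endswith('.exe'):
            return ' '.join(tokens[:i + 1]), ' '.join(tokens[i + 1:])
    return tokens[0], ' '.join(tokens[1:])


def hijack_candidates(cmdline):
    # Files CreateProcess looks for *before* the intended executable when the
    # program path is unquoted and contains spaces: every space-delimited
    # prefix of the path with ".exe" appended. Whoever can create one of them
    # runs code whenever this command line is used.
    program, _ = split_program(cmdline)
    if cmdline.lstrip().startswith('"') or ' ' not in program:
        return []
    parts = program.split(' ')
    return [' '.join(parts[:i]) + '.exe' for i in range(1, len(parts))]


def quoted(cmdline):
    # The corrected command line: program path wrapped in double quotes,
    # as the MSDN text quoted in the advisory requires.
    program, args = split_program(cmdline)
    fixed = '"%s"' % program
    return fixed + (' ' + args if args else '')


def audit_reg(text):
    # Walk the .reg text, remember the current key, and check the default
    # value ("@=...") of every command-line key. Returns a list of
    # (key, decoded command line, hijack candidates) for vulnerable entries.
    findings = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif line.startswith('@="') and line.endswith('"') and key \
                and COMMAND_KEYS.search(key):
            cmdline = reg_unescape(line[3:-1])
            cands = hijack_candidates(cmdline)
            if cands:
                findings.append((key, cmdline, cands))
    return findings


if __name__ == '__main__':
    # Pass the path of a real export (e.g. from "reg export HKCR hkcr.reg")
    # as the first argument; without one the constructed sample is audited.
    text = open(sys.argv[1], encoding='utf-16').read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, cmdline, cands in audit_reg(text):
        print('[%s]\n  %s\n  attacker could plant: %s\n  fix: %s'
              % (key, cmdline, ', '.join(cands), quoted(cmdline)))
```

On the sample, the itms entry yields one plantable file (C:\Program.exe) and the APSDaemon LocalServer32 entry yields four, the deepest being "C:\Program Files\Common Files\Apple\Apple Application.exe"; the pre-quoted pcast entry and the space-free notepad entry are not reported. The ".exe"-token heuristic is only needed because the audit runs on text; on the live system CreateProcess simply tries each prefix until a file exists, which is exactly why a writable parent directory makes the planted file win.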