8 Feb 2019

Week in review

AUSCERT Week in Review for 8th February 2019

Greetings,

This week Apple patched the high-profile FaceTime vulnerability that made the news from last week, and a researcher goes public with a Mac OS key-chain vulnerability that allows a user access to its plaintext credentials without restriction. One in, one out for news-worthy Apple vulnerabilities.

To dramatically cap off this week, the Australian Parliament was subject to a cyber attack, the extent of which is still being investigated.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

China link possible in cyber attack on Australian Parliament computer system, ABC understands
08 February 2019
Author: Stephanie Borys

Excerpt: “Australia’s security agencies are investigating a cyber breach of the Federal Parliament’s computer network that the ABC understands is likely the result of a foreign government attack.

The agencies are looking into whether China is behind the incident.

In a statement, Federal Parliament’s presiding officers said authorities were yet to detect any evidence data had been stolen in the breach.”

——

Apple puts bullet through ‘Do Not Track’, FaceTime snooping bug and iOS vulnerabilities
07 February 2019
Author: Thomas Claburn

Excerpt: “Today, Apple also emitted security fixes for iOS 12.1.4. This fixes the FaceTime eavesdropping bug (CVE-2019-6223) found by 14-year-old Grant Thompson of Catalina Foothills High School and Daven Morris of Arlington, Texas. We understand the teen and his family will get some compensation from Apple, which will also pay toward his education.

The OS update also fixes two elevation-of-privilege holes (CVE-2019-7286 in Foundation, CVE-2019-7286 in IOKit), and a vague problem with Live Photos in FaceTime (CVE-2019-7288).

Meanwhile, FaceTime has been fixed in macOS, too.”

——

Researcher reveals huge Mac password flaw to protest Apple bug bounty
06 February 2019
Author: Jeremy Horwitz

Excerpt: “Apple’s operating systems have recently had more than their fair share of serious security issues, and the latest problem will be enough to rattle millions of Mac users. Previously credible researcher Linuz Henze has revealed an exploit that in one button press can reveal the passwords in a Mac’s keychain.

Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze’s KeySteal exploit grabs everything with a single press of a “Show me your secrets” button.”

——

Here are this week’s noteworthy security bulletins:

1) ESB-2019.0388 – [Apple iOS] iOS: Multiple vulnerabilities

Apple has released its patch for the FaceTime group chat, alongside two elevation of privilege vulnerabilities.

2) ASB-2019.0046 – [Android] Android: Multiple vulnerabilities

Android’s February update is out, with all the usual suspects getting fixes (RCE, EoP, DoS).

3) ESB-2019.0305 – [Win][UNIX/Linux][Debian] libreoffice: Execute arbitrary code/commands – Remote with user interaction

Libreoffice documents would happily execute any Python script (and arguments!) in a document-supplied directory.

Stay safe, stay patched and have a good weekend!

Tim