Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


Apple tagged in these posts

Super Bowl Sunday for iOS 6.1 Jailbreak [Updated]

Posted: 01 Feb 2013 05:31 AM | Anonymous | no comments

February 3, 2013 not only marks the start of Super Bowl Sunday, it could also signify the arrival of a new untethered iOS jailbreak.


The newly formed hacking group, going by the name of evad3rs, is reportedly close to completing its latest iOS 6.1 jailbreak. More importantly, this jailbreak works on the A5 and A6 chip architectures in the latest flagship iOS devices.


Previous reports claimed that the group held back releasing the jailbreak, knowing that Apple was about to release the long-awaited iOS 6.1 update, which surfaced on Monday. The group claims that publishing the exploit earlier would have allowed Apple to develop a patch to counteract their efforts. So, immediately after the iOS 6.1 release, some four and a half months after the original iOS 6 release, the group has said it is ready.





Is CVE-2012-0507 the best toolkit to exploit Mac OS X?

Posted: 16 Apr 2012 10:23 AM | Anonymous | no comments

The recent advent of Flashback malware that includes exploit code for CVE-2012-0507 has been creating waves, and the exploit has quickly been adopted by various other attackers, as Websense® Security Labs™ has shown. This blog post details some aspects of CVE-2012-0507 and how this exploit has been used in the wild.

The Java code first starts with the excerpt below: the string "sobj" contains a stream of characters that triggers the vulnerability and forces Java to render something it usually wouldn't be allowed to. The string "8BCA ..." is obfuscated with an XOR key of 0x27, shown below. After this string is de-obfuscated, it looks something like the image below.

We compared the exploit code used in the Flashback campaign (above) with another instance in the wild that surfaced recently. Apparently, the attacker is using the exploit code provided by the Metasploit framework. The only difference between the Flashback exploit code and the one used by Metasploit is the bytecode array: one is a signed byte array while the other is unsigned, as revealed below. In our Flashback sample, the string that triggers the vulnerability is XOR-ed with 0x27, while the string seen in the Metasploit sample uses a signed byte array.

Lastly, the payload used by the Flashback malware is a dropped Mach-O binary executable, while the Metasploit exploit opens a listening TCP port shell pipe depending on which operating system the victim is on (this highlights the beauty of a design flaw as opposed to a vulnerability that corrupts memory). The code excerpt is shown below. Websense security solutions protect users from these kinds of exploits.
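The post notes that the two variants carry the same trigger bytes in different encodings (an XOR-0x27 hex string versus a Java signed byte array). The following analyst helper, added here and not part of the Websense post, normalises both encodings to raw bytes so the variants can be fingerprinted and compared; the sample values are constructed, but note that the post's own "8BCA" prefix XOR 0x27 yields AC ED, the magic of a Java serialized object stream.

```python
import hashlib

# XOR key reported in the post for the Flashback sample.
FLASHBACK_XOR_KEY = 0x27

# Magic bytes that open every Java serialized object stream (AC ED 00 05).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def xor_decode_hex(hex_str, key=FLASHBACK_XOR_KEY):
    """Decode a hex string whose bytes were XOR-ed with a single-byte key."""
    data = bytes.fromhex("".join(hex_str.split()))
    return bytes(b ^ key for b in data)


def java_signed_bytes_to_bytes(values):
    """Convert a Java signed byte[] literal (-128..127 per element) to raw bytes."""
    out = bytearray()
    for v in values:
        if not -128 <= v <= 127:
            raise ValueError(f"{v} is not a valid Java byte")
        out.append(v & 0xFF)  # two's complement -> unsigned
    return bytes(out)


def is_java_serialized(data):
    """True if the decoded blob starts with the Java serialization magic."""
    return data.startswith(JAVA_SERIAL_MAGIC)


def payload_fingerprint(data):
    """SHA-256 of the normalised bytes, so variants can be matched regardless of encoding."""
    return hashlib.sha256(data).hexdigest()


def same_trigger(hex_str, signed_values, key=FLASHBACK_XOR_KEY):
    """Do an XOR-hex variant and a signed-byte-array variant carry identical bytes?"""
    a = xor_decode_hex(hex_str, key)
    b = java_signed_bytes_to_bytes(signed_values)
    return payload_fingerprint(a) == payload_fingerprint(b)


# Constructed sample: the serialization header plus two filler bytes, once as the
# XOR-0x27 hex form and once as a Java signed byte[] literal.
SAMPLE_HEX = "8BCA27225455"
SAMPLE_SIGNED = [-84, -19, 0, 5, 115, 114]

if __name__ == "__main__":
    decoded = xor_decode_hex(SAMPLE_HEX)
    print(decoded.hex(), is_java_serialized(decoded), same_trigger(SAMPLE_HEX, SAMPLE_SIGNED))
```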



Flashback Mac malware

Posted: 12 Apr 2012 11:48 PM | Patrik Runald | no comments

We in Websense® Security Labs™ have been following the developments of the Flashback trojan for Mac that has infected over 600,000 Apple computers worldwide. The number of infected computers seems to be dropping steadily now and will continue to do so as Apple yesterday released a removal tool as part of their Software Update:





Jailbreakme.com 3 and security implications

Posted: 07 Jul 2011 10:29 AM | Patrik Runald | no comments

Jailbreakme.com version 3 went public yesterday and offers, again, a simple way to jailbreak an iOS device. And it's very, very simple. In fact, in our testing the jailbreak doesn't take more than 20 seconds from start to finish and works flawlessly. It doesn't crash your browser, and it even looks and feels like a regular App Store installation. Very slick but also very dangerous.

The reason it's dangerous is that it works like a drive-by download (but requires user interaction), similar to the ones we see used attacking Windows PCs every day through vulnerabilities and exploit kits. What happens when you click on "Free" -> "Install" on the jailbreakme.com website is that your browser downloads a PDF file that triggers a vulnerability in how the built-in PDF reader handles a certain font type, which in turn installs the actual jailbreak.

This isn't the first time we've seen a jailbreak like this for iOS. In fact, jailbreakme.com was used in August 2010 to do exactly the same thing, again with a PDF file. We didn't see any malicious use of this attack despite the source code being made available, but will it be different this time? It wouldn't be hard for a malicious attacker to reverse engineer how the jailbreak works and create something similar that doesn't require the user to click on "Free" -> "Install" and silently installs malicious code on your iOS device, either through the browser or via an email attachment. If this were created, an attacker could gain full control of your device and install everything from a keylogger to a full-blown bot. Or what about forwarding all mails to a third-party email address? The regular iOS sandbox won't be protecting your device, and since iOS is a variant of Unix, anything is possible.

We hope that Apple will release an updated firmware to fix this vulnerability and not wait for iOS 5 to fix it. On a side note, I made a bet with @mikkohypponen on how long it will take Apple to release the patch. My guess is less than 10 days; Mikko thinks in 5 days. What do our readers think, how long will it take Apple to release the patch?

