Friday, January 28, 2011

1Password 3.5.4 addresses MITM Cookie Disclosure Issue

The changelog for the 1Password 3.5.4 update, released on January 28th, 2011, included the following note:
> Updated thumbnail downloader to turn off default cookie operations and prevent fetching previews from sites with bad certificates.
This may not seem like a big thing, but it should be to 1Password users. Prior to version 3.5.4, if a man-in-the-middle attacker posed as a secure site for which 1Password had a stored login, the lack of certificate validation allowed cookies stored by Safari, and by other applications such as 1Password Agent that use the default cookie store, to be leaked to the attacker.
Your web browser normally warns you before connecting to a site with a bad SSL certificate, because disclosing GET request arguments and cookies to an impostor website is dangerous. However, 1Password Agent did not fail as it should have when it encountered a bad certificate, even if the site had a valid certificate when you saved your login. When 1Password Agent made requests, it did so with the default cookie store. This means that session cookies and other sensitive cookies could be leaked to any site posing as a secure site you log in to, whenever 1Password Agent attempted to store or update a thumbnail image of that site.
This issue was addressed in the 3.5.4 release of 1Password by no longer allowing 1Password Agent to connect to sites with bad certificates.
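As an added illustration written for this post, not 1Password's own (Cocoa) code, the following Python models the two defects in a thumbnail fetcher that rides on the shared cookie store beside the 3.5.4 fix; the example.com host, the `session` cookie and all function names are constructed for the example.

```python
import ssl
import urllib.request
from http.cookiejar import Cookie, CookieJar


def constructed_browser_jar():
    """Constructed sample: a session cookie the browser stored for example.com."""
    jar = CookieJar()
    jar.set_cookie(Cookie(
        version=0, name="session", value="constructed-session-token",
        port=None, port_specified=False,
        domain="example.com", domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={}))
    return jar


def validates_certificates(ctx):
    """True only if the context rejects bad certificates and hostname mismatches."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def prepare_request(url, shared_jar, hardened):
    """Build the TLS context and headers a thumbnail fetcher would use.

    hardened=False models the pre-3.5.4 behaviour: the request rides on the
    shared (browser) cookie jar and certificate checks are switched off.
    hardened=True models the fix: an isolated empty jar and strict validation.
    Returns (ssl_context, headers) so both can be inspected without a network.
    """
    ctx = ssl.create_default_context()        # CERT_REQUIRED + hostname check
    if not hardened:
        ctx.check_hostname = False            # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE       # any certificate is accepted (weak)
    jar = CookieJar() if hardened else shared_jar   # fresh jar: nothing to leak
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)   # adds "Cookie:" only if the jar matches the URL
    return ctx, dict(req.header_items())


def fetch_thumbnail(url, hardened=True, shared_jar=None):
    """Network fetch (not exercised offline). With hardened=True a bad certificate
    fails the handshake (urllib.error.URLError) before any header is sent."""
    ctx, headers = prepare_request(url, shared_jar or CookieJar(), hardened)
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
        return r.read()
```

The weak configuration attaches the stored `session` cookie to the thumbnail request and accepts any certificate, so an impostor presenting a bad certificate receives the cookie; the hardened one sends no cookie at all and refuses the connection.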
The Agile Web Solutions team fixed this bug very quickly after I notified them of the issue and should be commended for their quick response. They responded to this issue within 1 hour (wow!), and had a fix available to the public within 2 weeks. Given that I reported this over New Year's, that's incredibly impressive. Good job guys!
1Password users should update to the latest version so they are no longer vulnerable to this attack.

Thursday, January 6, 2011

Apple fixes CVE-2010-4013 in Mac OS X v10.6.6 update

It's always nice to see Apple fix security holes I've reported. Thanks for promptly addressing this issue.

The official description from their bulletin (http://support.apple.com/kb/HT4498):


PackageKit
CVE-ID: CVE-2010-4013
Available for: Mac OS X v10.6 through v10.6.5, Mac OS X Server v10.6 through v10.6.5
Impact: A man-in-the-middle attacker may be able to cause an unexpected application termination or arbitrary code execution
Description: A format string issue exists in PackageKit's handling of distribution scripts. A man-in-the-middle attacker may be able to cause an unexpected application termination or arbitrary code execution when Software Update checks for new updates. This issue is addressed through improved validation of distribution scripts. This issue does not affect systems prior to Mac OS X v10.6. Credit to Aaron Sigel of vtty.com for reporting this issue.