Researcher draws attention to long-standing security vulnerability in OS X operating systems

Date: Thursday, August 29th, 2013, 10:19
Category: News, security, Software


After five months, it might be time to fix this sucker…

Per mitre.org and Ars Technica, an unaddressed bug in Apple’s Mac OS X discovered five months ago allows hackers to bypass the usual authentication measures by tweaking specific clock and user timestamp settings, granting near unlimited access to a computer’s files.

While the security flaw has been around for nearly half a year, a new module created by developers of testing software Metasploit makes it easier to exploit the vulnerability in Macs.

The bug revolves around a Unix program called sudo, which allows or disallows users operational access based on privilege levels. Top tier privileges grant access to other users’ files, though that level of control is password protected.

Instead of inputting a password, the flaw works around authentication by setting a computer’s clock to Jan. 1, 1970, or what is referred to as the Unix epoch. Unix time starts at zero hours on this date and is the basis for calculations. By resetting a Mac’s clock, as well as the sudo user timestamp, to epoch, time restrictions and privilege limitations can be bypassed.
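A simplified model of the time-window check described above, added here as an illustration; it is not sudo's source code and not part of the original article. The five-minute window, the `clock_floor` value, the sample timestamps and all function names are assumptions made for the example.

```python
import os
import tempfile

TIMEOUT = 5 * 60  # assumed grace period in seconds (hypothetical constant)


def naive_valid(ticket_mtime, now, timeout=TIMEOUT):
    """Flawed model: any ticket younger than `timeout` counts as valid."""
    return 0 <= now - ticket_mtime <= timeout


def hardened_valid(ticket_mtime, now, timeout=TIMEOUT, clock_floor=1356998400):
    """Defensive model: reject epoch-stamped tickets and implausible clocks.

    clock_floor (2013-01-01 UTC) is a constructed lower bound for 'now'.
    """
    if ticket_mtime <= 0:   # an epoch stamp means "invalidated", never "fresh"
        return False
    if now < clock_floor:   # wall clock has been rolled back: do not trust it
        return False
    return 0 <= now - ticket_mtime <= timeout


def read_mtime(path):
    """Read a ticket file's modification time in whole seconds."""
    return int(os.stat(path).st_mtime)


def run_scenarios():
    """Evaluate both checks against a constructed ticket file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ticket = os.path.join(d, "ticket")  # stand-in for a per-user ticket file
        open(ticket, "w").close()
        real_now = 1377771540               # constructed timestamp, late August 2013
        os.utime(ticket, (real_now - 60, real_now - 60))
        m = read_mtime(ticket)
        results["fresh"] = (naive_valid(m, real_now), hardened_valid(m, real_now))
        os.utime(ticket, (0, 0))            # ticket reset to the Unix epoch
        m = read_mtime(ticket)
        results["reset"] = (naive_valid(m, real_now), hardened_valid(m, real_now))
        rolled_back = 30                    # clock reading 30 s after the epoch
        results["reset+epoch clock"] = (naive_valid(m, rolled_back),
                                        hardened_valid(m, rolled_back))
    return results


if __name__ == "__main__":
    for name, (naive, hardened) in run_scenarios().items():
        print(f"{name:20} naive={naive} hardened={hardened}")
```

Only the last scenario separates the two checks: with both the ticket and the clock at the epoch, the naive comparison sees a 30-second-old ticket, while the hardened one refuses it.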

“The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit,” said H.D. Moore, founder of the open-source Metasploit and chief research officer at security firm Rapid7.

Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings. As a result, all versions of the operating system from OS X 10.7 to the current 10.8.4 are affected. The same problem exists in Linux builds, but many of those iterations password protect clock changes.

While powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.

Apple has yet to respond or issue a patch for the bug.

“I believe Apple should take this more seriously but am not surprised with the slow response given their history of responding to vulnerabilities in the open source tools they package,” Moore said.

Stay tuned for additional details as they become available.

Parallels Desktop 9 announced, adds cloud support, Windows 8 Start button, other new features

Date: Thursday, August 29th, 2013, 09:47
Category: News


Parallels announced its Parallels Desktop 9 for Mac client today, the new version of the virtualization software offering the following set of fixes and features:
- Cloud storage optimizations for iCloud, Dropbox, Google Drive and SkyDrive.

- Support for OS X Launchpad in Windows applications

- Enhanced support for Apple’s forthcoming OS X 10.9 Mavericks.

- Incorporates the familiar Start menu and Windows Start button for Windows 8 users.

- Extends the OS X PowerNap feature to Windows and Windows applications.

- Allows Mountain Lion Dictionary gesture compatibility in Windows apps.

- Allows users to connect Thunderbolt and FireWire devices to either their Mac or virtual machine, just like with USB.

- Enhances the virtual machine wizard, making it easier to create new systems by automatically locating operating systems on a Mac. Users can also manually select a range of media types to install.

- 40 percent better disk performance than the previous version.

- Virtual machines shut down up to 25 percent faster than the previous version.

- Virtual machines suspend up to 20 percent faster than the previous version.

- 3D graphics and web browsing are 15 percent faster than the previous version.

- A new Security Center in Parallels Desktop 9 is said to make it easier to ensure that files are secure, both on the Mac and in a Windows virtual machine.

- In addition, Parallels Desktop 9 comes with a six-month subscription to Parallels Access for iPad, announced earlier this week. That new software allows customers to remotely access and experience Windows and Mac applications as if they were designed for Apple’s iPad.

- Mac gestures inside Windows apps: Parallels Desktop now includes the addition of the Dictionary lookup gesture in Windows applications.

- PDF printer for Windows: Lets people print from any Windows application to a PDF on the Mac desktop, even if the application doesn’t have that functionality.

- Sticky multi-monitor setup: When using Windows in Full Screen mode and connecting to an external monitor, Parallels Desktop will remember settings and put the Windows virtual machine back in full screen mode on the remote monitor.

- Custom keyboard: Editable keyboard shortcuts help customize the Windows experience.

- Linux guest integration: Parallels Desktop customers who use Linux now have additional and enhanced integration with the Mac OS.

Parallels Desktop 9 for Mac will become broadly available for purchase next Thursday, Sept. 5. It is now available as a US$50 upgrade for legacy Parallels users, and a free upgrade for those who recently bought Parallels Desktop 8.

Thursday’s launch of Parallels Desktop 9 is available for existing customers for US$49.99, while those who recently purchased may be eligible for a free upgrade. Customers who buy Parallels Desktop 8 today will also be eligible to upgrade to the new version at no additional charge.

Stay tuned for additional details as they become available.

T-Mobile issues September employee blackout dates, signs point towards next-gen iPhone launch

Date: Thursday, August 29th, 2013, 09:20
Category: Hardware, iPhone, News

Some more definitive dates have appeared regarding the next-gen iPhone release.

Per the TmoNews blog, sources on Wednesday have claimed that the upcoming Sept. 20 to 22 employee blackout dates came with no explanation, but speculated a tie to an as-yet-unannounced Apple iPhone launch.

The report is in line with previous rumblings about a Sept. 20 debut for Apple’s “iPhone 5S” and “iPhone 5C” handsets, which are expected to be announced on Sept. 10.

The publication points out that the blackout dates may be in relation to the release of Samsung’s Galaxy Note III, as the Korean company is said to be announcing the device on Sept. 4. That scenario is unlikely, however, as a new Note model would hardly require T-Mobile to bolster its in-store staff.

Rumors surrounding Apple’s next-generation iPhone are heating up ahead of the anticipated announcement, with supposed parts “leaks” popping up on the Web in the form of videos and comparison pictures, which can be found over on JailBreak Nation.



Stay tuned for additional details as they become available.

Apple to hold off on next-gen iPad announcement for September 10th media event, more likely to announce new iPhones

Date: Thursday, August 29th, 2013, 08:32
Category: iPad, iPhone, News

You might have to wait a bit longer for that next-gen iPad you’ve been hankering for.

Per The Loop, there will be “no iPads” at Apple’s upcoming September 10th media event. The keynote is expected to feature Apple’s next-generation iPhones, rumored to be called the “iPhone 5S” and “iPhone 5C.”

The mighty Jim Dalrymple’s comments were provided in response to an earlier media report that had suggested iPads could be introduced at Apple’s Sept. 10 media event. However, Apple has historically kept its iPhone and iPad announcements separate.

Last year, the iPhone 5 was unveiled at a media event in September, while the iPad mini and fourth-generation iPad were introduced to the public in October. It’s likely that Apple will follow a similar schedule this year, and introduce a second-generation iPad mini and redesigned fifth-generation iPad in October, ahead of the holiday shopping season. Jim Dalrymple’s comments assure that there won’t be iPads at Apple’s iPhone-centric Sept. 10 event, but new MacBook Pros with Haswell processors remain a possibility.

The new fifth-generation iPad is expected to feature many of the same design elements as the current iPad mini, including smaller size bezels, a thinner body, and lighter weight. Parts claimed to be for the “iPad 5” have appeared regularly throughout 2013.

As for the iPad mini, it’s expected that Apple’s second-generation 7.9-inch tablet will see an upgraded high-resolution Retina display. There has also been speculation by well-connected analyst Ming-Chi Kuo of KGI Securities that Apple could additionally offer a low-cost iPad mini, potentially without a Retina display, to allow the company to hit an even lower price point than the current US$329 entry price.

While Dalrymple’s comments assure that there won’t be any iPads at Apple’s Sept. 10 event, the possibility of new Macs being unveiled at the keynote remains. Most of Apple’s Mac lineup, including the MacBook Pro and iMac, are due for upgrades to Intel’s latest-generation Haswell processors.

The September event is also expected to announce the release date for iOS 7, Apple’s next-generation mobile operating system currently available in beta to developers. If prior release schedules hold again for 2013, iOS 7 will likely become available to the public about a week after the event, while Apple’s next-generation iPhones will be in the hands of customers on Friday, Sept. 20.

Stay tuned for additional details as they become available.