Apple announces end to SSL 3.0 support on October 29th in wake of POODLE vulnerability

Date: Thursday, October 23rd, 2014, 08:05
Category: iOS, News, security, Software

Sometimes you’ve got to drop back and punt.

Per the Apple developer web site and AppleInsider, Apple announced on Wednesday that it will be removing support for the SSL 3.0 protocol on its Apple Push Notification server.

Apple will be switching off SSL 3.0 support in favor of the more secure Transport Layer Security (TLS) protocol on Wednesday, Oct. 29, noting developers will have to build in support by that time to ensure uninterrupted push notification service continues.

Apps currently using both SSL 3.0 and TLS will not be affected by the change, but those using just SSL 3.0 will need to be updated.

Apple has disabled SSL 3.0 on the Provider Communication interface in the developer environment, offering developers a way to check their apps for compatibility. More information is available through Apple’s Developer Portal.

iWorm trojan quietly added to Apple’s Xprotect definition list

Date: Wednesday, October 8th, 2014, 10:46
Category: News, security, Software, Uncategorized

The bad news is that there’s another chunk of malware on the OS X platform to worry about.

The good news is that Apple included a backdoor fix over the weekend to take care of it.

Per The Mac Observer, Apple pushed an update to its Xprotect malware list for the Mac that includes the Mac.BackDoor.iWorm malware over the weekend. Xprotect watches for telltale signatures from known malware threats and attempts to stop them from invading your computer.

The iWorm threat installs through a Trojan horse masquerading as an installer for other apps. Mac owners that have fallen victim to iWorm picked up the malware through installers for pirated apps such as Adobe Photoshop.

Once installed, iWorm looks to Reddit for posts that include server addresses it can link to for instructions on what nasty activities it should undertake. Reddit has shut down the forum iWorm checked, but that doesn’t mean hackers won’t be able to find an alternate method for delivering server locations.

Shellshock fix posted for Mac OS X 10.4 to Mac OS X 10.6.8 operating systems

Date: Monday, October 6th, 2014, 10:35
Category: News, security, Software

This suggestion came in over the weekend from one Larry Macy, Ph.D over at the University of Pennsylvania and it’s pretty interesting.

For those of you still running Mac OS X 10.4 to Mac OS X 10.6.8, a workaround has been found for the recently discovered Shellshock bash vulnerabilities. Per Macy, the process replaces bash and sh with a new version of bash.

Apple launches Find My iPhone page to help cut down on stolen iOS device purchases

Date: Friday, October 3rd, 2014, 11:18
Category: iOS, iPad, iPhone, iPod Touch, News, security, Software

This might prove useful.

This week, Apple launched a web-based tool to check the Activation Lock status of iOS devices such as iPhones, iPads and iPod Touches. Here, users can go to a web site, enter the device’s IMEI number or serial number and see if the Find My iPhone feature has been activated.

Apple patches Shellshock vulnerability, but it’s not in Software Update

Date: Wednesday, October 1st, 2014, 01:24
Category: OS X, security

OS X bash Update 1.0 for OS X Mavericks released to address Shellshock bug on Macs

Apple released OS X bash Update 1.0 for OS X Mavericks to fix a vulnerability in the bash UNIX shell. “Shellshock” is believed to be much worse than the Heartbleed vulnerability that was discovered earlier this year.

PC Magazine wrote about two scenarios that can make OS X vulnerable to the Shellshock bash bug:

For example, Bash would be exposed if a user turned on the remote login capability for all users, including guests. But that is an action that “is probably not the most secure thing to do anyway,” Erwin wrote, as it would open up the computer to other possible attacks.

Another scenario in which adjusted settings could make a difference is on a Lion OS X server running Apache or PHP scripting environments, Erwin wrote. If Apache is configured to run scripts, an attacker could insert variables into a script that a Bash shell would run.

Curiously, OS X bash Update 1.0 isn’t available through the usual channel (the Updates tab in the App Store). It needs to be downloaded and installed manually. Based on the potential impacts of the bug it’s recommended that all OS X 10.9/Mavericks users install OS X bash Update 1.0 right away. 

Apple releases OS X 10.9.5 Mavericks update

Date: Thursday, September 18th, 2014, 11:49
Category: Mavericks, News, security, Software

In the midst of the iPhone 6 hype and hoopla, a major operating system update just hit.

Late Wednesday, Apple released OS X 10.9.5, which includes the following fixes and changes:

- Safari version 7.0.6.

- Fix for VPN-related vulnerability.

- Fix for file access from SMB servers.

- Fix for the reliability of virtual private network connections that use USB Smart Cards as IDs.

Apple implements two-step authentication protocol for iCloud Web services

Date: Wednesday, September 17th, 2014, 11:23
Category: News, security, Software

It’s a step in the right direction.

Or at least a step to make the iCloud user base feel more secure.

Per AppleInsider, Apple on Tuesday activated two-factor authentication for iCloud.com access, allowing only basic access to Find My iPhone for those opted-in to the security layer.

The authentication system now requires users to enter a dynamically generated code sent to a trusted device prior to gaining access to the service.

Apple first tested the extra layer of iCloud.com security in June, more than one year following the protocol’s introduction for Apple ID accounts in 2013.

Apple to institute 2-step iCloud authentication protocol after recent celebrity photo leaks

Date: Friday, September 5th, 2014, 14:52
Category: iCloud, security

Sometimes you’ve gotta go the two step security authentication route to keep everyone happy.

Especially the celebrities.

Following a rash of nude photos apparently stolen from celebrities’ iCloud accounts, Apple CEO Tim Cook said the company plans to activate new security measures designed to thwart future attacks.

Per AppleInsider and the Wall Street Journal, Cook reiterated Apple’s previous stance that iCloud was not breached before announcing new security protocols meant to give users a heads-up when changes are made to their accounts.

“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” Cook said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

Apple releases Safari 7.0.6, 6.1.6, addresses WebKit security issues

Date: Thursday, August 14th, 2014, 10:12
Category: News, security, Software

On Wednesday, Apple released version 7.0.6 of its Safari web browser for OS X Mavericks and version 6.1.6 for its OS X Lion and Mountain Lion operating systems. The new versions feature fixes for several WebKit-related security and memory corruption issues that could let attackers run arbitrary code on victims’ computers. The security issues could also cause app crashes.

According to the security release notes, seven security issues were patched, all related to WebKit memory corruption. The notes state, “These issues were addressed through improved memory handling.”

Apple posts support document detailing iOS “backdoor” allegations

Date: Wednesday, July 23rd, 2014, 16:26
Category: iOS, News, security, Software

The timing’s a bit strange, but Apple seems to be trying to explain what its assortment of “backdoor” services are doing on its iOS devices only days after forensic scientist Jonathan Zdziarski disclosed the services during a speech at a hacker convention.

Per AppleInsider, a recently published support document on Apple’s web site.

In what appears to be a response to allegations of installing “backdoor” services with the intent to harvest data from iOS devices, Apple on Tuesday posted to its website an explanation of three diagnostics capabilities built in to the mobile OS.
