Apple releases Safari 8.0.2 update

Date: Monday, December 15th, 2014, 04:32
Category: News, security, Software

It’s not a huge update, but it helps.

On Friday, Apple released version 8.0.2 of its Safari web browser.

The new version, a 53.8 megabyte download, offers the following fixes and changes:

- Fixes an issue that could prevent history from syncing across devices if iCloud Drive is not on.
- Fixes an issue that could prevent a saved password from being autofilled after two devices are added to iCloud Keychain.

(more…)

Apple releases iOS 8.1.2 update, includes ringtone purchase fix, security changes (updated)

Date: Tuesday, December 9th, 2014, 13:44
Category: iOS, iPad, iPhone, iPod, News, security, Software

This could come in handy.

Per 9to5Mac, Apple has released iOS 8.1.2 as an over-the-air software update for iPhone, iPad, and iPod touch users running iOS 8. The latest release contains bug fixes for users as well as a fix for a problem regarding ringtones purchased from Apple being removed from devices. Other changes include a fix for keyboards that may not appear in Safari, Maps, or other third-party apps in the iOS simulator, Siri support for Singapore English, a fix for a bug that caused Notifications to fail to open an app, and a fix for an issue that caused WatchKit apps to stop working in the iOS 8 simulator.

For users subject to the reported issues involving ringtones purchased through iTunes, Apple points users to itunes.com/restore-tones for recovering those purchases.

(more…)

WireLurker security paper released, discusses potential next generation of OS X, iOS malware

Date: Friday, November 7th, 2014, 02:30
Category: iOS, News, security

Not that you should be entirely paranoid about malware on your OS X and iOS devices, but a little caution couldn’t hurt.

Per Palo Alto Networks, a new paper has been published on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months. It’s believed that WireLurker could herald a new generation of malware on Apple’s desktop and mobile platforms given the following characteristics:

- It is only the second known malware family that attacks iOS devices through OS X via USB.

- It is the first malware to automate generation of malicious iOS applications, through binary file replacement.

- It is the first known malware that can infect installed iOS applications similar to a traditional virus.

- It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning.

WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.

(more…)

Security researcher finds unsaved files are automatically saved into iCloud

Date: Wednesday, November 5th, 2014, 17:10
Category: iCloud, News, security

This may not be what Apple intended to have happen with iCloud.

And there may be a patch coming for it posthaste.

According to Slate, security researcher Jeffrey Paul recently noticed that Apple’s default autosave is storing in-progress files—the ones you haven’t explicitly saved yet—in the cloud, not on your hard drive. Unless you decided to hit save before you start typing, or manually changed the default settings, those meeting notes, passwords, and credit card numbers you jotted down in “Untitled 17” are living in iCloud.

Although this issue seems to be a recent phenomenon, it appears that it’s been happening since at least December of 2013, according to Apple’s Knowledge Base, and it doesn’t just affect TextEdit, but also Preview, Pages, Numbers, and Keynote. Hopefully there wasn’t anything sensitive on those screenshots, spreadsheets, presentations, and documents you haven’t yet saved, or else you were using other programs. Luckily, Word for Mac files don’t seem to be affected in this way.

You can turn off this surreptitious feature, Documents & Data, under Apple → System Preferences → iCloud → Documents & Data, or you can save your empty file before you even start typing. But that’s not really the point. The problem is that users intuitively expect their in-progress documents to be saved locally, but these files are being stored in the cloud instead.

(more…)

AT&T admits to testing “unique tracker” on smartphones, offers opt-out option

Date: Thursday, October 30th, 2014, 11:55
Category: iPhone, News, security, wireless

This isn’t the best news.

According to Forbes, wireless carriers Verizon and AT&T have conceded that they’re tagging their customers with unique codes that are visible to third parties, making smartphone users far easier to track on the Web than they’ve ever been before and making targeted advertising that much easier to create. After the findings by researchers, AT&T admitted it’s “testing” a new way of tracking its customers for ad display purposes.

“There’s nothing ready to announce,” said AT&T spokesperson Mark Siegel. “We’re still testing.”

But that means, yes, AT&T customers are being tagged by AT&T in a way that’s visible to the websites they visit, but AT&T says it’s building in what it considers to be a privacy-protective measure: the unique code for each user will change every 24 hours. Siegel says this is happening now, but Kenneth White, one of the researchers who discovered the tracking, says that is “categorically untrue,” saying he found three identifying codes being sent by AT&T that were persistent.

“AT&T does not currently have a mobile Relevant Advertising program. We are considering such a program, and any program we would offer would maintain our fundamental commitment to customer privacy,” read a statement from AT&T. “For instance, we are testing a numeric code that changes every 24 hours on mobile devices to use in programs where we serve ads to the mobile device. This daily rotation on the numeric code would help protect the privacy of our customers. Customers also could opt out of any future AT&T program that might use this numeric code.”

(more…)

Hours after citing capable security, CurrentC announces unauthorized access of users’ email accounts

Date: Wednesday, October 29th, 2014, 16:35
Category: Finance, iOS, News, security, Uncategorized

Hubris, anyone?

Just hours after publishing a blog post answering some questions about its upcoming CurrentC mobile payments system and touting the security of its cloud-based storage of sensitive information, the company behind the effort, Merchant Customer Exchange (MCX), has alerted users of unauthorized access to their email addresses.

Per MacRumors, the company released the following statement:

Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.

Details on the unauthorized access have not been disclosed, but reporter Nick Arnott of iMore took some time earlier this week to look at some of the personal information being collected by MCX and CurrentC and noted that he could ping CurrentC’s systems to look for valid registered email addresses on the system. While he did not find valid addresses, the system appeared capable of returning a substantial amount of personal information about such accounts.

(more…)

MCX responds to Apple Pay blocking controversy with questionable responses to issues at hand

Date: Wednesday, October 29th, 2014, 11:46
Category: Finance, iOS, iPhone, News, security, Software

The most recent shot in the NFC payment wars has been fired.

And it kind of made MCX look like a bunch of jerks.

Per 9to5Mac, MCX, the retailer consortium behind the CurrentC mobile payment system, has responded to the controversy over its members being required to block Apple Pay or face fines with some unconvincing ‘assurances.’

The first sign of trouble between MCX and Apple Pay was when CVS disabled NFC functionality from its payment terminals. When Rite Aid joined in, consumers responded by threatening to boycott MCX members.

In a blog post which MCX says is designed to “set the record straight,” as it were, MCX responded to some of the recent concerns levied against it.

Responding to the fines issue, the company offered the following comment:

Importantly, if a merchant decides to stop working with MCX, there are no fines.

Nobody has suggested there are. What has been suggested–and which MCX has not denied–is that members are fined if they accept other forms of mobile payment, like Apple Pay, alongside CurrentC.

The consortium gets off to a marginally better start on privacy, with a statement that consumers “can choose to limit the information they share through our privacy dashboard, which means they will have the ability to turn off location based services and opt out of marketing communications in our app.” However, that does nothing to limit the storage of other sensitive information, nor to address claims that merchants will share purchasing data amongst themselves.

(more…)

Apple announces end to SSL 3.0 notifications on October 29th in wake of POODLE vulnerability

Date: Thursday, October 23rd, 2014, 08:05
Category: iOS, News, security, Software

Sometimes you’ve got to drop back and punt.

Per the Apple developer web site and AppleInsider, Apple announced on Wednesday that it will be removing support for the SSL 3.0 protocol on its Apple Push Notification server.

Apple will be switching off SSL 3.0 support in favor of the more secure Transport Layer Security (TLS) protocol on Wednesday, Oct. 29, noting that developers will have to build in support by that time to ensure push notification service continues uninterrupted.

Apps currently using both SSL 3.0 and TLS will not be affected by the change, but those using just SSL 3.0 will need to be updated.

Apple has disabled SSL 3.0 on the Provider Communication interface in the developer environment, offering developers a way to check their apps for compatibility. More information is available through Apple’s Developer Portal.

(more…)

iWorm trojan quietly added to Apple’s Xprotect definition list

Date: Wednesday, October 8th, 2014, 10:46
Category: News, security, Software, Uncategorized

The bad news is that there’s another chunk of malware on the OS X platform to worry about.

The good news is that Apple included a backdoor fix over the weekend to take care of it.

Per The Mac Observer, Apple pushed an update to its Xprotect malware list for the Mac that includes the Mac.BackDoor.iWorm malware over the weekend. Xprotect watches for telltale signatures from known malware threats and attempts to stop them from invading your computer.

The iWorm threat installs through a Trojan horse masquerading as an installer for other apps. Mac owners that have fallen victim to iWorm picked up the malware through installers for pirated apps such as Adobe Photoshop.

Once installed, iWorm looks to Reddit for posts that include server addresses it can link to for instructions on what nasty activities it should undertake. Reddit has shut down the forum iWorm checked, but that doesn’t mean hackers won’t be able to find an alternate method for delivering server locations.

(more…)

Shellshock fix posted for Mac OS X 10.4 to Mac OS X 10.6.8 operating systems

Date: Monday, October 6th, 2014, 10:35
Category: News, security, Software

This suggestion came in over the weekend from one Larry Macy, Ph.D., over at the University of Pennsylvania, and it’s pretty interesting.

For those of you still running Mac OS X 10.4 to Mac OS X 10.6.8, a workaround has been found for the recently discovered Shellshock bash vulnerabilities. Per Macy, the process replaces bash and sh with a new version of bash.

(more…)