Apple patches Shellshock vulnerability, but it’s not in Software Update

Posted by:
Date: Wednesday, October 1st, 2014, 01:24
Category: OS X, security

OS X bash Update 1.0 for OS X Mavericks released to address Shellshock bug on Macs

Apple released OS X bash Update 1.0 for OS X Mavericks to fix a vulnerability in the bash UNIX shell. “Shellshock” is believed to be much worse than the Heartbleed vulnerability that was discovered earlier this year.

PC Magazine wrote about two scenarios that can make OS X vulnerable to the Shellshock bash bug:

For example, Bash would be exposed if a user turned on the remote login capability for all users, including guests. But that is an action that “is probably not the most secure thing to do anyway,” Erwin wrote, as it would open up the computer to other possible attacks.

Another scenario in which adjusted settings could make a difference is on a Lion OS X server running Apache or PHP scripting environments, Erwin wrote. If Apache is configured to run scripts, an attacker could insert variables into a script that a Bash shell would run.

Curiously, OS X bash Update 1.0 isn’t available through the usual channel (the Updates tab in the App Store). It needs to be downloaded and installed manually. Based on the potential impacts of the bug it’s recommended that all OS X 10.9/Mavericks users install OS X bash Update 1.0 right away. 
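Two checks a Mac or server administrator can run before and after applying the update, as an added example that is not part of the original post or of Apple's update: the first is the widely published Shellshock self-test, the second a local simulation of the Apache/CGI scenario quoted above, in which a request header becomes an environment variable for a script that bash runs. Both assume `bash` is on the PATH (on OS X it is `/bin/bash`); the header value is constructed input.

```shell
#!/bin/sh
# Added example (not from the original post). POSIX sh wrappers around
# the public Shellshock self-test so the result is a return value rather
# than only printed text.

# Prints "vulnerable", "patched" or "no-bash" and returns 0, 1 or 2.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 2
    fi
    # A vulnerable bash imports the exported value "() { :;}; ..." as a
    # function definition and then executes the trailing "echo vulnerable".
    # A patched bash ignores the trailing command (and warns on stderr).
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 0 ;;
        *)            echo patched;    return 1 ;;
    esac
}

# Simulates what a CGI gateway does with a request: the User-Agent header
# is exported as HTTP_USER_AGENT before the script runs. $1 is the
# attacker-controlled header value (constructed here). The "script" only
# echoes "served"; on a vulnerable bash the injected command runs first.
simulate_cgi_request() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 2
    fi
    env "HTTP_USER_AGENT=$1" bash -c 'echo served' 2>/dev/null
}

shellshock_status
simulate_cgi_request '() { :;}; echo injected'
```

On a patched bash the first call prints `patched` and the second prints only `served`; on an unpatched one the second prints `injected` before `served`, which is the whole of the CGI attack surface described above. The same header-to-environment path exists for any script that bash runs as a child of a network-facing service, not only Apache.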

Apple releases OS X 10.9.5 Mavericks update

Posted by:
Date: Thursday, September 18th, 2014, 11:49
Category: Mavericks, News, security, Software


In the midst of the iPhone 6 hype and hoopla, a major operating system update just hit.

Late Wednesday, Apple released OS X 10.9.5, which includes the following fixes and changes:

- Safari version 7.0.6.

- Fix for VPN-related vulnerability.

- Fix for file access from SMB servers.

- Fix for the reliability of virtual private network connections that use USB Smart Cards as IDs.


Apple implements two-step authentication protocol for iCloud Web services

Posted by:
Date: Wednesday, September 17th, 2014, 11:23
Category: News, security, Software


It’s a step in the right direction.

Or at least a step to make the iCloud user base feel more secure.

Per AppleInsider, Apple on Tuesday activated two-factor authentication for iCloud.com access; accounts that have opted in to the extra layer now get only basic access to Find My iPhone until the second factor is supplied.

The authentication system now requires users to enter a dynamically generated code sent to a trusted device prior to gaining access to the service.

Apple first tested the extra layer of iCloud.com security in June, more than one year following the protocol’s introduction for Apple ID accounts in 2013.


Apple to institute 2-step iCloud authentication protocol after recent celebrity photo leaks

Posted by:
Date: Friday, September 5th, 2014, 14:52
Category: iCloud, security


Sometimes you’ve gotta go the two step security authentication route to keep everyone happy.

Especially the celebrities.

Following a rash of nude photos apparently stolen from celebrities’ iCloud accounts, Apple CEO Tim Cook said the company plans to activate new security measures designed to thwart future attacks.

Per AppleInsider and the Wall Street Journal, Cook reiterated Apple’s previous stance that iCloud was not breached before announcing new security protocols meant to give users a heads-up when changes are made to their accounts.

“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” Cook said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”


Apple releases Safari 7.0.6, 6.1.6, addresses WebKit security issues

Posted by:
Date: Thursday, August 14th, 2014, 10:12
Category: News, security, Software


On Wednesday, Apple released version 7.0.6 of its Safari web browser for OS X Mavericks and version 6.1.6 for OS X Lion and Mountain Lion. The new versions fix several WebKit memory corruption issues that could let attackers run arbitrary code on victims' computers or crash applications.

According to the security release notes, seven security issues were patched, all WebKit memory corruption bugs. The notes state, “These issues were addressed through improved memory handling.”


Apple posts support document detailing iOS “backdoor” allegations

Posted by:
Date: Wednesday, July 23rd, 2014, 16:26
Category: iOS, News, security, Software


The timing’s a bit strange, but Apple seems to be trying to explain what its assortment of “backdoor” services are doing on its iOS devices only days after forensic scientist Jonathan Zdziarski disclosed the services during a speech at a hacker convention.

Per AppleInsider, which reported on the support document Apple recently published on its website:

In what appears to be a response to allegations of installing “backdoor” services with the intent to harvest data from iOS devices, Apple on Tuesday posted to its website an explanation of three diagnostics capabilities built in to the mobile OS.


Jonathan Zdziarski’s talk at hacker conference shows backdoors on every iOS device, questionable services being run

Posted by:
Date: Monday, July 21st, 2014, 16:25
Category: iOS, iPad, iPhone, iPod Touch, News, security


There’s apparently a back door access point on every iOS device on the market.

Per The Apple Core, forensic scientist and author Jonathan Zdziarski has posted the slides (in PDF format) from his talk at the Hackers On Planet Earth (HOPE/X) conference in New York called Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices.

Zdziarski, better known as the hacker “NerveGas” in the iPhone development community, worked as dev-team member on many of the early iOS jailbreaks and is the author of five iOS-related O’Reilly books including “Hacking and Securing iOS Applications.”

In December 2013, an NSA program dubbed DROPOUTJEEP was revealed by security researcher Jacob Appelbaum that reportedly gave the agency almost complete access to the iPhone.

The leaked document, dated 2008, noted that the malware required “implant via close access methods” (presumably physical access to the iPhone) but ominously noted that “a remote installation capability will be pursued for a future release.”


Apple adding in-transit encryption to boost iCloud email service security

Posted by:
Date: Wednesday, July 16th, 2014, 12:36
Category: iCloud, News, security


Apple looks to be overhauling its iCloud email service security by encrypting messages sent from me.com and icloud.com addresses while they are in transit to other providers, according to new data from Google’s Gmail transparency report and The Unofficial Apple Weblog.

The report suggests that at least 95 percent of the messages sent to Gmail from iCloud mail users are now encrypted, just one month after Apple initially promised that such a change would be forthcoming.

Apple is using industry-standard Transport Layer Security, or TLS, for the encryption. With TLS the SMTP session between the sending and receiving mail servers is encrypted, and each server can check the other’s certificate, so a third party on that network path cannot read or silently intercept the message. This is encryption in transit, not end-to-end encryption: the message remains readable by each provider, and it is only protected on hops where both servers support TLS.
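Google’s transparency numbers come from looking at whether each inbound SMTP session used TLS; an administrator can do the same for a single message from the trace headers their own server wrote. The script below is an added example, not code from the original post or from Apple or Google. It assumes the receiving server records an encrypted session as `with ESMTPS` or with a `version=TLS...` note in the Received header it adds, which is how Postfix and Gmail report it; the two sample messages are constructed and use documentation domains.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies each inbound
# SMTP hop recorded in a message's Received headers as "tls" or "plain".

# Prints each Received header on one line, continuation lines unfolded,
# stopping at the blank line that ends the header block. Reads stdin.
received_headers() {
    awk '
        /^[ \t]/ { if (inrecv) buf = buf " " $0; next }   # folded continuation
        {
            if (inrecv) { print buf; inrecv = 0 }
            if ($0 == "") exit                             # end of headers
            if ($0 ~ /^Received:/) { buf = $0; inrecv = 1 }
        }
        END { if (inrecv) print buf }
    '
}

# For every "Received: from" hop (one with a remote peer) prints "tls" or
# "plain". Local "Received: by" lines have no network session and are skipped.
hop_encryption() {
    received_headers | awk '
        $0 !~ /^Received: from / { next }
        /ESMTPS|version=TLS|using TLS/ { print "tls"; next }
        { print "plain" }
    '
}

# Constructed sample messages (not real headers). The first was delivered
# over TLS, the second over a cleartext SMTP session.
sample_tls_message() {
    cat <<'EOF'
Received: by mx.example.net with SMTP id k7mr1; Wed, 16 Jul 2014 12:36:00 -0700
Received: from mr1.mail.icloud.example (mr1.mail.icloud.example [192.0.2.10])
        by mx.example.net with ESMTPS id k7si2
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 16 Jul 2014 12:35:59 -0700
From: bob@icloud.example
To: alice@example.net
Subject: hello

body text
EOF
}

sample_plain_message() {
    cat <<'EOF'
Received: from relay.example.org (relay.example.org [192.0.2.20])
        by mx.example.net with ESMTP id q9si3;
        Wed, 16 Jul 2014 12:40:00 -0700
From: carol@example.org
To: alice@example.net
Subject: plain hop

body text
EOF
}

sample_tls_message | hop_encryption     # tls
sample_plain_message | hop_encryption   # plain
```

Only the Received headers your own servers added can be trusted; everything below them was written by the sender’s side and can say whatever it likes. A `tls` result for the final hop also says nothing about earlier hops or about how either provider stores the message, which is the limit of in-transit encryption noted above.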


Apple blocks older Flash plug-in versions in Safari, pushes users to adopt new, more secure version

Posted by:
Date: Friday, July 11th, 2014, 11:51
Category: News, security, Software


You may not like doing it, but you’re going to have to snag the newest version of Adobe’s Flash Player plug-in.

Per AppleInsider, Apple late Thursday issued a security message saying it has blocked old versions of Adobe’s Flash Player plug-in for Safari, citing a recent flaw that could potentially allow hackers to harvest browser data like cookies.

Users with out of date plug-ins will be met with a message saying, “Blocked plug-in,” “Flash Security Alert” or “Flash out-of-date” when attempting to access Flash content in Safari. Clicking on the alert takes users to Adobe’s Flash installer page, where the latest version of the plug-in can be downloaded and installed.


Adobe warns against Flash Player security exploit, offers version 14.0.0.125 as fix

Posted by:
Date: Wednesday, July 9th, 2014, 11:43
Category: News, security, Software


Even if you’re not crazy about Adobe Flash Player these days, there’s a better reason than usual to upgrade to the new version.

Per AppleInsider and Adobe, a well-known vulnerability in Adobe’s Flash Player that could allow malicious users to steal browser data, including cookies, on Macs, PCs, and Linux machines has been exploited for the first time. As such, Adobe has issued a patch and urged users to update as soon as possible.

The company says that Flash Player versions 14.0.0.125 and earlier for Mac and Windows and version 11.2.202.378 and earlier for Linux suffer from the bug, which was exploited in a proof-of-concept by Google engineer Michele Spagnuolo. Mac and Windows users should update to version 14.0.0.145 while Linux users should update to version 11.2.202.394.
