Apple addresses security concerns with QuickTime 7.6.9 update for Mac OS X 10.5.x operating systems

Posted by:
Date: Wednesday, December 8th, 2010, 05:14
Category: News, security, Software

quicktimelogo.jpg

Per the cool cats over at CNET, Apple has updated its Quicktime software, now at version 7.6.9, to fix vulnerabilities where a maliciously designed file could execute arbitrary code or lead to the application terminating.

As Apple describes in its knowledge base article:
“Description: A heap buffer overflow exists in QuickTime’s handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to Nils of MWR InfoSecurity, and Will Dormann of the CERT/CC, for reporting this issue.”

Also included in this security update are fixes to maliciously crafted avi file types, other movie file types, FlashPix image files, GIF image files, or PICT image files, as well as a possibility that local users may have access to sensitive information on certain Windows machines.
The update is for Mac users running Mac OS X 10.5.8 or Server 10.5.8. For more information, visit the entire security update article.

As usual, the update can be located, snagged and installed via Mac OS X’s Software Update feature.

If you’ve tried the update and noticed any major changes, let us know in the comments.

Apple explains iOS 4.2 security fixes

Posted by:
Date: Wednesday, November 24th, 2010, 08:41
Category: News, security, Software

Following Apple’s Monday release of iOS 4.2 for iPads, iPhones and iPod touch devices, the company outlined its security fixes in a Knowledge Base entry posted online.

Per Macworld, many of the patches protect against malicious attackers running code on your device, which could in theory be used for all sorts of malicious purposes. Vulnerabilities were corrected for WebKit, Configuration Profiles, CoreGraphics, FreeType (in PDF rendering), and more to prevent against this type of attack.

iOS 4.2 also includes a fix for iAd content display, to prevent attackers in what Apple calls “a privileged network position” to force phone calls from your device without your permission. A separate fix for Mail corrects an issue where carefully-crafted HTML emails could track whether you viewed a message, even if you had turned off remote image loading in Settings.

The update also addresses a situation where your MobileMe password could become visible to an outside user in a privileged network position when using the Photos app to send images to the service. iOS 4.2 also corrects a race condition that could force the Reset Safari option to take a full 30 seconds to remove your saved Web passwords–during which time a speedy user with access to your device could still log in to those sites.

So, there you have it. And if you’ve noticed any major changes in iOS that you’d like to comment on, let us know.

Apple release Security Update 2010-007 update for Mac OS X 10.5 operating systems

Posted by:
Date: Friday, November 12th, 2010, 05:27
Category: News, security, Software

On Wednesday, Apple released Security Update 2010-007, bringing the same security patches included in the recent Mac OS X 10.6.5 release to Macs running 10.5 Leopard client or server versions.

Per Macworld, the more prominent fixes included in the update is a fix for a bug in Apple Type Services which could allow the downloading of a maliciously crafted font file to lead to arbitrary code execution. That bug, originally caught by security firm Core Security, was similar to a vulnerability in Apple’s iOS that allowed hackers to jailbreak devices running that software. Apple patched the flaw in an iOS update

In addition to fixing the font bug, 2010-007 brings an updated version of Adobe’s Flash Player plug-in (numbered 10.1.102.64) which patches a number of security vulnerabilities, some of which could lead to arbitrary code execution. Patches are also included for a number of holes in QuickTime, Time Machine, Safari RSS, Quick Look, and several of OS X’s other underlying systems.

The Leopard client version of Security Update 2010-007 is a 240.74 megabyte download while the server version is a 448.10 megabyte download. If you’re running an eligible system, the relevant update should appear via Mac OS X’s Software Update feature.

If you’ve tried the update and noticed any major changes, please let us know.

Security researchers locate additional iPhone security hole, publish findings

Posted by:
Date: Thursday, May 27th, 2010, 04:02
Category: iPhone, News, security

3gs.jpg

Even if you feel absolutely secure in entering your PIN every time you unlock your iPhone, there may still be some security shortfalls. Per a blog post by Bernd Marienfeldt, Marienfeldt and fellow security wonk Jim Herbeck have discovered that plugging even a fully up-to-date, non-jailbroken iPhone 3GS into a computer running Ubuntu Lucid Lynx allows nearly full read access to the phone’s storage even when it’s locked.

The belief is that they’re just a buffer overflow away from full write access as well, which would surely open the door to making calls. Bernd believes the iPhone’s lack of data encryption for content is a real problem, and also cites the inability to digitally sign e-mails as reasons why the iPhone is still not ready for prime time in the enterprise.

Still, better that these guys found it and put the evidence in front of Apple than another party locate the security hole.

Stay tuned for additional details as they become available.

Apple releases Security Update 2010-003 for Mac OS X 10.5, 10.6 operating systems

Posted by:
Date: Thursday, April 15th, 2010, 04:40
Category: security, Software

applelogo_silver

Following up on a slew of recent software updates, Apple released Security Update 2010-003 on Wednesday. The update, which varies in size between 6.2 and 208 megabytes depending on the version used and fixes assorted security holes described here.

The update, as usual, can be located, snagged and installed Mac OS X’s Software Update feature.

Security Update 2010-003 requires Mac OS X 10.5 or later to install and run.

If you’ve installed the update and noticed any changes, let us know.

Apple releases Security Update 2010-002 for Mac OS X 10.5.x

Posted by:
Date: Tuesday, March 30th, 2010, 03:26
Category: security, Software

applelogo_silver

Following yesterday’s release of the Mac OS X 10.6.3 update for Mac OS X 10.6 (Snow Leopard) users, Apple also released Security Update 2010-002, a 208 megabyte download that incorporates previous security updates have been incorporated into this security update and essentially brings Mac OS X 10.5.x to the same security standard as Mac OS X 10.6.3.

For a full list of the changes, click here.

As usual, the update can also be located, snagged and installed via Mac OS X’s Software Update feature.

Security Update 2010-002 requires Mac OS X 10.5 or later to install and run.

Apple Releases Security Update 2010-001

Posted by:
Date: Wednesday, January 20th, 2010, 06:58
Category: security, Software

applelogo1.jpg

Late Tuesday, Apple released Security Update 2010-001 for its Mac OS X operating systems. The updates, which range between a 21 and 159 megabyte download (depending on operating system), address critical vulnerabilities in the system where hackers and malicious software can take advantage and either compromise the system or steal personal information.

The update requires an Intel-based Mac running Mac OS X 10.5 or later for the Mac OS X 10.5 operating system and Mac OS X 10.6.2 or later for the Mac OS X 10.6 operating system and can also be located and snagged with Mac OS X’s Software Update feature.

If you’ve tried the updates and noticed any major changes, please let us know.

Second iPhone Worm in the Wild

Posted by:
Date: Monday, November 23rd, 2009, 06:24
Category: iPhone, security

3gs.jpg

We told you not to jailbreak your iPhone, but you had to be super cool and rebellious. Per BBC News, jailbroken iPhones could be vulnerable to a new, malicious worm that can allow remote access and control without the owner’s knowledge or permission. It’s been estimated that hundreds of users are currently affected by a worm that targets users of “jailbroken” iPhones who live in the Netherlands and use the bank ING Direct. But security company F-Secure told stated that the currently isolated issue could easily jump to thousands of handsets. The worm is reportedly spread between phones when they share the same Wi-Fi spot.

In order for an iPhone to be vulnerable to the new worm, they must have willingly modified their handset’s software to allow them to run unauthorized code. Phones can be jailbroken to run applications or modify the system in ways not approved by Apple.

The worm only affects jailbroken phones that have SSH (secure shell) installed, without the default password — “alpine” — changed. It employs the same method as a previous worm, Ikee, that was not malicious. Instead, the wallpaper-changing prank simply changed the user’s background to a picture of 1980s pop star Rick Astley, who sang the 1987 hit “Never Gonna Give You Up.”

The new worm reportedly has botnet functionality and connects to a Web-based command and control center based in Lithuania.

For now, the worm is only aimed at customers who live in the Netherlands and bank with ING Direct. The company has stated that it intends to put a warning on its Web site.

Intego Warns Against Ikee Worm for iPhone

Posted by:
Date: Wednesday, November 11th, 2009, 06:31
Category: iPhone, security

3gs.jpg

It’s not Rick Astley you have to worry about, it’s the Ikee worm.

According to Macworld UK, Intego, which develops and sells desktop Internet security and privacy software for the Mac, claims to have spotted a hacker tool, which potentially copies personal info from users iPhones.

The news comes after the first iPhone worm, known as Ikee, was revealed, which simply adds Rick Astley wallpaper to jailbroken iPhone phones.

Intego claims the new worm is far more dangerous than the Ikee worm. This hacker tool, which Intego identifies as iPhone/Privacy.A, takes advantage of the same vulnerability in the iPhone as the Ikee worm, allowing hackers to connect to any jailbroken iPhone whose owners have not changed the root password.

“It is important to note that standard, non-jailbroken iPhones are not at risk; it is extremely dangerous to jailbreak an iPhone because of the vulnerabilities that this process creates,” claims Intego, who believe 6-8 per cent of iPhones are jailbroken.

The tool reportedly allows a hacker to silently copy user data from a compromised iPhone including email, contacts, SMSs, calendars, photos, music files, videos, as well as any data recorded by any iPhone application insists Intego.

This new hacker also tool gives no indication that it has invaded an iPhone warns the company.

“Hackers using this tool will install it on a computer – Mac, PC, Unix or Linux – then let it work. It scans the network accessible to it, and when it finds a jailbroken iPhone, breaks into it, then steals data and records it,” insists Intego.

“This hacker tool could easily be installed, for example, on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network. Or, a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the wifi network in search of data.|

“Hackers could even install this tool on their own iPhones, and use it to scan for jailbroken phones as they go about their daily business,” Intego adds.

Stay tuned for additional details as they become available and, well, if you were planning on jailbreaking your iPhone in the near future, you might want to give it a second thought.

Apple Files Patent for iPhone Theft Prevention Technology

Posted by:
Date: Friday, September 11th, 2009, 05:58
Category: iPhone 3GS, Patents, security

3gs.jpg

A recently published patent application filed this week by Apple suggests the company is looking to use the device’s accelerometer to detect possible theft of the hardware. Per AppleInsider, in a application entitled “Acceleration-Based Theft Detection System for Portable Electronic Devices,” Apple describes a system that would analyze movement via a device’s accelerometer to determine whether a theft is present. If the system were to interpret fast movement as a theft, it would initiate an alarm.

“The drive toward miniaturization of electronics has resulted in computer-based systems that are becoming much more portable,” the application reads. “Current portable electronic devices such as laptop computers, hand-held devices such as cellular telephones and personal media devices, such as the iPod from Apple Computer, Inc., and even devices such as compact disc players, are sufficiently compact and lightweight as to make them easily movable. Unfortunately, such ease of transport also implies ease of theft. While the rightful owner of a portable electronic device may conveniently transport it almost anywhere, so can a thief. ”

The patent application goes on to state that traditional theft-prevention methods like mechanical locks are bulky and tether the device, eliminating portability and convenience. In the proposed system, the accelerometer would be used to determine whether the device is currently in a likely theft condition.

“Typically, theft or other large-scale movement of the device results in an acceleration signal having characteristics different from other events such as shock, impact, nearby machinery, etc,” the application reads. “The detected acceleration as a function of time is thus analyzed to determine whether it corresponds to such large-scale movement of the device, rather than an innocuous event such as the impact of a book dropped nearby. If so, an alarm is produced in order to alert others to the theft.”

The described system would have methods to prevent false alarms through “signal conditioning,” which could filter out events such as shock or impact associated with an iPhone being dropped. The system would also allow the phone owner to display a “visual warning” for potential would-be thieves. Such a warning would warn potential thieves that the device “has an active theft detection system protecting it.”

The patent was filed by Apple on May 20th, 2009 and is credited to Paul J. Wehrenberg of Palo Alto, Calif.