Apple releases iOS 6.1.2 update

Posted by:
Date: Tuesday, February 19th, 2013, 12:42
Category: iOS, iPad, iPad mini, iPhone, iPhone 3GS, iPod Touch, News, security, Software

Never doubt the speed of a fix in the wake of bad PR…

On Tuesday, Apple released iOS 6.1.2, a 107 megabyte download offering the following fixes for its supported iOS devices:

- Fixes an Exchange calendar bug that could result in increased network activity and reduced battery life.

iOS 6.1.2 is available via iTunes or Over-The-Air updating and requires an iPhone 3GS, 4, 4S, 5, iPad 2, third or fourth-gen iPad, iPod Touch 4th Gen or iPad Mini to install and run.

disableEmergency app available through jailbreak, helps bypass iOS 6.1 lockscreen exploit

Posted by:
Date: Monday, February 18th, 2013, 08:52
Category: Hack, News, security, Software

The hackers get the last laugh this time around.

Per The Mac Observer, the jailbreak community has beat Apple to the punch with its own solution to an iOS 6.1 bug that could give someone access to your iPhone without knowing your passcode. The app, dubbed “disableEmergency”, removes the Emergency Call button from the lock screen, which effectively removes one of the steps needed to break into your iPhone.

The security flaw requires several steps involving swipes, taps and button presses in the right order, afterwhich your contacts, schedule, and email are acessible.

Removing the Emergency Call button from the lock screen means calling for police or fire assistance will require dialing the emergency number yourself, so hacking your iPhone just to avoid a difficult to perform process may be a little extreme, especially since Apple has promised that a fix is on the way.

disableEmergency is free and available through the Cedia installer.

If you’ve tried the disableEmergency app and have any feedback to offer, please let us know in the comments.

Rumor: Apple working on quick fix for lockscreen exploit in iOS 6.1.2

Posted by:
Date: Monday, February 18th, 2013, 08:56
Category: iOS, Rumor, security, Software

When in doubt, work on a fix.

Per German web blog iFun and AppleInsider, Apple is already working on an update to iOS 6 to address a dangerous passcode vulnerability discovered earlier in the week, with one report claiming that the company anticipated issuing the update as early as next week.

The article presently states that iOS 6.1.2 will arrive early next week, and likely before February 20. iFun accurately predicted the launch of iOS 6.1.1, relying on the same sources that tell them 6.1.2 is on the way.

News of the lockscreen exploit hit the Internet last Wednesday. Using the bypass method, one can view and modify an iPhone owner’s contacts, listen to voicemail, and browse through their photos. The exploit does not, though, appear to grant access to email or the web.

Apple on Thursday acknowledged the vulnerability. The company, representatives said to the media, is hard at work on a patch, though they provided no hard details on when users could expect one.

Stay tuned for additional details as they become available.

Lockscreen bypass available in iOS 6.1, contacts vulnerable through hack

Posted by:
Date: Thursday, February 14th, 2013, 05:54
Category: Hack, iOS, News, security, Software

Ok, they’re probably going to need to fix this.

Per The Verge, a security flaw in Apple’s iOS 6.1 lets anyone bypass your iPhone password lock and access your phone app, view or modify contacts, check your voicemail, and look through your photos (by attempting to add a photo to a contact).

The method, as detailed by YouTube user videosdebarraquito, involves making (and immediately canceling) an emergency call and holding down the power button twice. Tests confirmed that the hack worked on two UK iPhone 5s running iOS 6.1 and can be seen below:



Similar instances had occurred – and were patched – in iOS 4.1, and was fixed in iOS 4.2.

Apple has yet to reply to requests for comment regarding this situation.

Apple releases 11th OS X 10.8.3 build to developer community, pins down file bug

Posted by:
Date: Thursday, February 7th, 2013, 08:58
Category: News, security, Software

The betas, they just keep rolling in…

Per The Mac Observer, Apple continued to extensively test the next maintenance update to OS X 10.8 Mountain Lion with the release of the tenth prerelease build of 10.8.3 to developers Wednesday. The build, 12D65, arrives one week after the previous build, 12D61.

The latest build of 10.8.3 lists no known issues and asks developers to focus on AirPlay, Airport, Game Center, Graphics Drivers, and Safari.

Notably, the build fixes a file bug revealed over the weekend that caused nearly every Mountain Lion app to crash by entering a specific set of characters. It was eventually determined that the bug was due to a Cocoa programming error in Mountain Lion’s data detectors. That Apple has now fixed the bug in the latest prerelease of 10.8.3 is a good sign, as it was potentially a serious security vulnerability.

OS X 10.8 Mountain Lion was first released on July 25, 2012. The 10.8.1 update arrived on August 23, 2012 and 10.8.2 on September 19, 2012. Prerelease builds of 10.8.3 have been seeded by Apple since November.

If you’ve gotten your mitts on the latest beta and have any feedback to offer, please let us know in the comments.

Apple releases Java for Mac OS X 10.6 Update 12

Posted by:
Date: Monday, February 4th, 2013, 08:04
Category: News, security, Software

applelogo_silver

This sort of came out of left field, but if you’re running Mac OS X 10.6, you should probably install it.

Late Friday, Apple released Java for Mac OS X 10.6 Update 12, a Java update for its Mac OS X 10.6 (Snow Leopard) operating system.

The update, a 72.8 megabyte download, offers the following fixes and changes:

- Java for Mac OS X 10.6 Update 12 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_39.

As always, the update can also be located and installed via the built-in “Software Update” feature in Mac OS X.

The Java for Mac OS X 10.6 Update 11 fix requires an Intel-based Mac running Mac OS X 10.6.8 or later to install.

If you’ve tried the updates and have any feedback to offer, please let us know in the comments.

Apple quietly disables Oracle’s Java 7 Update 11 fix via XProtect anti-malware feature in OS X

Posted by:
Date: Thursday, January 31st, 2013, 08:19
Category: News, security, Software

javaicon

When it comes to Java, there’s always an argument to be had between Apple and Oracle.

Per MacGeneration, the recently released Java 7 Update 11 has been blocked by Apple through its XProtect anti-malware feature in OS X.

Oracle issued the latest update to Java earlier this month to fix a serious zero-day security flaw. The threat was so serious that the U.S. Department of Homeland Security had recommended that all Java 7 users disable or uninstall the software until a patch was issued.

Apple took action on its own and quietly disabled the plugin through its OS X anti-malware system. As noted by the article, Apple has again updated its OS X XProtect list, this time to block Java 7 Update 11.

Because Oracle has yet to issue a newer version of Java that addresses any outstanding issues, Mac users are prevented from running Java on their system.

Over the last few years, Apple has moved to gradually remove Java from OS X. The company dropped the Java runtime from the default installation for OS X 10.7 Lion when the operating system update launched in 2010. Java vulnerabilities have been a common exploit used by malicious hackers looking to exploit the OS X platform.

Most notably, the “Flashback” trojan that spread last year was said to have infected as many as 600,000 Macs worldwide at its peak. Apple addressed the issue by releasing a removal tool specifically tailored for the malware, and also disabled the Java runtime in its Safari web browser starting with version 5.1.7.

Oracle releases updated Java 7 Update 11 security fix, now available for download

Posted by:
Date: Monday, January 14th, 2013, 08:28
Category: News, security, Software

javaicon

Following up on the discovery of a Java 7 flaw that prompted Apple to disable the software in OS X, Oracle issued a statement saying it is currently working on a fix and released a patch over the weekend.

Oracle released the statement late Friday following a U.S. Department of Homeland Security recommendation that all Java 7 users disable or uninstall the software until a patch was issued, reports Reuters. Taking action on its own, Apple quietly disabled the plugin through its OS X anti-malware system shortly after hearing of the exploit.

The U.S. Department of Homeland Security said that Java’s most-recent vulnerability is being “attacked in the wild, and is reported to be incorporated into exploit kits.”

For its part, Oracle noted in its statement that the flaw only affects the most up-to-date version of Java 7 and Java software designed to run in Internet browsers.

Java and Apple have had a rocky relationship over the past few years, including a move to drop the Java runtime from OS X 10.7 Lion’s default installation when the OS debuted in 2010. Another flaw in Oracle’s internet plugin was responsible for the most widespread Mac malware ever when the “Flashback” trojan reportedly affected some 600,000 OS X machines in April 2012.

Apple continued efforts to deprecate Java from OS X over the past year, culminating in the company’s final official in-house Java update issued in May 2012. From that point, all responsibility for future updates was handed over to Oracle.

Oracle on Sunday released a fix to a Java 7 flaw discovered on Friday. Users can download the release here.

The update requires an Intel-based Mac running Mac OS X 10.7.3 or later to install and run.

From the release notes:
“The fixes in this Alert include a change to the default Java Security Level setting from “Medium” to “High”. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.”

If you’ve tried the Java update and have any feedback to offer, please let us know in the comments.

Hacker cites iOS 6 code as becoming more secure, offering “tougher protections”

Posted by:
Date: Wednesday, December 26th, 2012, 07:18
Category: iOS, News, security, Software

Hacking an iOS device may be getting tougher to do.

Per iPodNN, in a recent tweet, hacker i0n1c has revealed that the forthcoming iOS 6.1 update adds “again tougher protections” to the codebase even compared to iOS 6, suggesting that security has been dramatically improved.

While many users have perfectly legitimate reasons (beyond just wanting to) for jailbreaking their iOS devices, because the technique relies on finding an exploitable “hole” in the OS code that could also be used for malicious purposes, Apple is naturally very eager to close up avenues by which unofficial or dangerous code could be injected into the device — even though many “unofficial” apps are simply ones that were rejected by Apple for App Store guideline violations, mostly for altering core OS elements.

Closing down jailbreaking loopholes will also close off one of the principle sources of pirated apps, also giving Apple considerable incentive to cut off the practice. Holes in Android code are frequently used to install scamware, malware, privacy-compromising and even virus-ridden apps — a growing problem for Google, though the ability to heavily customize and “root” Android devices is a major selling point to the most technically-proficient of Android’s audience.

The hacker community believes that iOS 6 will eventually get an “untethered” (meaning “persistent through restarts”) jailbreak, but that iOS 6.1 may represent the end of the free jailbreaking road. The security may simply have reached a point where only those likely to sell any remaining exploit secrets are likely to be able to come up with any.

Apple has made security a top priority on iOS, since it is the only platform where malware is all but completely unknown. Many of the security improvements made in iOS have also been transferred to the Mac as applicable, including complete sandboxing of applications and developer “signatures” on apps.

In his tweet, i0n1c refers to a “changing of the guard” that has brought much-improved security to iOS. It’s unknown if this refers to Craig Federighi’s recent promotion to handle both iOS and OS X, or if this is a reference to Kristin Paget, a top white-hat hacker herself who is now listed on LinkedIn as a “Core OS Security Researcher” at Apple.

Stay tuned for additional details as they become available.

iOS 6 security bug in wild, reenables JavaScript under Safari without input from user

Posted by:
Date: Monday, December 24th, 2012, 08:57
Category: News, security, Software

This is the reason bug fixes were invented.

Per AppleInsider the Safari web browser in Apple’s iOS 6 platform has a potentially serious JavaScript bug that could have major security and privacy implications.

The new “Smart App Banner” feature in iOS 6 is designed to allow developers the ability to promote App Store software within Safari. The Smart App Banner detects whether a user has a specific application installed, and invites them to view the software on the App Store or open it on their iOS device.

But for users who choose to turn off JavaScript in the Safari Web browser, the appearance of a Smart App Banner on a website will automatically and permanently turn JavaScript back on without notifying the user.

iOS device owners can test this issue by opening the Settings application and choosing Safari, then turning off JavaScript. Then simply launch the Safari browser and visit a website with a Smart App Banner.

Users can then go back into the Settings application to verify that the JavaScript setting switch has been flipped back to the “on” position without warning. Accordingly, JavaScript features on websites will begin working again.

The issue has reportedly existed since the release of iOS 6 months ago, though it has not been widely reported. In addition, people familiar with the latest beta of iOS 6.1 said the problem also remains in Apple’s pre-release test software on the iPhone.

Peter Eckersley, technology products director with digital rights advocacy group the Electronic Frontier Foundation, said he would characterize such an issue as a “serious privacy and security vulnerability.”

Neither Eckersley nor the EFF had heard of the bug in iOS 6, nor had they independently tested to confirm that they were able to replicate the issue. But Eckersley said that if the problem is in fact real, it’s something that Apple should work to address as quickly as possible.

“It is a security issue, it is a privacy issue, and it is a trust issue,” Eckersley said. “Can you trust the UI to do what you told it to do? It’s certainly a bug that needs to be fixed urgently.”

But Lysa Myers, a virus hunter at security firm Intego, said she doesn’t see the bug as a major concern for the vast majority of iOS device owners.

“While this issue is certainly not an ideal situation, by itself it actually isn’t that large a problem,” said Myers. “At the moment it doesn’t pose a threat, but we’ll continue to monitor it to make sure it doesn’t become more exploitable. There’s also the fact that few people actually disable JavaScript completely as it can partially, or totally, disable the majority of websites.”

Stay tuned for additional details as they become available.