Security hole discovered in Facebook, Dropbox apps for iOS, physical connection needed to exploit it (updated)

Posted by:
Date: Friday, April 6th, 2012, 07:26
Category: security, Software

You’re probably not going to like this.

According to security researcher Gareth Wright and The Next Web, a fairly prominent security hole has been discovered in the popular Facebook and Dropbox iOS apps. The good news is that someone would have to have physical access to your iPhone, and you’d have to allow them to plug it into their Mac, then allow them to do a bunch of business on your phone to grab a plain text file from inside these apps, then they’d have to go and do something malicious on your Facebook or Dropbox accounts.

Although many have reported jailbreak is required to access this hole, that is simply not true. A Mac app like iExplorer, which allows you to open app folders on an iPhone, will allow you to access the security hole.

According to The Unofficial Apple Weblog, it works like this: iOS apps use .plist files (aka property list files) to store all sorts of little things about an app. In this case, Dropbox and Facebook are apparently using an unencrypted property list to store both the OAuth key and its secret counterpart.

By using iExplorer to find the right plist, that file can be copied and dropped into another device, which would then be able to access your account as though you had already logged in. Using a property list in this way leaves us scratching our heads.
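As an added example (not code from the article, Facebook or Dropbox), a small Python audit that parses an app's .plist and flags entries that look like stored credentials, the kind of check a developer runs before shipping to catch exactly the storage mistake described above. The sample plist, its key names and token values are constructed.

```python
import math
import plistlib
import re
from typing import Any, Iterator

# Key names that commonly hold credentials; a match is flagged regardless of value.
SENSITIVE_KEY_RE = re.compile(r"oauth|token|secret|passw|session|auth|credential", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens land well above 3.5, prose and paths below."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0

def walk(node: Any, path: str = "", key: str = "") -> Iterator[tuple[str, str, Any]]:
    """Yield (dotted path, nearest dict key, value) for every scalar leaf in a parsed plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else str(k), str(k))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, node

def find_plaintext_secrets(plist_bytes: bytes, min_len: int = 20, min_entropy: float = 3.5) -> list[str]:
    """Return paths of leaves whose key name looks credential-like, or whose value is a
    long, high-entropy string (a token parked under an innocuous key name)."""
    hits = []
    for path, key, value in walk(plistlib.loads(plist_bytes)):
        if SENSITIVE_KEY_RE.search(key):
            hits.append(path)
        elif (isinstance(value, str) and len(value) >= min_len
              and " " not in value and shannon_entropy(value) >= min_entropy):
            hits.append(path)
    return hits

# Constructed sample resembling the kind of preferences file the article describes;
# the token values are placeholders, not real credentials.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppVersion</key><string>4.1.1</string>
  <key>LastSyncFolder</key><string>/Photos</string>
  <key>CacheTag</key><string>q7Zp2Lx9Vt4Rm8Kw1Yn6Hb3Jd5Fg0Sa</string>
  <key>Account</key>
  <dict>
    <key>Email</key><string>user@example.com</string>
    <key>oauth_token</key><string>CONSTRUCTED-TOKEN-8f3a1c9e7b2d4056</string>
    <key>oauth_token_secret</key><string>CONSTRUCTED-SECRET-51e9ac0d7f3b2e84</string>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for p in find_plaintext_secrets(SAMPLE_PLIST):
        print("plaintext credential candidate:", p)
```

Anything the audit flags belongs in the iOS Keychain (or an equivalent protected store) rather than in a file readable by a desktop file browser.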

Facebook issued a comment saying they will patch this soon and a representative with Dropbox offered the following comment:

“Dropbox’s Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.”

Stay tuned for additional details as they become available.

Apple releases Digital Camera Raw Compatibility Update 3.12

Posted by:
Date: Friday, April 6th, 2012, 07:47
Category: News, Software


Early Friday, Apple posted its Digital Camera Raw Compatibility Update 3.12, an update designed to extend RAW image compatibility for the Aperture 3 and iPhoto ’11 applications.

The update, a 7.6 megabyte download, adds support for the following camera:

– Canon EOS 5D Mark III

The update requires Mac OS X 10.5.8 or later to install and run and is also available via Mac OS X’s built-in Software Update feature.

If you’ve tried the new Digital Camera RAW update and noticed any changes, please let us know how it went.

Apple releases Java for OS X 2012-002 update, offers potential fixes for Flashback trojan

Posted by:
Date: Friday, April 6th, 2012, 06:40
Category: News, Software


It’s been a strange week for Java on the Mac.

Per AppleInsider, Apple on Thursday rolled out its second Java update for Mac OS X in less than a week via Software Update.

Java for OS X 2012-002 appeared on Software Update just two days after version 2012-001 was released on Tuesday. Apple also released Java for Mac OS X 10.6 Update 7 earlier in the week. The updater, a 63.8 megabyte download, requires an Intel-based Mac running Mac OS X 10.7 or later to install and run.

It’s not immediately clear, however, how the most recent update differs from the earlier version, as Apple’s links for more detail and information point to the same page as the old update. Java for OS X 2012-001 resolved multiple vulnerabilities in Java, the most serious of which could “allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.”

On Wednesday, a Russian antivirus company revealed that an estimated 600,000 Macs had been infected by a “Flashback” trojan that exploited the Java vulnerability to turn the computers into bots. The majority of the infected computers were located in the U.S.

The virus was first discovered by a security firm last September. F-Secure has posted a tutorial on how to detect and remove the trojan.

Stay tuned for additional details as they become available.

Skype updated to 5.6.0.203

Posted by:
Date: Thursday, April 5th, 2012, 07:20
Category: News, Software


On Tuesday, version 5.6.0.203 of the Skype VoIP application was released. The new version, a 22.7 megabyte download, offers the following fixes and changes:

– Automatic Updates

– Improved UI for group video calling.

– New full screen mode in OS X Lion.

– Ability to delete conversations.

– Ability to disable Audio Gain Control.

Skype 5.6.0.203 is available for free and requires Mac OS X 10.5.8 or later to install and run.

If you’ve tried the new version and have any feedback to offer, please let us know.

Five regional U.S. wireless carriers to offer iPhone units, service starting April 20th

Posted by:
Date: Wednesday, April 4th, 2012, 11:45
Category: iPhone, News

If you felt left out of the iPhone party, there’s a decent chance it’s coming to your area.

Per AppleInsider, a total of five regional U.S. carriers announced on Wednesday that they will begin selling Apple’s iPhone on April 20, as Alaska Communications, GCI, Appalachian Wireless and Cellcom join an earlier announcement from nTelos.

The iPhone 4S will become available to customers of the five regional U.S. carriers on April 20. It will be sold for US$50 less than its traditional subsidized price at other carriers, starting at US$150 for the 16-gigabyte model, US$250 for 32 gigabytes, and US$350 for 64 gigabytes. The 8-gigabyte iPhone 4 will also be available for US$50.

And one of the carriers announced Wednesday, GCI, has a GSM network, which means it will also be able to offer Apple’s iPhone 3GS for free with a two-year contract.

Two of the carriers announced on Wednesday are based out of Alaska: Alaska Communications and GCI. The iPhone 4S will be available through Alaska Communications from its 14 retail stores, as well as the company’s website.

The carrier offers nationwide unlimited talk plans for US$90 with 2 gigabytes of data, while adding unlimited texting brings the monthly cost to US$101 and bumps the data cap up to 5 gigabytes. The subsidized iPhone pricing requires a two-year service contract.

Cellcom offers wireless service in parts of Michigan and Wisconsin, while Appalachian Wireless is based in Kentucky.

The announcement of four more carriers as official Apple partners came on the same day that nTelos Wireless was also revealed. nTelos will also begin selling the iPhone 4S on April 20 to its more than 400,000 subscribers.

Apple began expanding availability of the iPhone to smaller, regional carriers last October when a deal with C Spire Wireless was announced. That carrier has about 900,000 customers.

Stay tuned for additional details as they become available.

nTelos regional wireless carrier to carry iPhone 4, 4S units

Posted by:
Date: Wednesday, April 4th, 2012, 07:33
Category: iPhone, News

nTelos Wireless, a Virginia-based wireless company with more than 400,000 subscribers, will become the fifth U.S. carrier to sell Apple’s iPhone when it launches on April 20.

Per AppleInsider, nTelos is the second regional carrier to partner with Apple, as the company began expanding to smaller U.S. carriers last October when it struck a deal with C Spire Wireless, which has about 900,000 customers.

The 8-gigabyte iPhone 4 will be available through nTelos for US$50, while the 16-gigabyte iPhone 4S can be had for US$150, 32 gigabytes for US$250, and 64 gigabytes for US$350. Those contract-subsidized prices are all US$50 cheaper than the offerings from the company’s competitors.

nTelos offers unlimited voice, text and data for one line for US$100 per month. Two lines can be purchased for US$140 per month, and additional lines after that cost US$50 each.

Availability of the iPhone to nTelos is possible because the carrier relies on a CDMA network, similar to the technology that powers Verizon and Sprint’s wireless networks.

As of Wednesday, the iPhone 4S is listed as “coming soon” on the nTelos Wireless website. Sales will officially begin at 7 a.m. on April 20 through nTelos retail stores, at the company’s website, or by calling 1-888-427-8858.

nTelos offers nationwide voice and data coverage for subscribers based in Virginia and West Virginia, along with portions of Maryland, North Carolina, Pennsylvania, Ohio, and Kentucky.

When the iPhone launches with nTelos, it will join AT&T, Verizon, Sprint and C Spire as one of five official U.S. carriers. The one glaring omission from the list of official Apple partners is T-Mobile, which is the fourth-largest wireless carrier in the U.S. with 34 million customers.

T-Mobile’s lack of access to the iPhone is a result of the company’s 3G service relying on the uncommon 1700MHz and 2100MHz bands, which are not supported by Apple’s smartphone. Users who operate an unlocked iPhone on T-Mobile’s network are restricted to much slower “EDGE” speeds.

Stay tuned for additional details as they become available.

Apple releases Java for Mac OS X 10.6 Update 7, Java for Mac OS X Lion 2012-001 updates

Posted by:
Date: Wednesday, April 4th, 2012, 06:51
Category: News, Software


Have updates, will travel.

Late Tuesday, Apple released Java for Mac OS X 10.6 Update 7, providing “improved reliability, security and compatibility.” The 76 megabyte download requires Mac OS X 10.6.8 to install and run.

The company also released Java for Mac OS X Lion 2012-001, which claims to offer improved compatibility, security and reliability. The download comes in at 63.8 megabytes and requires OS X 10.7 or later to install and run.

The updates, which can be located, downloaded and installed via Mac OS X’s Software Update feature, focus on multiple vulnerabilities that exist in Java 1.6.0_29, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. If you’ve tried the new versions and have any feedback to offer, please let us know in the comments.

SpamSieve updated to 2.9

Posted by:
Date: Tuesday, April 3rd, 2012, 08:07
Category: News, Software


Michael Tsai’s must-have shareware program, SpamSieve, has just been updated to version 2.9. The new version, an 8.8 megabyte download, adds the following fixes and improvements:

– Added support for upcoming versions of Mac OS X.

– Made various changes to improve SpamSieve’s filtering accuracy.

– SpamSieve is now code-signed using a Developer ID certificate for Gatekeeper.

– When training an Exchange message as good in Apple Mail, SpamSieve is better at moving it to the proper inbox.

– Processing incoming messages with Outlook is more efficient. To take advantage of this change, choose Install Outlook Scripts from the SpamSieve menu.

– If you’ve used the SpamSieve – Change Settings command in Apple Mail to tell SpamSieve not to use a local spam mailbox, training a message as spam will now try to move the message to a spam mailbox on the same server account, rather than always using the first account.

– Added support for training messages as spam via Herald (version 2.1.2 and later), a notification plug-in for Apple Mail.

– When sorting spam messages by color in Apple Mail, you can now use Grey as a synonym for Gray.

– The score script command has a new auto training parameter that can be used to override the setting in the preferences on a case-by-case basis. This might be useful, for example, if you’re writing an AppleScript to triage messages that have already been classified, and you just want to get SpamSieve’s opinion without having to make any corrections.

– Adjusted the drone AppleScripts so that they’re easier to troubleshoot.

– If Apple Mail gives SpamSieve empty data for a message, the plug-in now assumes the message is good and does not pass it on to SpamSieve for analysis.

– Added support for Growl notifications via GNTP (requires Mac OS X 10.7 or later).

– SpamSieve is better at handling file permission errors.

– SpamSieve is better at handling errors when running helper tools.

– Improved SpamSieve’s ability to still function when the application package is damaged.

– Added the AddStandardRules esoteric preference, which lets you prevent SpamSieve from creating its built-in blocklist and whitelist rules if you prefer to manage the rules yourself.

– Fixed a bug that could reduce SpamSieve’s filtering accuracy for some messages with attached files.

– Made various improvements to the documentation.

– Updated the German localization.

SpamSieve is available for a US$30 registration fee and requires Mac OS X 10.4 or later to run. The new version can either be downloaded directly from the web site or brought up to the current version via the program’s built-in update feature.

If you’ve tried the new version and have any feedback to offer, let us know in the comments.

Rumor: Fifth-generation iPhone could surface in June

Posted by:
Date: Tuesday, April 3rd, 2012, 07:46
Category: iPhone, Rumor

It’s the rumors that keep things interesting, except this time it’s coming from a stranger source than usual.

Per Macotakara, a recruiter for Foxconn’s growing Taiyuan plant may have inadvertently spoiled some of Apple’s 2012 iPhone plans. When interviewed by TV-Tokyo [past the 6-minute mark], the staffer said the plant was explicitly hiring 18,000 workers “for the fifth-generation phone.” He expected the phone to come out in June.

As a recruiter and not a direct product overseer, the Foxconn worker’s knowledge of what would be happening isn’t certain. If accurate, he may only know enough for a recruiting drive and may not have the full picture. The phone may only be shipping or starting production in June, which could put a launch weeks or months later.

The interview could still be a sign that Apple won’t wait until fall for its next revision and that the October release of the iPhone 4S was a singular exception rather than the start of a new pattern. Based on new iPad components, many now anticipate Apple jumping to LTE support. It might also get an A6 processor that wasn’t ready in time for the new iPad. Conflicting rumors have left debate open as to whether or not there will be a larger screen.

Stay tuned for additional details as they become available.

Flashback trojan changes tactics, can now install on your Mac without a password

Posted by:
Date: Monday, April 2nd, 2012, 15:43
Category: News, security, Software

Well, you’ve gotta admit, they’re persistent.

Per Macworld and F-Secure, the Flashback Mac trojan uncovered by security firm Intego last year can now infect your computer from little more than a visit to a website.

Originally, Flashback masqueraded as an installer for Adobe’s Flash Player. The malware has since changed tack at least once, instead pretending to be a Mac software update or a Java updater.

The latest variant, discovered by security researchers at F-Secure and dubbed OSX/Flashback.K, takes advantage of a weakness in Java SE6. That vulnerability, identified as CVE-2012-0507, allows the malware to install itself from a malicious website the user visits, without needing the user to enter an administrator’s password.

No fix is currently available for this vulnerability on the Mac, although the hole was patched in Java for Windows back in February. Unfortunately, Apple has long been criticized for lagging behind Windows when it comes to updating Java for security patches. However, given that Apple rolls out updates every few months, it seems likely that the company will distribute a patch in the not too distant future.

Until then, F-Secure suggests users deactivate Java on their Macs. The company has also given instructions for checking if your system is currently infected by the Flashback Trojan.

It’s also worth noting that the Java vulnerability has recently been included in the popular BlackHole exploit kit used by many attackers.

While there’s no need for widespread panic, the fact that this latest version of the malware can install itself without the user’s password is enough of a reason for concern that some precautions are necessary. Disabling Java is a good step, but the first line of defense is, as always, to be cognizant of the websites you visit and use common sense.

Stay tuned for additional details as they become available.