Google Chrome for OS X goes 64-bit

Posted by:
Date: Thursday, November 20th, 2014, 16:40
Category: News, Software

chromeicon

If you were hankering for a 64-bit version of Google Chrome for OS X, it’s finally arrived.

Safari has been 64-bit since OS X 10.6 (August 2009) and Firefox has been 64-bit since version 4 (2011). Incidentally, a 64-bit web browser is required to run Oracle Java on OS X.

Per Google’s Chrome Releases Blog, the Chrome team promoted v.39 to the stable channel for Windows, Mac and Linux. Google Chrome 39.0.2171.65 contains a number of fixes and improvements, including 64-bit support for Mac, a number of new apps/extension APIs, lots of under the hood changes for stability and performance.

Chrome 39 will arrive through an automatic update (if you have that feature enabled). If you don’t, you can download it from Google.

(more…)

WireLurker security paper released, discusses potential next generation of OS X, iOS malware

Posted by:
Date: Friday, November 7th, 2014, 02:30
Category: iOS, News, security

trojanhorse

Not that you should be entirely paranoid about malware on your OS X and iOS devices, but a little caution couldn’t hurt.

Per Palo Alto Networks, a new paper has been published on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months. It’s believed that WireLurker could herald in a new generation of malware on Apple’s desktop and mobile platforms given the following characteristics:
- It is only the second known malware family that attacks iOS devices through OS X via USB.

- It is the first malware to automate generation of malicious iOS applications, through binary file replacement.

- It is the first known malware that can infect installed iOS applications similar to a traditional virus.

- It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning.

WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.

(more…)

Security researcher finds unsaved files are automatically saved into iCloud

Posted by:
Date: Wednesday, November 5th, 2014, 17:10
Category: iCloud, News, security

icloudicon

This may not be what Apple intended to have happen with iCloud.

And there may be a patch coming for it posthaste.

According to Slate, security researcher Jeffrey Paul recently noticed that Apple’s default autosave is storing in-progress files—the ones you haven’t explicitly saved yet—in the cloud, not on your hard drive. Unless you decided to hit save before you start typing, or manually changed the default settings, those meeting notes, passwords, and credit card numbers you jotted down in “Untitled 17” are living in iCloud.

Although this issue seems to be a recent phenomenon, it appears that it’s been happening since at least December of 2013, according to Apple’s Knowledge Base, and it doesn’t just affect TextEdit, but also Preview, Pages, Numbers, and Keynote. Hopefully there wasn’t anything sensitive on those screenshots, spreadsheets, presentations, and documents you haven’t yet saved, or you were using other programs. Luckily, Word for Mac files don’t seem to be affected in this way.

You can turn off this surreptitious feature in Documents & Data —> Apple —> System Preferences —> iCloud —> Documents & Data, or you can save your empty file before you even start typing. But that’s not really the point. The problem is that users intuitively expect their in-progress documents to be saved locally, but these files are being stored on the Cloud instead.

(more…)

Hours after citing capable security, CurrentC announces unauthorized access of users’ email accounts

Posted by:
Date: Wednesday, October 29th, 2014, 16:35
Category: Finance, iOS, News, security, Uncategorized

currentc

Hubris, anyone?

Just hours after publishing a blog post answering some questions about its upcoming CurrentC mobile payments system and touting the security of its cloud-based storage of sensitive information, the company behind the effort, Merchant Customer Exchange (MCX) has alerted users of unauthorized access to their email addresses.

Per MacRumors, the company released the following statement:

Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.

Details on the unauthorized access have not been disclosed, but reporter Nick Arnott of iMore took some time earlier this week took a look at some of the personal information being collected by MCX and CurrentC and noted that he could ping CurrentC’s systems to look for valid registered email addresses on the system. While he did not find valid addresses, the system appeared capable of returning a substantial amount of personal information about such accounts.

(more…)

Apple announces end to SSL 3.0 notifications on October 29th in wake of POODLE vulnerability

Posted by:
Date: Thursday, October 23rd, 2014, 08:05
Category: iOS, News, security, Software

applelogo1

Sometimes you’ve got to drop back and punt.

Per the Apple developer web site and AppleInsider, Apple announced on Wednesday that it will be removing support for the SSL 3.0 protocol on its Apple Push Notification server.

Apple will be switching off SSL 3.0 support in favor of the more secure transport layer security (TSL) protocol on Wednesday, Oct. 29, noting developers will have to build in support by that time to ensure uninterrupted push notification service continues.

Apps currently using both SSL 3.0 and TSL will not be affected by the change, but those using just SSL 3.0 will need to be updated.

Apple has disabled SSL 3.0 on the Provider Communication interface in the developer environment, offering developers a way to check their apps for compatibility. More information is available through Apple’s Developer Portal.

(more…)

iWorm trojan quietly added to Apple’s Xprotect definition list

Posted by:
Date: Wednesday, October 8th, 2014, 10:46
Category: News, security, Software, Uncategorized

The bad news is that there’s another chunk of malware on the OS X platform to worry about.

The good news is that Apple included a backdoor fix over the weekend to take care of it.

Per The Mac Observer, Apple pushed an update to its Xprotect malware list for the Mac that includes the Mac.BackDoor.iWorm malware over the weekend. Xprotect watches for telltale signatures from known malware threats and attempts to stop them from invading your computer.

The iWorm threat installs through a Trojan horse masquerading as an installer for other apps. Mac owners that have fallen victim to iWorm picked up the malware through installers for pirated apps such as Adobe Photoshop.

iworm

Once installed, iWorm looks to Reddit for posts that include server addresses it can link to for instructions on what nasty activities it should undertake. Reddit has shut down the forum iWorm checked, but that doesn’t mean hackers won’t be able to find an alternate method for delivering server locations.

(more…)

Shellshock fix posted for Mac OS X 10.4 to Mac OS X 10.6.8 operating systems

Posted by:
Date: Monday, October 6th, 2014, 10:35
Category: News, security, Software

unixterminal

This suggestion came in over the weekend from one Larry Macy, Ph.D over at the University of Pennsylvania and it’s pretty interesting.

For those of you still running Mac OS X 10.4 to Mac OS X 10.6.8, a workaround has been discovered for the recently discovered Shellshock bash vulnerabilities. Per Macy, the process replaces bash and sh with a new version of bash.

(more…)

Apple launches Find My iPhone page to help cut down on stolen iOS device purchases

Posted by:
Date: Friday, October 3rd, 2014, 11:18
Category: iOS, iPad, iPhone, iPod Touch, News, security, Software

This might prove useful.

This week, Apple launched a web-based tool to check the Activation Lock status of iOS devices such as iPhones, iPads and iPod Touches. Here, users can go to a web site, enter the device’s IMEI number or serial number and see if the Find My iPhone feature has been activated.

(more…)

Rumor: PayPal excluded from Apple Pay service providers due to relationship with Samsung

Posted by:
Date: Wednesday, October 1st, 2014, 11:27
Category: retail, Rumor, Uncategorized

paypallogo

It’s inevitable: competition and past legal strife creates some awkward scenarios.

Per The Unofficial Apple Weblog and BankInnovation, PayPal was conspicuously absent from Apple’s list of secured partnerships when Apple Pay was announced in September. Now comes word that PayPal was initially part of Apple’s vision of Apple Pay, but that negotiations fell apart due to Pay Pal’s relationship with Samsung.

Apple and PayPal started talking early on in Apple’s development of Apple Pay, as Apple was setting up partnerships with the card issuing banks and card networks. Since PayPal’s a payments industry leader, it would have been shortsighted for Apple to not reach out to PayPal.

But while these talks were going on, PayPal went ahead and partnered with Samsung on the Galaxy S5 fingerprint scanner, a move that was reportedly forced onto PayPal by eBay CEO John Donahoe. PayPal’s now-former president David Marcus was purportedly categorically against the Samsung deal, knowing that it would jeopardize PayPal’s relationship with Apple. Donahoe won the day, however.

(more…)

Apple patches Shellshock vulnerability, but it’s not in Software Update

Posted by:
Date: Wednesday, October 1st, 2014, 01:24
Category: OS X, security

OS X bash Update 1.0 for OS X Mavericks released to address Shellshock bug on Macs

Apple released OS X bash Update 1.0 for OS X Mavericks to fix a vulnerability in the bash UNIX shell. “Shellshock” is believed to be much worse than the Heartbleed vulnerability that was discovered earlier this year.

PC Magazine wrote about two scenarios that can make OS X vulnerable to the Shellshock bash bug:

For example, Bash would be exposed if a user turned on the remote login capability for all users, including guests. But that is an action that “is probably not the most secure thing to do anyway,” Erwin wrote, as it would open up the computer to other possible attacks.

Another scenario in which adjusted settings could make a difference is on a Lion OS X server running Apache or PHP scripting environments, Erwin wrote. If Apache is configured to run scripts, an attacker could insert variables into a script that a Bash shell would run.

Curiously, OS X bash Update 1.0 isn’t available through the usual channel (the Updates tab in the App Store). It needs to be downloaded and installed manually. Based on the potential impacts of the bug it’s recommended that all OS X 10.9/Mavericks users install OS X bash Update 1.0 right away.