Apple adds two-step verification, other new features to iCloud security

Posted by:
Date: Friday, March 22nd, 2013, 06:44
Category: News, security, Software

When in doubt, beef up the ol’ security system a bit…

On Thursday, Apple has rolled out a new two-step verification service for iCloud and Apple ID users. This functionality greatly enhances the security of Apple accounts because it requires users to use a trusted device and an extra security code.

Per 9to5Mac, the security code can be sent via SMS or via the Find my iPhone iOS app (if it is installed). Users can now setup two-step authentication on their devices via the Apple ID web site. Users need to access the security tab on this website to conduct the setup process.

During the setup process for two-step verification, users can choose which of their iOS devices they want to be “trusted.” This new service will allow only you to be able to reset your password.

Full details can be located at the Apple ID web site.

New iOS passcode bypass bug discovered one day after iOS 6.1.3 release

Posted by:
Date: Thursday, March 21st, 2013, 07:32
Category: iOS, iPhone, News, security

Well, this is sort of awkward…

Remember how you JUST installed iOS 6.1.3 to get rid of a passcode bypass bug that would allow an unauthorized person to access the Phone app on a locked iPhone? Per iMore and The Next Web, a new bypass bug has been discovered.

The passcode bypass in the previous versions of iOS 6 required a series of well-timed taps and button presses. The result was full access to the Phone app on a locked device without entering the passcode. This new bug (not quite new, it seems to have existed prior to iOS 6.1.3) requires a sequence that’s a little easier to execute as can be seen in this video. For some reason, this bypass seems to to be more difficult to accomplish on newer, Siri-capable devices.



The bypass can be achieved using the iPhone’s Voice Dial feature. By holding the Home button on a device for a few seconds, the Voice Dial feature will come up. Issue a dial command such as “Dial 303-555-1212”, then as the call is being initiated, eject the SIM card. The iPhone detects the SIM has been removed, cancels the call, and displays an alert saying there is no SIM. Behind the alert you will see the Phone app and after dismissing the alert, you will have full access to the Phone app. As before this means you can access contact information as well as all photos on the device.

Initially thought to only be possible on non-Siri phones, reports are now coming in of this bypass being performed on the iPhone 4S and 5 as well, though it doesn’t seem to be as easily reproducible on these devices. Performing the bypass on these devices devices would also require Siri to be disabled and Voice Dial to be enabled.

Unlike the previous bug, this bypass can also easily be prevented by disabling Voice Dial. This can be done in the iPhone’s Settings app, under General > Passcode Lock, by turning the Voice Dial switch to off. With the way Apple has been handling these so far, it would not be surprising to see this fixed in a 6.1.4 update.

Stay tuned for additional details as they become available.

Apple releases iOS 6.1.3 update

Posted by:
Date: Tuesday, March 19th, 2013, 12:59
Category: iOS, iPhone, iPod Touch, News, security, Software

I’ll say this for Apple: it’s getting speedier on its iOS updates.

On Tuesday, Apple released iOS 6.1.3, a 107 megabyte download offering the following fixes for its supported iOS devices:

- Fixes a bug that could allow someone to bypass the passcode and access the Phone app.

- Improvements to Maps in Japan.

iOS 6.1.3 is available via iTunes or Over-The-Air updating and requires an iPhone 3GS, 4, 4S, 5, iPad 2, third or fourth-gen iPad, iPod Touch 4th Gen or iPad Mini to install and run.

Microsoft releases Office 2011 14.3.2, Microsoft Office 2008 12.3.6 updates for Mac

Posted by:
Date: Tuesday, March 12th, 2013, 09:17
Category: News, Software

On Tuesday, Microsoft released its Microsoft Office 2011 14.3.2 update. The update, a 118 megabyte download, adds the following fixes and features:

- This update fixes critical issues and also helps to improve security. It includes fixes for vulnerabilities that an attacker can use to overwrite the contents of your computer’s memory with malicious code.

Microsoft Office 2011 14.3.2 requires Mac OS X 10.5.8 or later to install and run.

The company also released its Office 2008 12.3.6 update, a 219.9 megabyte download (via MacUpdate), which offers the following fixes and changes:

- This update fixes critical issues and also helps to improve security. It includes fixes for vulnerabilities that an attacker can use to overwrite the contents of your computer’s memory with malicious code.

Microsoft Office 2008 12.3.6 requires Mac OS X 10.4.9 or later to install and run.

Security firm Skycure illustrates possible hacking attacks through iOS’ use of Provisioning Profiles

Posted by:
Date: Tuesday, March 12th, 2013, 07:41
Category: iOS, iPhone, News, security, Software

In the words of assorted security analysts, Apple may be setting itself up for a malware fall thanks to its Provisioning Profiles.

Per The Next Web, while iOS users have been relatively safe from malware on their devices, researchers from security company Skycure say they’re concerned about a feature of iOS that could be used by malicious actors to read information, passwords and even encrypted data from devices without customers knowledge. They’ve detailed the new vulnerability in a presentation at the Herzliya Conference and a company blog post.

It’s worth noting at the beginning that Skycure’s product, still in development, is a mobile firewall with a cloud component designed to secure devices against attacks just like these. This isn’t all that unusual, though, as many security firms like Sophos and Intego produce research reports along with consulting and security products.

Provisioning Profiles (mobileconfigs) are small files installed with a single tap on iOS devices. They essentially function as instruction lists which can alter many settings, including network configurations and they’re used by thousands of companies around the world including app developers, corporations with IT departments and more.

Their use is officially approved by Apple and there is nothing innately malicious about any given profile. But, if put to the right uses, they do open up the ability to read usernames and passwords right off of a screen, transmit data that would normally be secure (over HTTPS) to a malicious server where it can be read and a lot more.

In a demonstration, Skycure’s CTO Yair Amit and CEO Adi Sharabani sent the author to a website where a link was offered. A provisioning profile was presented, installed and led to a screen that looked a lot like a phishing attempt, which requires an action on the part of a user in order to infect or grant access to a hacker.

After the profile was installed, Sharabani demonstrated that he could not only read exactly which websites the author had visited, but also scrape keystrokes, searches and login data from apps like Facebook and LinkedIn. To be perfectly clear, this is not a vulnerability within iOS, instead it uses standardized frameworks to deliver a profile that has malicious intent.

iOS has typically been far more secure than other platforms because of its heavy use of curation on the App Store, but also because it has been built from the ground up to use sandboxing. This means that apps are cordoned off, unable to reach outside of their data box or to affect any other apps that have not given them explicit permission to do so.

Provisioning Profiles step outside of that protection and can do things like route all of a victim’s traffic through a third-party server, install root certificates allowing for interception and decryption of secure HTTPS traffic and more.

Sharabani provides a couple of scenarios by which people could be convinced to install what seems like a harmless provisioning profile, only to be a victim of a traffic re-routing attack:

- Victims browse to an attacker-controlled website, which promises them free access to popular movies and TV shows. In order to get the free access, “all they have to do” is to install an iOS profile that will “configure” their devices accordingly.

- Victims receive a mail that promises them a “better battery performance” or just “something cool to watch” upon installation.

The attacks, Sharabani stated, can be configured to use a VPN, APN proxy or a wireless proxy (WiFi), so just because you’re not on a WiFi network doesn’t mean that the profile can’t send your traffic to a third-party. This also means that (unlike a VPN, where there is an indicator in your status bar), you could also be affected by the hack without your knowledge. Of course, you would still have had to install a profile in the first place.

For the third attack scenario, Skycure came up with a list of cellular carriers that ask clients to install a special profile that configures their device to work with that network’s data servers. Of course, those sites could end up being compromised to deliver corrupted profiles, but it’s bound to be harder to do if it’s the carrier’s own servers doing the distribution.

As of now, no evidence has been found of a Provisioning Profile attack in the wild. And, to be extremely blunt once again, you are not at risk at all if you don’t install any profiles to your device, period. And if you have to, make sure that those profiles are from a trusted source and are verified. You should also only download and install profiles from ‘secure’ HTTPS links.

The disclosure of the issue, Sharabani says, is really about raising awareness, rather than starting a panic. While the attacks can be powerful and harmful, the Provisioning Profile attack, much like phishing, relies on user ignorance. Just as you wouldn’t type your password into a page provided as a random link, don’t install profiles from websites that you don’t know and avoid them completely if at all possible.

Because of the deep integration of Provisioning Profiles into the workflows of IT departments and other companies, it’s unlikely that they’ll be going away any time soon. So the best defense for now is knowledge and care.

Stay tuned for additional details as they become available.

Google Chrome updated to 25.0.1364.160

Posted by:
Date: Friday, March 8th, 2013, 07:52
Category: News, security, Software

google-chrome-logo

You can’t fault a company for regularly updating its software.

On Friday, Google released version 25.0.1364.160 of its Chrome web browser. The update, a 48.8 megabyte download, adds the following fixes and changes:

- [Fixed] High CVE-2013-0912: Type confusion in WebKit.

Google Chrome 25.0.1364.160 requires an Intel-based Mac with Mac OS X 10.6 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Oracle releases emergency Java patch, advises users to update to latest version

Posted by:
Date: Tuesday, March 5th, 2013, 08:58
Category: News, security, Software

javaicon

This is why updates were invented.

Per CNET, in response to discovering that hackers were actively exploiting two vulnerabilities in Java running in Web browsers, Oracle has released an emergency patch that it says should deal with the problem.

“These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password,” Oracle wrote in a security alert on Monday. “For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.”

Hackers were recently found using one of the vulnerabilities to get into users’ computers and install McRAT malware. Once installed, McRAT works to contact command, control servers, and copy itself into all files in Windows systems.

Only days after scheduling its last zero-day vulnerability in February, Oracle found these two new exploits. Rather than wait to include the patch in its scheduled quarterly April update, Oracle issued the emergency patch on Monday.

“In order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible,” Oracle software security assurance director Eric Maurice wrote in a blog post today.

According to Oracle, the most recent vulnerabilities are only applicable to Java running in Web browsers — they don’t affect Java running on servers, standalone Java desktop applications, or embedded Java applications. They also do not affect Oracle server-based software.

Users can install and update their Java software by going to the Java Web site or through the Java auto update.

Stay tuned for additional details as they become available.

Apple releases Java 2013-002 update for Mac OS X 10.7, 10.8 operating systems, Java for Mac OS X 10.6 Update 14

Posted by:
Date: Tuesday, March 5th, 2013, 07:38
Category: News, security, Software

applelogo_silver

A security update never truly goes unappreciated.

Following up on recently discovered zero-day Java security holes, Apple releases Java updates for its Mac OS X 10.6, 10.7 and 10.8 operating systems.

The first update, Java for Mac OS X 10.6 Update 14, stands as a 72.8 megabyte download and offers the following fixes and changes:

- Delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_41.

The update requires an Intel-based Mac running Mac OS X 10.6.8 or later to install and run.

The second update, Apple Java 2013-002, stands as a 68.3 megabyte download and offers the following fixes and changes:

- Uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.

- Removes the Java Preferences application, which is no longer required to configure applet settings.

The update requires an Intel-based Mac running Mac OS X 10.7 or later to install and run.

The updates can be located, snagged and installed via the Software Update feature built into the Mac OS X operating system.

If you’ve tried the updates and have any feedback to offer, please let us know in the comments.

Adobe Reader, Acrobat Pro updated to 11.0.02, add security fixes

Posted by:
Date: Wednesday, February 20th, 2013, 12:40
Category: News, Software

You can’t argue with a security update…

On Wednesday, Adobe released version 11.0.02 of its Adobe Reader and Adobe Acrobat Pro applications. The updates, which can also be snagged through the Adobe Update Utility, add the following fixes and changes:

- This full installer provides mitigation for specific security issues. For additional release details, see the Release Notes.

Acrobat Reader 11.0.02 and Acrobat Pro 11.0.02 require an Intel-based processor and Mac OS X 10.6.4 or later to install and run.

If you’ve tried the new versions and noticed any differences, please let us know what you think.

Apple releases Java updates for Mac OS X 10.6, 10.7, 10.8 operating systems

Posted by:
Date: Wednesday, February 20th, 2013, 07:17
Category: News, security, Software

applelogo_silver

Well, this is a bit awkward.

Following up on a recent, wide-ranging malware attack, Apple releases Java updates for its Mac OS X 10.6, 10.7 and 10.8 operating systems.

The first update, Java for Mac OS X 10.6 Update 13, stands as a 69.32 megabyte download and offers the following fixes and changes:

- Java for OS X 10.6 Update 13 delivers improved security, reliability, and compatibility for Java SE 6.

- Java for OS X 10.6 Update 13 supersedes all previous versions of Java for OS X v10.6.

The update requires an Intel-based Mac running Mac OS X 10.6.8 or later to install and run.

The company also addressed its Mac OS X 10.7 and 10.8 user base, releasing its Apple Java 2013-001 update, a 67 megabyte download that offers the following fixes and changes:

- Java for OS X 2013-001 delivers improved security, reliability, and compatibility for Java SE 6.

- Java for OS X 2013-001 supersedes all previous versions of Java for OS X.

The update requires an Intel-based Mac running Mac OS X 10.7 or later to install and run.

The updates can be located, snagged and installed via the Software Update feature built into the Mac OS X operating system.

If you’ve tried the updates and have any feedback to offer, please let us know in the comments.