Apple quietly disables Oracle’s Java 7 Update 11 fix via XProtect anti-malware feature in OS X

Date: Thursday, January 31st, 2013, 08:19
Category: News, security, Software


When it comes to Java, there’s always an argument to be had between Apple and Oracle.

Per MacGeneration, the recently released Java 7 Update 11 has been blocked by Apple through its XProtect anti-malware feature in OS X.

Oracle issued the latest update to Java earlier this month to fix a serious zero-day security flaw. The threat was so serious that the U.S. Department of Homeland Security had recommended that all Java 7 users disable or uninstall the software until a patch was issued.

Apple took action on its own and quietly disabled the plugin through its OS X anti-malware system. As noted by the article, Apple has again updated its OS X XProtect list, this time to block Java 7 Update 11.

Because Oracle has yet to issue a newer version of Java that addresses any outstanding issues, Mac users are prevented from running Java on their system.

Over the last few years, Apple has moved to gradually remove Java from OS X. The company dropped the Java runtime from the default installation for OS X 10.7 Lion when the operating system update launched in 2010. Java vulnerabilities have been a common attack vector for malicious hackers targeting the OS X platform.

Most notably, the “Flashback” trojan that spread last year was said to have infected as many as 600,000 Macs worldwide at its peak. Apple addressed the issue by releasing a removal tool specifically tailored for the malware, and also disabled the Java runtime in its Safari web browser starting with version 5.1.7.

Opera web browser updated to 12.13.1734

Date: Wednesday, January 30th, 2013, 08:16
Category: News, Software


Late Thursday, Opera Software released version 12.13.1734 of its web browser. The new version, a 20.3 megabyte download via MacUpdate, boasts the following fixes and changes:

General and User Interface:
- Fixed an issue where Opera gets internal communication errors on Facebook.

- Fixed an issue where no webpages load on startup, if Opera is disconnected from the Internet.

- Fixed an issue where images will not load after back navigation, when a site uses the HTML5 history API (deviantart.com).

Linux and Windows:
- A new stand-alone update-checker, as part of a planned upgrade of the auto-update system.

Windows:
- Improved protection against hijacking of the default search, including a one-time reset.

Security:
- Fixed an issue where DOM events manipulation might be used to execute arbitrary code, as reported by Arthur Gerkis; see our advisory.

- Fixed an issue where use of SVG clipPaths could allow execution of arbitrary code, as reported by anonymous via the iSIGHT Partners GVP Program; see our advisory.

- Fixed a low severity security issue; details will be disclosed at a later date.

- Fixed an issue where CORS requests could omit the preflight request, as reported by webpentest; see our advisory.

Opera 12.13.1734 is available for free and requires an Intel-based Mac running Mac OS X 10.5.8 or later to install and run.

Rumor: Apple prepping iOS 6.1 beta, build expected to go Golden Master

Date: Monday, January 14th, 2013, 07:51
Category: iOS, News, Software

Just the term “golden master” sounds pretty awesome.

Per German web site iFun, Apple is said to be internally testing a new beta of iOS 6.1 that is expected to be the golden master build, suggesting the software is nearly ready to be released to the public.

Citing a “reliable source,” the web site reported Friday that the fifth beta of iOS 6.1 is about to be released to developers. The software is said to have gone through “extensive internal testing,” and if all goes well it will be the golden master of the software.

The software is expected to be released to developers either on Friday or potentially on Monday.

Apple began supplying beta builds of iOS 6.1 to its development community in early November. To date, there have been four betas seeded, the most recent arriving in mid-December.

Changes in iOS 6.1 are mostly minor, with the most significant user-facing additions including the ability to purchase movie tickets through Fandango with Siri, and a new prompt that asks users to enter security questions for iCloud when setting up their device for the first time.

For developers, iOS 6.1 includes an enhanced Map Kit framework that will allow third-party applications to search for map-based addresses based on points of interest. For example, a user could search the term “coffee” and the new framework would return the location of local coffee bars along with information about each one.

iOS 6.1 builds released to date have been compatible with the iPhone 5, iPhone 4S, iPhone 4, and iPhone 3GS; fourth-, third-, and second-generation iPad; iPad mini; and fifth- and fourth-generation iPod touch.

Stay tuned for additional details as they become available.

Google Chrome updated to 24.0.1312.52

Date: Friday, January 11th, 2013, 07:43
Category: News, Software


If you love Google Chrome, it’s your lucky day.

Late Thursday, Google released version 24.0.1312.52 of its Chrome web browser. The update, a 46.8 megabyte download, adds the following fixes and changes:

- [$1000] [162494] High CVE-2012-5145: Use-after-free in SVG layout. Credit to Atte Kettunen of OUSPG.

- [$4000] [165622] High CVE-2012-5146: Same origin policy bypass with malformed URL. Credit to Erling A Ellingsen and Subodh Iyenger, both of Facebook.

- [$1000] [165864] High CVE-2012-5147: Use-after-free in DOM handling. Credit to José A. Vázquez.

- [167122] Medium CVE-2012-5148: Missing filename sanitization in hyphenation support. Credit to Google Chrome Security Team (Justin Schuh).

- [166795] High CVE-2012-5149: Integer overflow in audio IPC handling. Credit to Google Chrome Security Team (Chris Evans).

- [165601] High CVE-2012-5150: Use-after-free when seeking video. Credit to Google Chrome Security Team (Inferno).

- [165538] High CVE-2012-5151: Integer overflow in PDF JavaScript. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.

- [165430] Medium CVE-2012-5152: Out-of-bounds read when seeking video. Credit to Google Chrome Security Team (Inferno).

- [164565] High CVE-2012-5153: Out-of-bounds stack access in v8. Credit to Andreas Rossberg of the Chromium development community.

- [Windows only] [164490] Low CVE-2012-5154: Integer overflow in shared memory allocation. Credit to Google Chrome Security Team (Chris Evans).

- [Mac only] [163208] Medium CVE-2012-5155: Missing Mac sandbox for worker processes. Credit to Google Chrome Security Team (Julien Tinnes).

- [162778] High CVE-2012-5156: Use-after-free in PDF fields. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.

- [162776] [162156] Medium CVE-2012-5157: Out-of-bounds reads in PDF image handling. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.

- [162153] High CVE-2013-0828: Bad cast in PDF root handling. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.

- [162114] High CVE-2013-0829: Corruption of database metadata leading to incorrect file access. Credit to Google Chrome Security Team (Jüri Aedla).

- [Windows only] [162066] Low CVE-2013-0830: Missing NUL termination in IPC. Credit to Google Chrome Security Team (Justin Schuh).

- [161836] Low CVE-2013-0831: Possible path traversal from extension process. Credit to Google Chrome Security Team (Tom Sepez).

- [160380] Medium CVE-2013-0832: Use-after-free with printing. Credit to Google Chrome Security Team (Cris Neckar).

- [154485] Medium CVE-2013-0833: Out-of-bounds read with printing. Credit to Google Chrome Security Team (Cris Neckar).

- [154283] Medium CVE-2013-0834: Out-of-bounds read with glyph handling. Credit to Google Chrome Security Team (Cris Neckar).

- [152921] Low CVE-2013-0835: Browser crash with geolocation. Credit to Arthur Gerkis.

- [150545] High CVE-2013-0836: Crash in v8 garbage collection. Credit to Google Chrome Security Team (Cris Neckar).

- [145363] Medium CVE-2013-0837: Crash in extension tab handling. Credit to Tom Nielsen.

- [Linux only] [143859] Low CVE-2013-0838: Tighten permissions on shared memory segments. Credit to Google Chrome Security Team (Chris Palmer).

Google Chrome 24.0.1312.52 requires an Intel-based Mac with Mac OS X 10.6 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Adobe releases Flash Player 11.5.502.146 update

Date: Thursday, January 10th, 2013, 08:00
Category: News, Software

On Wednesday, Adobe released Flash Player 11.5.502.146 for Mac OS X, a 16.9 megabyte download via MacUpdate as a pre-release beta. The new version adds the following fixes and changes:

- Contains fixes for critical vulnerabilities identified in Security Bulletin APSB13-01.

Adobe Flash Player 11.5.502.146 requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new Flash Player and have any feedback to offer, please let us know in the comments.

Adobe Reader, Adobe Acrobat Pro updated to 11.0.01

Date: Wednesday, January 9th, 2013, 07:23
Category: News, Software

On Monday, Adobe released version 11.0.01 of its Adobe Reader and Adobe Acrobat Pro applications. The updates, which can also be snagged through the Adobe Update Utility, add the following fixes and changes:

- Latest release. This is a regular quarterly update that provides security mitigations, feature enhancements, and bug fixes.

Acrobat Reader 11.0.01 and Acrobat Pro 11.0.01 require an Intel-based processor and Mac OS X 10.6.4 or later to install and run.

If you’ve tried the new versions and noticed any differences, please let us know what you think.

Adobe releases Flash Player 11.6.602.137 beta

Date: Wednesday, January 9th, 2013, 07:45
Category: News, Software

On Tuesday, Adobe released Flash Player 11.6.602.137 for Mac OS X, a 16.9 megabyte download via MacUpdate as a pre-release beta. The new version adds the following fixes and changes:

- This pre-release includes new features as well as enhancements and bug fixes related to security, stability, performance, and device compatibility for Flash Player 11.6 and AIR 3.6.

Adobe Flash Player 11.6.602.137 requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new Flash Player and have any feedback to offer, please let us know in the comments.

Hacker cites iOS 6 code as becoming more secure, offering “tougher protections”

Date: Wednesday, December 26th, 2012, 07:18
Category: iOS, News, security, Software

Hacking an iOS device may be getting tougher to do.

Per iPodNN, in a recent tweet, hacker i0n1c has revealed that the forthcoming iOS 6.1 update adds “again tougher protections” to the codebase even compared to iOS 6, suggesting that security has been dramatically improved.

While many users have perfectly legitimate reasons (beyond just wanting to) for jailbreaking their iOS devices, the technique relies on finding an exploitable “hole” in the OS code that could also be used for malicious purposes. Apple is therefore naturally eager to close off avenues by which unofficial or dangerous code could be injected into the device, even though many “unofficial” apps are simply ones that were rejected by Apple for App Store guideline violations, mostly for altering core OS elements.

Closing down jailbreaking loopholes will also close off one of the principal sources of pirated apps, giving Apple considerable additional incentive to cut off the practice. Holes in Android code are frequently used to install scamware, malware, privacy-compromising and even virus-ridden apps, a growing problem for Google, though the ability to heavily customize and “root” Android devices is a major selling point to the most technically proficient of Android’s audience.

The hacker community believes that iOS 6 will eventually get an “untethered” (meaning “persistent through restarts”) jailbreak, but that iOS 6.1 may represent the end of the free jailbreaking road. The security may simply have reached a point where only those likely to sell any remaining exploit secrets are likely to be able to come up with any.

Apple has made security a top priority on iOS, which remains the only platform where malware is all but completely unknown. Many of the security improvements made in iOS have also been carried over to the Mac where applicable, including complete sandboxing of applications and developer “signatures” on apps.

In his tweet, i0n1c refers to a “changing of the guard” that has brought much-improved security to iOS. It’s unknown if this refers to Craig Federighi’s recent promotion to handle both iOS and OS X, or if this is a reference to Kristin Paget, a top white-hat hacker herself who is now listed on LinkedIn as a “Core OS Security Researcher” at Apple.

Stay tuned for additional details as they become available.

iOS 6 security bug in wild, re-enables JavaScript under Safari without input from user

Date: Monday, December 24th, 2012, 08:57
Category: News, security, Software

This is the reason bug fixes were invented.

Per AppleInsider, the Safari web browser in Apple’s iOS 6 platform has a potentially serious JavaScript bug that could have major security and privacy implications.

The new “Smart App Banner” feature in iOS 6 is designed to let developers promote App Store software within Safari. The Smart App Banner detects whether a user has a specific application installed, and invites them to view the software on the App Store or open it on their iOS device.

But for users who choose to turn off JavaScript in the Safari Web browser, the appearance of a Smart App Banner on a website will automatically and permanently turn JavaScript back on without notifying the user.

iOS device owners can test this issue by opening the Settings application and choosing Safari, then turning off JavaScript. Then simply launch the Safari browser and visit a website with a Smart App Banner.

Users can then go back into the Settings application to verify that the JavaScript setting switch has been flipped back to the “on” position without warning. Accordingly, JavaScript features on websites will begin working again.

The issue has reportedly existed since the release of iOS 6, months ago, though it has not been widely reported. In addition, people familiar with the latest beta of iOS 6.1 said the problem also remains in Apple’s pre-release test software on the iPhone.

Peter Eckersley, technology products director with digital rights advocacy group the Electronic Frontier Foundation, said he would characterize such an issue as a “serious privacy and security vulnerability.”

Neither Eckersley nor the EFF had heard of the bug in iOS 6, nor had they independently tested to confirm that they were able to replicate the issue. But Eckersley said that if the problem is in fact real, it’s something that Apple should work to address as quickly as possible.

“It is a security issue, it is a privacy issue, and it is a trust issue,” Eckersley said. “Can you trust the UI to do what you told it to do? It’s certainly a bug that needs to be fixed urgently.”

But Lysa Myers, a virus hunter at security firm Intego, said she doesn’t see the bug as a major concern for the vast majority of iOS device owners.

“While this issue is certainly not an ideal situation, by itself it actually isn’t that large a problem,” said Myers. “At the moment it doesn’t pose a threat, but we’ll continue to monitor it to make sure it doesn’t become more exploitable. There’s also the fact that few people actually disable JavaScript completely as it can partially, or totally, disable the majority of websites.”

Stay tuned for additional details as they become available.

Apple releases iOS 6.0.2 update, includes Wi-Fi and security fixes for iPhone 5, iPad mini

Date: Wednesday, December 19th, 2012, 08:57
Category: iOS, iPad, iPhone, iPod Touch, iTunes, News, Software

Hey, an update’s an update.

Late Monday, Apple released iOS 6.0.2, the latest version of its iOS operating system for the iPhone 5 and iPad mini devices.

The update, a 626 megabyte download, offers the following fixes and changes:

- Fixes a bug that could impact Wi-Fi.

- Assorted security fixes detailed here.

The iOS 6.0.2 update supports the following devices:

- iPhone 3GS / 4 / 4S / 5

- iPad 2 and new iPad

- iPod Touch 4th Gen

- iPad Mini

As always, the update can be acquired via iTunes or the Over The Air software update feature built into iOS 5 or later.

If you’ve tried the update and have any feedback to offer, please let us know in the comments.