
Posts tagged with "security"

Apple Promises Software Update To Fix iOS PDF Vulnerability

Following the release of @comex’s latest jailbreak tool yesterday, JailbreakMe 3.0, many wondered how long it would take Apple to patch the security hole that lets a specially crafted PDF document, opened through Mobile Safari, run the code hidden inside it with full system privileges. The method, discovered and developed by comex, lets JailbreakMe install Cydia on devices running iOS 4.3 and later with a single tap, making it the easiest jailbreak yet developed for a range of devices, including the iPad 2. The exploit works on several iOS versions from 4.3 onward, but the iPad 2 is only targeted on iOS 4.3.3. Because a preliminary version of the exploit leaked online before the official jailbreak was released, comex had already warned users that Apple would soon issue a software update to patch the vulnerability.

The Associated Press reports [via The Next Web] that Apple Inc. spokeswoman Bethan Lloyd has confirmed the company is aware of the issue and is developing a fix that will be delivered via Software Update. A group of German researchers examined comex’s exploit yesterday and warned Apple that any maliciously crafted PDF could use the same Safari hole to install code on a device without the user’s consent.

Apple Inc. spokeswoman Bethan Lloyd said Thursday the company is “aware of this reported issue and developing a fix that will be available to customers in an upcoming software update.”

She declined to specify when the update would be available.

In the past, Apple closed the PDF vulnerability that JailbreakMe 2.0 used to install Cydia in roughly a week. Whilst Cydia developers are relying on an exploit that malware authors could use just as well, they are also taking steps to make sure the hole can’t be used again once the jailbreak is done and Cydia is installed: they have released a “PDF Patcher” tool that, once installed from Cydia, renders the exploit unusable on that device. Apple will soon issue a software update that officially closes the hole, but it’s very likely that many users who don’t want to lose their jailbreak, yet want to stay secure, will install the unofficial patcher from Cydia instead.


Firefox 4 Will Not Receive Any Security Updates, Firefox 5 Is The Only Supported Version

In line with its more rapid release schedule, Mozilla released Firefox 5 just three months after Firefox 4, which arrived earlier this year. According to Mozilla security lead Daniel Veditz, this also means Firefox 4 will not receive any further updates, including fixes for security issues.

Several people have repeatedly said in public places (newsgroups, planning meeting, Monday meeting; could not find a blog or wiki page) that Firefox 5 will be the security update to Firefox 4, and that there will be no 4.0.2

Effectively this means that if you use Firefox, you are expected to run the latest major version; otherwise you face the security risk of using a browser that no longer receives patches. With this strategy, Mozilla has taken more than the rapid release schedule from Google Chrome; it is also following the Chrome model of supporting only the latest release.

In some ways it makes sense: both Firefox 6 and Firefox 7 are expected to arrive this year, and supporting older versions would become very difficult whilst consuming resources that could go into developing new features.

[Via Digitizor]


Common Lockscreen PINs to Avoid on your iPhone

If you worry about losing your phone and having your information exposed to criminal eyes, you probably lock your iPhone with a four-digit PIN. While even I could tell you that ‘1234’ isn’t the finest choice in password security, Daniel Amitay took a moment to see what users of his free app, Big Brother Camera Security for the iPhone, were locking their phones with. The passcodes were recorded anonymously, and Daniel looks at everything from the most common passcodes to likely birth years in his results. Heck, the guy even built “heat maps” of the most pressed digits.

Naturally, 1234 is the most common passcode, mimicking the most common internet passwords. To put this into perspective, these 10 codes represent 15% of all passcodes in use. Most of the top passcodes follow typical formulas, such as four identical digits, moving in a line up/down the pad, or repetition. 5683 is the passcode with the least obvious pattern, but it turns out that it is the number representation of LOVE (5683), once again mimicking a very common internet password: “iloveyou.”

With 15% of all passcodes accounted for by just 10 common codes (out of a possible 10,000), Daniel concludes that roughly 1 in 7 iPhones can be unlocked if a thief simply works through that list; note that iOS can be set to erase the device after 10 failed attempts, which makes exactly such a list the attacker’s whole budget. Dear commenters, I now ask you: do you use one of these common passcodes? The results are fascinating, and I encourage anyone interested in keeping their iPhone secure to hit the source link for lots of juicy details.

[Daniel Amitay via Lifehacker]
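The weak patterns the post describes are easy to check for mechanically. The script below is an added example, not code from Daniel Amitay’s post or app: it classifies a four-digit passcode by pattern (identical digits, sequential digits, a repeated pair, a straight line on the iPhone keypad, a plausible birth year, or a known common code) and measures how much of a sample a fixed guess list would unlock. The top-ten list is assumed to be the post’s, the birth-year bounds and keypad layout are assumptions, and the 200-passcode sample is constructed for the example rather than taken from the post’s data.

```python
from collections import Counter
from typing import List, Optional

# iPhone keypad layout (rows 123 / 456 / 789 / 0) is assumed; 2580 and its
# reverse are the only four-key straight lines on it.
KEYPAD_LINES = {"2580", "0852"}
# A code that is common without an obvious pattern: 5683 spells LOVE.
KNOWN_COMMON = {"5683"}
# Plausible birth years; the post only says "suspect birth years", so the
# bounds are an assumption.
YEAR_RANGE = range(1900, 2012)

# Assumed to be the post's top ten, most common first.
TOP_TEN = ["1234", "0000", "2580", "1111", "5555",
           "5683", "0852", "2222", "1212", "1998"]


def weak_pattern(pin: str) -> Optional[str]:
    """Name the weak pattern a four-digit PIN matches, or None if it matches none."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        return "four identical digits"
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return "sequential digits"
    if pin[:2] == pin[2:]:
        return "repeated pair"
    if pin in KEYPAD_LINES:
        return "keypad line"
    if int(pin) in YEAR_RANGE:
        return "birth year"
    if pin in KNOWN_COMMON:
        return "known common code"
    return None


def coverage(sample: Counter, guesses: List[str]) -> float:
    """Fraction of the sampled devices a thief unlocks by trying `guesses` in order."""
    total = sum(sample.values())
    return sum(sample[g] for g in guesses) / total


def build_sample() -> Counter:
    """Constructed sample of 200 passcodes (not Amitay's data): the top ten
    account for 30 of them, the remaining 170 are distinct codes seen once each."""
    sample = Counter(dict(zip(TOP_TEN, [8, 5, 4, 3, 2, 2, 2, 2, 1, 1])))
    sample.update(f"{n:04d}" for n in range(3000, 3170))
    return sample


if __name__ == "__main__":
    sample = build_sample()
    print(f"top ten cover {coverage(sample, TOP_TEN):.0%} of the sample")
    for pin in TOP_TEN + ["7391"]:
        print(pin, weak_pattern(pin))
```

With the constructed sample the top ten cover exactly 15%, matching the post’s figure; the pattern checker is the kind of rule an app could apply at passcode-setting time to push users away from the list in the first place.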


New Mac Defender Variant Bypasses Apple’s Security Update

Last night we reported that Apple issued a Security Update for Snow Leopard users that updates the OS X malware definitions, enhances File Quarantine, and, more importantly, automatically finds and removes known variants of the Mac Defender malware that has been spreading among Mac users over the past month. By letting OS X update the definitions daily in the background with a new daemon, Apple is taking the necessary measures to make sure new versions of Mac Defender, and malware targeting Macs in the future, can be removed safely and quickly within hours or days of being discovered. As Ed Bott reports at ZDNet, a new variant of Mac Defender with a new installer package has already been released; it circumvents Apple’s new security update and works exactly as Mac Defender and Mac Guard did until yesterday.

The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple’s malware-blocking code.

The file has a date and time stamp from last night at 9:24PM Pacific time. That’s less than 8 hours after Apple’s security update was released. On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.

Bott suggests this “cat and mouse” game is just the beginning, and that Apple will have to address new variants as they are discovered, potentially every day. The definition-update system Apple has put in place can only block packages it already has definitions for, so every new variant gets a window, in this case under eight hours from Apple’s update to the bypass, before the next set of definitions lands on users’ machines. [via MacRumors]
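Why a simple repackaging is enough to slip past a fresh definition depends on what the definition actually matches. The script below is an added example, not Apple’s XProtect code or its schema: it models two kinds of definition entry, an “identity” entry that matches the hash of the whole file and a “pattern” entry that matches a byte sequence anywhere inside it, and runs both against a constructed stand-in for the original installer and for a renamed, repackaged variant that carries the same payload. The field names, the payload bytes and both packages are constructed for the example and contain no real malware.

```python
import hashlib
from typing import Dict, List

# Constructed stand-ins for the two installers: the same scareware payload
# wrapped first as MacDefender.app, then repackaged as Mdinstall.pkg with a
# different wrapper and some padding. Neither blob is real malware.
PAYLOAD = b"Mac Defender found 12 threats. Enter your credit card to remove them."
OLD_PACKAGE = {"name": "MacDefender.app", "data": b"PKG1\x00" + PAYLOAD}
NEW_PACKAGE = {"name": "Mdinstall.pkg", "data": b"PKG2\x00\x00" + PAYLOAD + b"\x00" * 16}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Two definition lists. Field names are assumptions, not Apple's schema:
# "identity" matches a whole-file hash, "pattern" matches a byte sequence
# that appears anywhere in the file.
IDENTITY_ONLY: List[Dict] = [
    {"description": "OSX.MacDefender.A", "match": "identity",
     "value": sha1_hex(OLD_PACKAGE["data"])},
]
WITH_PATTERN: List[Dict] = IDENTITY_ONLY + [
    {"description": "OSX.MacDefender.B", "match": "pattern",
     "value": b"Enter your credit card"},
]


def matches(definition: Dict, package: Dict) -> bool:
    if definition["match"] == "identity":
        return sha1_hex(package["data"]) == definition["value"]
    if definition["match"] == "pattern":
        return definition["value"] in package["data"]
    raise ValueError(f"unknown match type {definition['match']!r}")


def detect(package: Dict, definitions: List[Dict]) -> List[str]:
    """Names of every definition the package triggers; an empty list means it is let through."""
    return [d["description"] for d in definitions if matches(d, package)]


if __name__ == "__main__":
    for pkg in (OLD_PACKAGE, NEW_PACKAGE):
        print(pkg["name"],
              "identity-only:", detect(pkg, IDENTITY_ONLY),
              "with pattern:", detect(pkg, WITH_PATTERN))
```

The hash entry catches the original package and nothing else: changing a single wrapper byte produces a new hash, which is exactly the eight-hour bypass Bott describes. A pattern over the shared payload catches the repackaged variant too, but only until the authors rewrite or encode that payload, which is why the game does not end with better definitions alone.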


Behind The Scenes of Verizon iPhone: Special PIN Security Protocol, “ACME” Code Name

In a lengthy report published earlier today, TechnoBuffalo shares some interesting details behind the launch of the Verizon iPhone 4, which went on sale in the United States in February. In the months leading up to the launch of the CDMA device, speculation ran wild on the Internet as to whether Apple was really ending AT&T exclusivity to release an updated iPhone supporting Verizon Wireless’ CDMA network. Citing a source “close to the action”, TechnoBuffalo says only top executives at Verizon knew about the device, which was referred to internally as the “ACME device” so that other employees wouldn’t hear the name “iPhone” and leak information outside the company. Testing of the CDMA iPhone 4 began at Apple Stores (and, obviously, on Apple’s own campus, where Steve Jobs said Verizon and AT&T towers had been installed) six months ahead of the official launch, that is in summer 2010, shortly after the release of the AT&T iPhone 4.

Though key employees and executives were in the loop, everyone else at the carrier knew little more than the rest of the public. And it would seem the higher ups wanted to keep it that way. No one talked about the Apple smartphone externally, and even internally, it was still a hush-hush operation. In fact, says the source, the word “iPhone” was never uttered; only its codename was referenced: It was called the “ACME” device.

Between NDAs to sign, corporate secrets, and internal discussions about field testing and cooperation with Apple, the most interesting tidbit is how, rather than installing location-tracking software (like Find My iPhone) on the prototypes to make sure they wouldn’t end up in the wrong hands (as the AT&T iPhone 4 did), Verizon required testers to text a PIN code every 12 hours as confirmation that the device was still being used internally for testing purposes only.

Our source describes a unique protocol requiring staffers to text a secret PIN code to a dedicated phone number every 12 hours. This served as ongoing confirmation that the handset was still in the proper hands. So no PIN code, no functionality.

Unlike with the original iPhone 4, Apple managed to keep the Verizon iPhone closely under wraps until the official announcement, not even allowing Verizon to tease it at CES 2011 in Las Vegas a few weeks earlier. The measures taken to ensure devices were only used internally are particularly interesting, and a sign that Apple must have reconsidered its testing process after the AT&T iPhone 4 prototype was leaked to Gizmodo.com in spring 2010, months before the WWDC announcement.
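The check-in scheme TechnoBuffalo describes is a time-limited lease: the device keeps working only while a valid PIN has been presented within the last 12 hours. The script below is an added example, not Verizon’s or Apple’s system, of what the device-side half of such a lease looks like. It stores only a salted PBKDF2 digest of the PIN (an assumption of this example, so a seized prototype does not reveal the PIN), compares check-ins in constant time, and refuses service once the window lapses; the PIN, salt and timeline are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import List, Optional

LEASE = timedelta(hours=12)  # check-in interval from the TechnoBuffalo report


class CheckInLease:
    """Device-side state: functional only while a valid check-in is less than LEASE old."""

    def __init__(self, pin: str, issued_at: datetime, salt: Optional[bytes] = None):
        # Only a salted digest of the PIN is kept on the device (assumption of
        # this example), so the PIN cannot be read off a seized prototype.
        self._salt = salt or os.urandom(16)
        self._digest = self._derive(pin)
        self._last_ok = issued_at

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def check_in(self, pin: str, now: datetime) -> bool:
        """Accept a check-in only for the right PIN; compare digests in constant time."""
        if hmac.compare_digest(self._derive(pin), self._digest):
            self._last_ok = now
            return True
        return False

    def functional(self, now: datetime) -> bool:
        """'No PIN code, no functionality': refuse service once the lease has lapsed."""
        return now - self._last_ok <= LEASE


def demo() -> List[bool]:
    t0 = datetime(2010, 8, 1, 9, 0, tzinfo=timezone.utc)  # constructed timeline
    device = CheckInLease("4471", issued_at=t0)            # constructed PIN
    return [
        device.functional(t0 + timedelta(hours=11)),        # inside the window
        device.functional(t0 + timedelta(hours=13)),        # lease lapsed
        device.check_in("0000", t0 + timedelta(hours=13)),  # wrong PIN is rejected
        device.functional(t0 + timedelta(hours=13)),        # still locked
        device.check_in("4471", t0 + timedelta(hours=13)),  # correct PIN renews the lease
        device.functional(t0 + timedelta(hours=24)),        # good for another 12 hours
    ]


if __name__ == "__main__":
    print(demo())
```

One caveat the example makes visible: a purely device-side lease trusts the device clock, so an insider could keep a prototype alive by winding the clock back. Texting the PIN to a dedicated number, as the report describes, puts the record of each check-in on the carrier’s side, where the tester cannot tamper with it.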


Backblaze Launches Location Service to Find Stolen Computers

Backblaze is the backup service well known for its series of custom red storage pods that hold all of your backed-up data, and today it is launching a new location service designed to help you recover a lost or stolen computer. Locate My Computer aids recovery by reporting the IP address the computer last connected from, the ISP it was on, the time it was last online, and by showing the computer’s approximate location on a map. Map updates may take a while (after I enabled Locate My Computer for the first time I received a notice that it may take up to four hours), but the time and IP address information is updated frequently. Backblaze also provides links to various IP lookup services to help narrow down the location (possibly even the street address) of the stolen machine.

Locate My Computer is available immediately and is free to all Backblaze customers. Mapping is enabled for new users; users with existing accounts can “Turn On” mapping. To turn mapping on or off, sign-in and visit the Locate My Computer page. (Please click “Check for Updates” from your menu icon to ensure you are using the latest version.)

The update is free to all Backblaze customers. To enable the new feature, install the latest Backblaze client over your previous installation before turning the service on.

[via Backblaze]


Ars Investigates Recent Mac Malware


“MAC Defender has changed everything,” one Apple Store Genius, who requested to remain anonymous (we’ll call him Lenny), told Ars. “We probably get 3 or 4 people with this per day. Most of them only got as far as installing the program and haven’t entered their credit card details.”

Lenny went on. “This always sparks a debate at the bar on whether antivirus software is necessary on the Mac. This is difficult, as the store sells several antivirus products, implying that Apple supports the idea, but as many customers point out, the sales guys aren’t shy in making the claims for Mac OS X’s security. Internally, Apple’s [IT] department mandates the use of Norton Antivirus on company machines.”

Following the controversy sparked by the wide spread of MAC Defender (covered here), which raised (again) the inevitable question of whether being scared of malware on a Mac is nothing but crying wolf, Ars Technica takes a step back and tries to analyze the situation by interviewing Apple employees, Geniuses, and representatives of various antivirus and security companies. Whilst it’s fairly obvious that antivirus makers will always recommend their products, the takeaway from support specialists is interesting: there’s no need to panic, but people are undoubtedly coming in asking for help with this recent malware.

Of course, the peculiar nature of Mac Defender (it’s fake “scanning software” that asks for your credit card details, and it’s delivered through a malicious script on certain websites and via Google Image Search results) raises another issue: users are installing the software by manually clicking through an installer and giving it their password, which shouldn’t happen. Anyone with a little computing experience should know that something you didn’t ask to download shouldn’t be granted permission to run in the first place, and MAC Defender arrives as a complete installer. On the other hand, I don’t think it’s really about crying wolf (though some people like to run overly sensationalistic headlines) as much as it’s about the fact that this malware exists. Fact.

Ars has an interesting read, and our friends at TUAW have a handy guide detailing the removal of MAC Defender. The best tip, however, is still the same: don’t run programs or open documents you don’t recognize.


Skype Bug Leaves Mac Users Vulnerable to Exploit: Updated

Those running Skype on OS X are vulnerable to an exploit that allows attackers to gain root access to the target machine. Through an instant message, an attacker could deliver a malicious payload that gives them remote access via a shell. The Skype team has already acknowledged the severity of the issue, which should be fixed in a future update. In the meantime, a proof of concept shows that the recent OS X security warnings and concerns deserve to be taken seriously.



New “MacDefender” Malware Targets Mac Users

According to several discussion threads posted on Apple Support Communities, a new malware called MacDefender.app is quickly spreading among Mac users using the Safari browser to visit certain websites, especially Google Images. The application, disguised as a virus scanning tool and completely unrelated with the official MacDefender software, gets installed automatically without a user’s consent upon opening a webpage, although it’s not clear what kind of websites allow this kind of installation, and whether MacDefender “phones home” once running on a Mac to download additional pieces of code (like most malwares on Windows do). Some users are reporting they found the app installed on their Macs after visiting webpages linked on Google Images, some say it’s only happening with the Safari desktop browser, others claim the app can’t be removed with a simple drag & drop to the system’s Trash as, once installed, the process will beging running automatically on OS X. Again, it’s not clear what kind of malware MacDefender.app is and the proportion of this “spreading” across Mac OS X machines, but the number of threads on Apple Support Communities seems to suggest at least hundreds of people have experienced the issue in these past few days. Read more