Last night JailbreakMe was released in the wild. As we reported, it’s one of the simplest jailbreak tools ever made, as it requires only one slide in Mobile Safari to install Cydia on your device. You visit a link, slide, and wait. As we also reported, though, the exploit seems to based on a PDF vulnerability in iOS: the iPhone automatically downloads PDF files, and Comex injected the jailbreak code in a PDF file.
Posts tagged with "security"
How To Prevent iOS From Automatically Loading PDFs [Vulnerability]
Safari 5.0.1 Addresses AutoFill Security Vulnerability
If you haven’t updated to Safari 5.0.1 yet for Safari Extensions, maybe you should to address a recent security vulnerability? MacRumors reports that the latest update addresses a critical flaw that could allow malicious sites to gather Address Book information. According to Apple,
Safari’s AutoFill feature can automatically fill out web forms using designated information in your Mac OS X Address Book, Outlook, or Windows Address Book. By design, user action is required for AutoFill to operate within a web form. An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction.
For more information regarding the security content of Safari, be sure to check out Apple’s official document here: http://support.apple.com/kb/HT4276
[via MacRumors]
Why You Should Disable your Browser Autofill
Geeking out on all things security, Jeremiah Grossman details an interesting attack that could steal information stored in a web browser for use in autofill.
These fields are AutoFill’ed using data from the users personal record in the local operating system address book. Again it is important to emphasize this feature works even though a user never entered this data on any website. Also this behavior should not be confused with normal auto-complete data a Web browser may remember after its typed into a form.
All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.
Apple New World Leader in Software Insecurity?
We’ve read about various vulnerabilities and security issues related to Apple and the software they push out before, and yesterday Ars Technica reported that Apple has become the new world leader in software insecurity. While it’s mentioned that OS X itself isn’t the most insecure in practice, the various pieces of software you use like iTunes, Quicktime, and Safari, all display gaping security flaws that aren’t being addressed.
To illustrate this point, the report includes cumulative figures for the number of vulnerabilities found on a Windows PC with the 50 most widely-used programs. Five years ago, there were more first-party flaws (in Windows and Microsoft’s other software) than third-party. Since about 2007, the balance shifted towards third-party programs. This year, third-party flaws are predicted to outnumber first-party flaws by two-to-one.
There is a valid point to be made: yes, third party software can introduce vulnerabilities to the OS. But what bothers me about the article is two things. The first is that while Apple is known to have plentiful vulnerabilities in their software that should be fixed (quicktime vulnerabilities have been complained about for years now), it’s never addressed how these vulnerabilities affect OS X – Windows is mentioned as the only OS affected by Apple’s software. The second issue I have: it’s not mentioned specifically what vulnerabilities are being exposed and what ill-effects are had on the user. It seems unlike Ars Technica to throw out an article like this without further explaining potential risks for users. Instead, it’s mentioned that third party software is harder to update and Microsoft does a better job of applying patches.
[via Ars Technica]
McAfee Internet Security for Mac Doesn’t Support Safari
You’d think if you were going to make the attempt to sell Mac users a security product they didn’t want in the first place, you’d at least support their web browser of choice. Seriously McAfee? I might be a little rash, but I’m not wasting a gig of memory and 150 MB of hard drive space for this, especially after seeing how they treat Windows computers.
[via Macworld]
Apple’s Response to Vietnamese iTunes Fraud
Two days ago some iTunes accounts were apparently hacked by a Vietnamese developer who used these confidential data to buy his own applications, thus making money and rising the App Store charts.
Engadget is now reporting Apple’s official response to the fraud, check it out after the break.
iOS 4 Fixes Over 60 Security Issues
Apple has posted a new support document online, describing all the security vulnerabilities they have addressed with the release of iOS 4.
New “Highly Critical” Vulnerability Discovered in Safari
Secunia has discovered a new vulnerability in Apple’s Safari browser, which can be used to compromise a user’s system. The security hole is confirmed in Safari 4.0.5 for Windows and “other versions may also be affected”.
“The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted web page and closes opened pop-up windows.”
Security update coming for Safari, perhaps for a 4.1 version? And could this 4.1 version the one with “full HTML5 support”? We’ll keep you posted.
How To Turn Your iSight into a Security Camera with Automator
If you stay a lot of time away from your Macbook but you’ve always wanted to control what’s happening to your Mac while you’re not there, this tutorial is aimed at you.
Today I’ll teach you how you can easily turn your iSight into a security camera system, with automatic refresh time and FTP upload.
Enjoy!