Posts tagged with "security"
iPhone Security Hole Lets You Make Calls When The Phone Is Locked
It seems like there’s a huge bug in iOS 4.1 for iPhone: with a combination of the sleep/power button and a fake emergency call, it is possible to access the iPhone’s contact list and phone keypad even if the device is locked. I personally tested the method and, indeed, it works: I was able to bypass iOS’ passcode lock check and make a phone call to a friend of mine.
Apple Releases Security Update 2010-006 for Snow Leopard
Time for another security update, folks. Apple has just released the Security Update 2010-006 for Snow Leopard (server and client versions) which is available here or, as usual, in Software Update.
The update addresses an issue where AFP shared folders could be accessed by a remote attacker using an invalid password. Go update. Or, check out the full update description below.
Apple Releases 2010-005 Security Update For Mac OS X 10.5 and 10.6
A few minutes ago Apple issued a new security update for Mac OS X 10.6 and 10.5, aimed at fixing PDF vulnerabilities (the same as iOS?), network interception issues and PHP vulnerabilities.
Check out the full changelog after the break. The security update is available now in Software Update.
European Union Commission Ousts BlackBerry in Favor of iPhone, HTC
Reuters reports that the European Union Commission has canned the idea of toting BlackBerries over security concerns that governments can’t monitor the traffic: RIM deploys its own servers, which handle the encrypted messages that keep communications secured. The strongest selling point of the BlackBerry is starting to become a major problem.
British bank Standard Chartered said earlier this year it was giving its staff the option to replace the BlackBerry with the iPhone, a move that could eventually result in thousands of bankers switching.
And many top French government ministers have been issued specially encrypted smartphones after a French security agency recommended that cabinet ministers and President Nicolas Sarkozy stop using BlackBerries due to security concerns.
RIM’s Chief Technology Officer David Yach retorted that the BlackBerry’s importance to state officials would keep the phone in the hands of governments, though I imagine RIM is particularly beside themselves as corporations begin adopting and deploying other devices such as the iPhone.
[via Reuters]
How To Prevent iOS From Automatically Loading PDFs [Vulnerability]
Last night JailbreakMe was released in the wild. As we reported, it’s one of the simplest jailbreak tools ever made, as it requires only one slide in Mobile Safari to install Cydia on your device. You visit a link, slide, and wait. As we also reported, though, the exploit seems to be based on a PDF vulnerability in iOS: the iPhone automatically downloads PDF files, and Comex injected the jailbreak code into a PDF file.
Safari 5.0.1 Addresses AutoFill Security Vulnerability
If you haven’t updated to Safari 5.0.1 yet for Safari Extensions, maybe you should, to address a recent security vulnerability. MacRumors reports that the latest update addresses a critical flaw that could allow malicious sites to gather Address Book information. According to Apple,
Safari’s AutoFill feature can automatically fill out web forms using designated information in your Mac OS X Address Book, Outlook, or Windows Address Book. By design, user action is required for AutoFill to operate within a web form. An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction.
For more information regarding the security content of Safari, be sure to check out Apple’s official document here: http://support.apple.com/kb/HT4276
[via MacRumors]
Why You Should Disable your Browser Autofill
Geeking out on all things security, Jeremiah Grossman details an interesting attack that could steal information stored in a web browser for use in autofill.
These fields are AutoFill’ed using data from the user’s personal record in the local operating system address book. Again, it is important to emphasize that this feature works even though a user never entered this data on any website. Also, this behavior should not be confused with the normal auto-complete data a Web browser may remember after it’s typed into a form.
All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is, AutoFill’ed, it can be accessed and sent to the attacker.
Apple New World Leader in Software Insecurity?
We’ve read about various vulnerabilities and security issues related to Apple and the software they push out before, and yesterday Ars Technica reported that Apple has become the new world leader in software insecurity. While it’s mentioned that OS X itself isn’t the most insecure in practice, the various pieces of software you use like iTunes, Quicktime, and Safari, all display gaping security flaws that aren’t being addressed.
To illustrate this point, the report includes cumulative figures for the number of vulnerabilities found on a Windows PC with the 50 most widely-used programs. Five years ago, there were more first-party flaws (in Windows and Microsoft’s other software) than third-party. Since about 2007, the balance shifted towards third-party programs. This year, third-party flaws are predicted to outnumber first-party flaws by two-to-one.
There is a valid point to be made: yes, third-party software can introduce vulnerabilities to the OS. But two things bother me about the article. The first is that while Apple is known to have plentiful vulnerabilities in their software that should be fixed (QuickTime vulnerabilities have been complained about for years now), it’s never addressed how these vulnerabilities affect OS X – Windows is mentioned as the only OS affected by Apple’s software. The second issue I have: it’s not mentioned specifically which vulnerabilities are being exposed and what ill effects the user suffers. It seems unlike Ars Technica to throw out an article like this without further explaining the potential risks for users. Instead, it’s mentioned that third-party software is harder to update and Microsoft does a better job of applying patches.
[via Ars Technica]
McAfee Internet Security for Mac Doesn’t Support Safari
You’d think if you were going to make the attempt to sell Mac users a security product they didn’t want in the first place, you’d at least support their web browser of choice. Seriously McAfee? I might be a little rash, but I’m not wasting a gig of memory and 150 MB of hard drive space for this, especially after seeing how they treat Windows computers.
[via Macworld]