Category: Applications


Apple has shipped a high-priority iOS update to fix multiple security holes affecting the browser used on iPhones, iPads and iPod Touch devices.

The iOS 5.1.1 update fixes four separate vulnerabilities, including one that could be used to take complete control of an affected device.

Here’s the skinny of this batch of updates:

  • A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems.
  • Multiple security holes in the open-source WebKit rendering engine. These could lead to cross-site scripting attacks from maliciously crafted web sites. These vulnerabilities were used during Google’s Pwnium contest at this year’s CanSecWest conference.
  • A memory corruption issue in WebKit. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue was discovered and reported by Google’s security team.

This patch is only available via iTunes. To check that the iPhone, iPod touch, or iPad has been updated:

  1. Navigate to Settings
  2. Select General
  3. Select About. The version after applying this update will be “5.1.1″.

Ryan says: As always, do not update to 5.1.1 if your iPhone is unlocked or jailbroken already or if you plan doing this in the future.

Sexting, or the act of sending sexually explicit messages or photographs between mobile phones, continues to grow increasingly popular. Mobile users often have private photos posted to the Internet without their permission, and politicians and celebrities alike have taken explicit photos that using mobile devices that were eventually leaked. Unfortunately for Anthony Weiner, the congressman wasn’t aware of an iPhone app by the name of Snapchat. The program is available for free in Apple’s App Store and allows users to send photos that self-destruct within 1-10 seconds. Images cannot be saved in the app, and Snapchat will even notify users if the recipient takes a screenshot — though there is no way to prevent screenshots from being taken, of course. It should also be noted that images are stored on the developer’s servers, and while the company “attempt(s) to delete image data as soon as possible after the message is transmitted,” it cannot guarantee messages will always be deleted. “Messages, therefore, are sent at the risk of the user,” the company’s privacy policy warns.

Source: Forbes / BGR

Location services company Navizon has a new system, called Navizon I.T.S., that could allow tracking of visitors in malls, museums, offices, factories, secured areas and just about any other indoor space. It could be used to examine patterns of foot traffic in retail spaces, assure that a museum is empty of visitors at closing time, or even to pinpoint the location of any individual registered with the system. But let’s set all that aside for a minute while we freak out about the privacy implications.

Most of us leave Wi-Fi on by default, in part because our phones chastise us when we don’t. (Triangulation by Wi-Fi hotspots is important for making location services more accurate.) But you probably didn’t realize that, using proprietary new “nodes” from Navizon, any device with an active Wi-Fi radio can be seen by a system like Navizon’s.

Navizon’s technology is also reminiscent of the location data provided to retailers and marketers by Skyhook’s Spotrank system, which has a different set of pros and cons: That data is available for every point on the planet, but it only includes devices running Skyhook software.

The rollout of this technology means there are now at least three ways that users can track their locations indoors, where GPS is generally useless — bluetooth beacon, Spotrank (and proprietary vendor) databases of Wi-Fi hotspots, and Navizon’s I.T.S. nodes. It also marks the second way (that I know of) for you to be tracked via the location of your phone, whether you want to be or not. (The first requires access to your cell phone carrier, and is used for example to locate your position when you make a 911 call.)

It shouldn’t be surprising that carrying around a little RF transmitter in your pocket makes you visible to all sorts of tracking technology. Maybe it’s simply the (inevitable) commercialization of this fact that is somehow unnerving.

 

 

Source: Technology Review

More than half a million Apple computers have been infected with the Flashback Trojan, according to a Russian anti-virus firm.

Its report claims that about 600,000 Macs have installed the malware – potentially allowing them to be hijacked and used as a “botnet”.

The firm, Dr Web, says that more than half that number are based in the US.

Apple has released a security update, but users who have not installed the patch remain exposed.

Flashback was first detected last September when anti-virus researchers flagged up software masquerading itself as a Flash Player update. Once downloaded it deactivated some of the computer’s security software.

Later versions of the malware exploited weaknesses in the Java programming language to allow the code to be installed from bogus sites without the user’s permission.

Dr Web said that once the Trojan was installed it sent a message to the intruder’s control server with a unique ID to identify the infected machine.

“By introducing the code criminals are potentially able to control the machine,” the firm’s chief executive Boris Sharov told the BBC.

“We stress the word potential as we have never seen any malicious activity since we hijacked the botnet to take it out of criminals’ hands. However, we know people create viruses to get money.

“The largest amounts of bots – based on the IP addresses we identified – are in the US, Canada, UK and Australia, so it appears to have targeted English-speaking people.”

Dr Web also notes that 274 of the infected computers it detected appeared to be located in Cupertino, California – home to Apple’s headquarters.

Java’s developer, Oracle, issued a fix to the vulnerability on 14 February, but this did not work on Macintoshes as Apple manages Java updates to its computers.

Apple released its own “security update” on Wednesday – more than eight weeks later. It can be triggered by clicking on the software update icon in the computer’s system preferences panel.

The security firm F-Secure has also posted detailed instructions about how to confirm if a machine is infected and how to remove the Trojan.

Although Apple’s system software limits the actions its computers can take without requesting their users’ permission, some security analysts suggest this latest incident highlights the fact that the machines are not invulnerable.

“People used to say that Apple computers, unlike Windows PCs, can’t ever be infected – but it’s a myth,” said Timur Tsoriev, an analyst at Kaspersky Lab.

Apple could not provide a statement at this time.

Ryan: Download Apple’s security update for the Flashback Trojan here.

Source: BBC News

It’s never fun to have to issue a warning, but a new study by the LA Times indicates that the Factory Reset function on Android devices may not work as advertised. The site worked with a security expert to run a test on BlackBerry, Android, and iOS devices as well as PCs. It discovered that important, sensitive data could be retrieved on a large portion of Android devices even after the Factory Reset feature had been properly used.

Robert Siciliano, an identity theft expert from McAfee performed the experiment, where he purchased 30 used devices (mostly smartphones and laptops) from random users on Craigslist. His goal was to see how smart people were about removing their personal information from phones, but as it turns out, even though a majority of owners did correctly Factory Reset their Android devices, he was still able to retrieve vital data like “Social Security numbers, child support documents, credit card account log-ins, and a host of other personal data.” This finding is all the more disturbing since he could find no problems with the way iPhones, iPads, or BlackBerry devices delete their data. The only other weak link was Windows XP, which is so old it’s almost expected.

We’ve reached out to Google’s Android team to try and learn more about this potential vulnerability, but have not heard back as of publication. We’ll update this article if and when we get some answers.

Until we learn more, we don’t recommend that you don’t sell your used Android devices to anyone that you don’t know or trust. It’s quite possible that personal information could be leaked from it.

Ryan: I’ve owned a couple Android phones and I also have the Galaxy Tab.. I am back to BlackBerry and using the 9900, I find Android Phones to drop calls and bug out with force close errors more often like I like when using a phone.  And I can’t seem to drop this keyboard.. emails are much quicker on a BlackBerry than other devices. It would be interesting if RIM decided to let other companies use their keyboard design.

Source: DigitalTrends

Just moments after researchers from VUPEN used two zero-day vulnerabilities to hack into the Internet Explorer 9 browser, I caught up with Mike Reavey, senior director in the Microsoft Security Response Center (MSRC) to get his response to the attack and some information on what happens next.

 

Microsoft Security Response Center (MSRC) director Mike Reavey talks about the CanSecWest Pwn2Own challenge that saw a successful exploit of two zero-day vulnerabilities in the Internet Explorer 9 browser.

Source: ZDNet

 

“Well, if we have to sell hardware we will.”

That’s what Steam developer and gaming company co-founder Gabe Newell told Penny Arcade.

Anonymous sources told gaming website The Verge that Valve was working on a project that would form the center of what they’re calling “The Steam Box,” a console that could have a Core i7 CPU, 8GB of RAM, and an NVIDIA GPU. The system may be able to bridge the age-old divide between PC games and consoles by putting PC games onto living room TVs. It makes sense: hardware has proved a curious divide for too long.

And most interesting, Valve may not just be gunning against the Xbox and the Playstation. It might also be going after the probable reboot of Apple TV, and by extension, cable itself.

Newell had fighting words against the Apple model of pretty-looking devices and tight control over software, and it seems like they will be pursuing an open model along the lines of Google’s Android.

“They build a shiny sparkling thing that attracts users and then they control people’s access to those things,” Newell told The Seattle Times in a reference to Apple.

With both Xbox and Playstation continually moving away from being pure gaming systems and angling towards being all-in-one entertainment devices, and now Apple and Valve moving into the game as well, the battle for living room entertainment looks like it’s about to get much more interesting.

Source: Forbes

Apple, which continues to disrupt the mobile space with its patent litigation, has successfully won a case against rival Motorola, in which a photo management patent was infringed.

The German court ruling said that the “zoomed in” mode for viewing photos on Motorola’s Android handsets infringed the Apple-held patent, but not the “zoomed out” mode. EU Patent No. EP2059868 originally derived from another patent, which allowed photos to ‘bounce’ when they are over-scrolled; because people will attempt to claim anything nowadays.

FOSS Patents author Florian Mueller understands that Apple could order the destruction of devices if it chooses so.

“If Apple enforces the ruling, it can even require Motorola to destroy any infringing products in its possession in Germany and recall, at MMI’s expense, any infringing products from German retailers in order to have them destroyed as well.”

Having said that, Motorola played down the fears that devices could be subject to such ghastly ends by saying that doesn’t expect the ruling to affect future sales, and that it has “implemented a new way to view photos”, reports Bloomberg with a spelling mistake.

While Motorola can continue selling the devices, it did not comment on Mueller’s comments that would lead to ultimately the mass graves of Motorola phones. Motorola has said that it has already sought a workaround to prevent its smartphones from infringing Apple’s patent, thus rendering the court’s judgement effectively useless.

It appears from this, that not only is Germany a hot bed of patent activity, litigation — and frankly, trolling — but while one company sues another, the defendant in each case is more often than not forced to simply modify the software of the phones.

If you thought the patent wars were all in Apple’s favour, you would be wrong. It was just over a week ago when Apple pulled the plug on its iCloud and MobileMe push email feature within the borders of Germany, after Motorola won a patent claim of its own.

Source: ZDNet

Another day, another iOS security concern. Today’s confidence-defeating news comes from Nick Bilton at the New York Times. Bilton writes at the paper’s Bits blog that a loophole has been discovered in iOS which allows third-party developers access to your iPhone, iPad, or iPod touch’s photo and video location data… as well as the actual photos and videos themselves. It appears that if an app asks for photo location data on your device (and you approve the request for permission), that application will also be able to slurp down the photos and videos stored on your phone without any further notification. The Times report mirrors an earlier story from 9to5 Mac which detailed security issues on the platform.

Bilton had an unnamed developer create a dummy application which would replicate the offending functionality, and the developer was able to easily poach location information as well as photos and video from a test device. Other developers — such as Curio co-founder David E. Chen — sounded off on the issue. Chen told the Times that, “The location history, as well as your photos and videos, could be uploaded to a server. Once the data is off of the iOS device, Apple has virtually no ability to monitor or limit its use.” Camera+ developer John Casasanta said that, “It’s very strange, because Apple is asking for location permission, but really what it is doing is accessing your entire photo library.” The article also suggests that this loophole may have been introduced with the release of iOS 4 in 2010.

We reached out to Apple about the issue, but the company declined to comment.

All hope might not be lost, however. We spoke to sources familiar with the situation, and were informed that a fix is most likely coming for the loophole. According to the people we talked to, Apple has been made aware of the issue and is likely planning a fix with an upcoming release of iOS. Those sources also confirmed that the ability to send your photos and videos to a third-party is an error, not an intended feature. If we had to guess, the fix will likely come alongside a patch for Apple’s other recent security issue — the ability for apps to upload your address book information without warning.

This story has clear echoes of that controversy, which came to light when a developer discovered that the app Path was downloading all of your device’s contact information to the company’s servers. In a follow-up report, we discovered that Path wasn’t the only app grabbing your info.

It will be interesting to see how Apple reacts to security breaches of this nature in the future. The company has long made it clear that it’s working to respect user’s privacy; at a glance it looks like these recent slip-ups are exceptions, not the rule.

Source: The Verge

Do you like the Windows ‘Start’ button? Well, if you do, you’d better get used to it being gone in Windows 8 because it seems that Microsoft has removed it from the latest builds of the operating system.

Here’s a leaked screenshot from the near-final Windows 8 “Consumer Preview” version (build 8220) which comes to us via PCBeta.com:

Notice the absence of the traditional Start button? I’ve reached out to a few contacts who confirm to me that the button has indeed been removed and replaced with a hotspot in the corner that will duplicate the functionality offered by the old button.

The Start button was first introduced in Windows 95, and has been present in every version of Windows since.

Now here’s the real question … does Microsoft intend to permanently remove the Start button, or is this a trial balloon and Microsoft is looking to see what the feedback from users will be?

Source:  PCBeta