If you use any type of mobile device in your day to day life….keep reading. Ignorance can only bring you so far!
Two separate studies of mobile devices have found serious privacy and security issues. One of the studies found that smartphones and tablet PCs can be eavesdropped on when they are being used to make purchases, conduct online banking transactions, or access VPNs (virtual private networks). Another study uncovered a number of ways to break into Apple’s iOS, its operating system for mobile devices. It is likely that cyber criminals will increasingly turn to mobile devices in their attacks as the devices become more and more commonplace in business transactions.
Safari: Closes 80 Security Holes with version 5.1.4
Apple has released version 5.1.4 of its Safari web browser for Windows and Mac OS X. According to the company, the maintenance and security update addresses more than 80 vulnerabilities. The update also includes includes various stability and performance improvements as well as fixes for other non-security related bugs.
A majority of the security holes closed in 5.1.4 were found in the WebKit browser engine used by Safari. These include several cross-site scripting (XSS), cross-origin and HTTP authentication problems, as well as numerous memory corruption bugs that could be exploited by an attacker, for example, to cause unexpected application termination or arbitrary code execution.
The recent issue, where Google were accused of bypassing Safari’s privacy controls on cookies, also appears to have been addressed. Details of how Apple have fixed this though are not given. A bug in Safari’s Private Browsing mode that allowed page visits to be recorded in the browser history when the mode was active has been fixed.
On Windows systems, the browser update improves domain name validity checking in order to prevent attackers from using look-alike characters in a URL to visually spoof a legitimate domain and direct users to a malicious site – Mac OS X systems were not affected by this issue.
More can be found here: http://www.h-online.com/security/news/item/Safari-update-closes-security-holes-1470595.html
- Apple patches steaming heap of Safari bugs (go.theregister.com)
- Apple patches record number of Safari 5 bugs with monster update (infoworld.com)
- Apple releases Safari 5.1.4 update (applescoop.com)
- Apple Releases Safari 5.1.4 With Speed And Stability Improvements (cultofmac.com)
Alongside the launch of the “new iPad“, Apple released iOS 5.1 for the iPhone 3GS, 4 and 4S, the 3rd generation iPod touch, and iPad and iPad 2. The update includes fixes for 91 issues with CVE identifiers. The majority, 66 of the issues, are described as “unexpected application termination or arbitrary code execution” in WebKit due to memory corruption. These flaws were mostly found by Apple or members of the Google Chrome Security Team, while a number were found by Chrome special rewardwinner miaubiz.
Two screen lock bypass issues are fixed, including one, a race condition with slide to dial gestures that could bypass the passcode lock, discovered by Roland Kohler of the German Federal Ministry of Economics and Technology, and an uncredited discovery that Siri’s lock screen could be used to forward messages to an arbitrary user.
iOS 5 devices have automatic update support, and the update should be available “over-the-air” or via iTunes. Users who wish to force the update can use the Settings app, select General and then Software Update, ensuring the device is fully charged or on charge. Full details of all the issues fixed are given in About the security content of iOS 5.1 Software Update.
Many of the same WebKit issues are fixed in the iTunes 10.6 update to mitigate the possibility that a man-in-the middle attack could be used while browsing Apple’s iTunes Store to compromise a system. The iTunes 10.6 update is for Mac OS X and Windows systems and details of the fixes are available in About the security content of iTunes 10.6.
Apple Will Require Apps to Obtain User Permission Before Accessing Contact Data
US legislators sent a letter to Apple CEO Tim Cook asking why the company does not require iOS developers to obtain permission from users before apps download users’ contacts. The inquiry follows close behind news that the Path app downloaded users’ address books without their permission. Apple has responded to the question with a promise to change that policy so apps requiring use of address book data request that information explicitly.
*More on this story here:
[Editor’s Comment (SANs.org):
“I wonder if they will be in time to avoid a major disaster. I was surprised to read on slashdot that your data was safer on unapproved apps for jailbroken iPhones than on approved apps from Apple’s store”:
***Back story on NetsecurityIT.com: