Apple Issues iPhone Security Update
After hackers recently pointed out some vulnerabilities in the iPhone’s browser, Apple must have got right to work to get them patched. As of this morning, Apple made the first official security update for the iPhone available.
The vulnerabilities were recently discovered by three researchers, Dr. Charlie Miller, Jake Honoroff and Joshua Mason, of the software security team at Independent Security Evaluators, an information security consulting firm.
The security vulnerability: a big gaping hole was hiding in the iPhone’s Safari browser software, one that could let hackers take control of your iPhone.
Basically, a hacker could use a bit of nasty code delivered over Wi-Fi to gain full administrative access to the iPhone and its software.
The newly released iPhone 1.0.1 update only patches these holes. It does not offer any new widgets or features. The actual sections of code being repaired are in the iPhone’s WebCore and WebKit.
From talking with friends this morning, the update process is pretty quick. It took about 10 seconds to download the patch and then a full six minutes for the patch to be installed on the iPhone. After the patch was installed, the iPhone rebooted itself and the patching was complete.
Apparently there isn’t any noticeable change in the way the iPhone’s browser operates or functions, but of course, if you have an iPhone, you’ll want to download and install this patch right away.
Mozilla Patches Firefox, Releases Version 2.0.0.6
Still battling vulnerabilities that could allow the Firefox browser to pass dangerous data to third-party applications like Microsoft’s Internet Explorer, Mozilla just released Firefox 2.0.0.6 to fix the problem.
The following security issues have been fixed:
- MFSA 2007-27: Unescaped URIs passed to external programs
- MFSA 2007-26: Privilege escalation through chrome-loaded about:blank windows
Be sure to go grab the latest version of Firefox to protect yourself against these security vulnerabilities.
Microsoft Office 2003 SP3 May Be Here Soon
Be on the lookout for a free upgrade to Office 2003 in the form of another service pack.
Office 2007 may have recently been released, but many companies and individuals are sticking with Office 2003 for now.
There’s a learning curve for the software’s new interface, and besides, even the standard version costs $239.99 USD as an upgrade from Best Buy, though the upgrade is included in Software Assurance contracts.
Yesterday, a download referring to the service pack appeared on Microsoft’s Web site.
The download, “Office 2003 Service Pack 3 Administrative Template (ADM), OPAs, and Explain Text Update” only includes policy settings and documentation, but more could be on the way.
This download includes the following updates:
- Policy settings that provide the ability to block file format settings to prevent users from opening or saving specific file types and file formats in Microsoft Office Excel 2003, Microsoft Office PowerPoint 2003, and Microsoft Office Word 2003.
- An updated Excel 2003 workbook (Office 2003 Group Policies.xls) that describes policy settings listed in the various Administrative Template and OPA files. It supports changes to the Office 2003 SP3 policy settings.
This update replaces the previously available Office 2003 Service Pack 2 Administrative Template (ADM), OPAs, and Explain Text Update download.
Mozilla Patches Firefox, Releases Version 2.0.0.5
Mozilla released Firefox 2.0.0.5 with patches for several vulnerabilities, including the “highly critical” security bug that has been plaguing both Firefox and Microsoft’s Internet Explorer.
Security researcher Thor Larholm called the problem an input validation flaw. He explained in a blog post that when Firefox is installed on a system, it registers a URL protocol handler.
When IE encounters a reference to content inside the FirefoxURL URL scheme, it calls ShellExecute with the EXE image path and passes the entire request URL without any input validation.
That means if someone using IE visits a Web page that tries to call a Firefox URL, the Microsoft browser will launch Firefox with no other prompting, passing it the URL.
Neither browser, according to Mozilla, sanitizes the URL, which would allow an attacker to make Firefox execute malicious JavaScript code. The user would have to visit a maliciously crafted Web page or open a malicious e-mail. User interaction is required.
Despite the online debate that has been swirling over whether the flaw resides in Microsoft’s IE or Mozilla’s open-source browser, Window Snyder, Mozilla’s “chief security something-or-other at Mozilla,” said in a blog post that they would take care of the issue.
A Mozilla advisory released on Tuesday pointed out that the patch would not fix the vulnerability in Internet Explorer.
“The vulnerability is exposed when a user browses to a malicious Web page in Internet Explorer and clicks on a specially crafted link,” noted Advisory 2007-23. “That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious Web page without escaping the quotes.
“Firefox and Thunderbird are among those which can be launched, and both support a ‘-chrome’ option that could be used to run malware.
“Note: Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data,” the advisory added.
Firefox 2.0.0.5, according to an advisory, also patches a flaw that crashes the browser with evidence of memory corruption, along with another flaw that enables unauthorized access to wyciwyg:// documents.
Also being patched is a bug that causes privilege escalation and another that causes file type confusion.
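As an added illustration of the unescaped-URI problem described in this Firefox 2.0.0.5 item and in MFSA 2007-27 above (example code written for this page, not code from Mozilla, Microsoft or the original post): a constructed handler command template, the naive `%1` substitution the advisory describes, and a validated, properly quoted alternative. The executable path, the `firefoxurl` scheme check and the sample URIs are assumptions, not the real registry values.

```python
import re
import subprocess

# Constructed handler template, modelled on the shape of a URL protocol
# handler's registered command (assumption, not Firefox's actual value).
HANDLER_TEMPLATE = r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url "%1"'
HANDLER_EXE = r"C:\Program Files\Mozilla Firefox\firefox.exe"
ALLOWED_SCHEME = "firefoxurl"

# Characters that must never reach the command line unescaped: a quote,
# whitespace or a control character can terminate the quoted "%1" argument
# and let the rest of the URI be parsed as further program options.
_FORBIDDEN = re.compile(r'["\s\x00-\x1f\x7f]')


def naive_expand(template: str, uri: str) -> str:
    """The behaviour the advisory describes: the whole request URL replaces
    %1 with no escaping, so a quote inside it ends the argument early."""
    return template.replace("%1", uri)


def validate_handler_uri(uri: str) -> bool:
    """Accept only URIs that carry the registered scheme and contain no
    character capable of breaking out of a quoted command-line argument."""
    scheme, sep, _rest = uri.partition(":")
    if not sep or scheme.lower() != ALLOWED_SCHEME:
        return False
    return _FORBIDDEN.search(uri) is None


def safe_expand(exe: str, uri: str) -> str:
    """Hardened form: reject suspicious URIs, then build the command line with
    subprocess.list2cmdline, which applies the Microsoft C runtime quoting
    rules so the URI always arrives as exactly one argument."""
    if not validate_handler_uri(uri):
        raise ValueError("rejected URI: wrong scheme or unescaped metacharacter")
    return subprocess.list2cmdline([exe, "-url", uri])


def count_quotes(command_line: str) -> int:
    """Helper for inspection: a handler template with two quoted arguments
    should yield four quote characters; any more means the URI injected some."""
    return command_line.count('"')
```

On a handler-registering host, the same check belongs in whatever receives the URL before it reaches ShellExecute, not only in the launched program.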
Someone Needs To Make E-mail Security Easier
Why can’t anyone invent secure e-mail that doesn’t require an advanced degree to use?
Part of the reason is that standards are still too lax or too numerous.
Corporate-wide key management is too onerous, making it difficult to make changes and keep your e-mail certificates in sync as staff comes and goes.
And while there are a few solid products to choose from, interoperability is still miserable and plenty of difficult implementation issues exist.
Most products assume that users only own one machine, making it harder to manage e-mail that originates from multiple PCs and multiple operating systems.
Yahoo, Microsoft and others have been working for several years on sender authentication with little to show for it.
Microsoft maintains a page on Sender ID, just one of the many competing attempts to take control over this situation. One simple solution is to put up a simple Web message form to send secure messages.
Far too many steps are involved to exchange secure messages. You still need to understand lots about public key infrastructure, certificate management and how your e-mail client works.
Until these issues are resolved, secure e-mail will continue to confound most of us.
Why can’t Microsoft make a more secure Windows OS?
Have you had enough with cleaning up your Windows OS after some security exploit?
Tired of hearing gripes from your users, proclaiming that all they did was surf what they thought was a perfectly innocent Web site before their PC crashed and burned?
So why can’t Microsoft make a more secure version of Windows to protect us all from these situations?
Give them points for trying: At least Vista and IE v7 attempt to lock things down more than what was possible with XP, something that’s finding lots of appeal with IT managers who are considering these upgrades.
But still. Look at what Microsoft did with Vista’s firewall. The firewall available on XP (and only with Service Pack 2) didn’t block outbound connections, which made it easier for the bad guys to turn your PC into a spam-creating zombie.
Vista includes this ability, but it’s so difficult to set up and too obscure to configure that you’re still better off with a third-party firewall.
Just think of the entire software infrastructure Microsoft could eliminate overnight if Windows were more resilient. Anti-spyware, antivirus, personal firewall, anti-phishing tools would all be unnecessary. Nice to dream about, even for just a moment.
Instead, the harsh reality is that corporate IT managers have had to develop elaborate schemes for locking down their Windows desktops, eliminating security weaknesses and curtailing numerous options that are part of the Windows OS.
Too bad there isn’t a more secure desktop OS readily available.
Actually, I was just playing. I can think of two secure desktop operating systems right off the top of my head:
- Fedora OS (Linux-based)
- Macintosh OS X (based on FreeBSD UNIX)
Too bad that most corporate IT shops can’t use them for their bread-and-butter applications. One day my friends, one day.
