Filed under: Security

Filed under: Software Update, Security

Safari 4.0.5 now available in Software Update


New browser time -- and unfortunately, time to restart your Mac. Safari has been updated (for 10.4, 10.5 and 10.6 on the Mac side, and Windows XP/Vista/7 on the Win side); it includes the improvements noted:
  • Performance improvements for Top Sites
  • Stability improvements for plug-ins, and for sites with SVG graphics and online forms
  • Fixes issues affecting settings changes to some Linksys routers and iWork.com user comments
There is also a slew of security fixes in this update; the full list is in the continuation of this post, via the Apple Product Security mailing list.

The update weighs in at 31.8 MB on my Snow Leopard install, but your download size may vary. You can get it in Software Update or via the Safari download page.


Filed under: Apple Corporate, Software, Apple, Security

Incoming, outgoing Apple employees

A few Apple employees played some musical chairs this week. Executive Pablo Calamera, who was in charge of MobileMe while at Apple, is off to work as the CTO of Thumbplay, a company that peddles ringtones and music to mobile devices.

HR shouldn't have to change the big "35,000 employed worldwide" sign, though: former Mozilla security chief Window Snyder was picked up by Apple this week. She'll jump in as a senior security product manager, a job that will take advantage of her work both at Mozilla and previously at Microsoft, where she worked on both Windows XP and Windows Server 2003. Sure, she's got the experience, but has she ever worked for a company that does this for its incoming employees? Didn't think so.

Filed under: Software, Security

Acrobat, Adobe Reader & Flash updated for critical security fixes

In response to two critical vulnerabilities in Acrobat and Adobe Reader 9.3, yesterday Adobe released the 9.3.1 update for both applications; users of the older 8.x versions can update to 8.2.1 to resolve the security issues. One of the two vulnerabilities addressed would allow a malicious PDF to make unauthorized cross-domain requests; the other could crash the PDF application and possibly allow an attacker to gain access to other parts of the system.

The first flaw is related to a Flash Player issue that was revealed last week; if you have not updated Flash to the latest version (10.0.45.2 as of this moment, see your version & current versions here) & you aren't blocking Flash, you should go get the latest build right away. Although you can configure auto-update notifications in Flash Player, it's not clear if Mac OS X clients are consistently getting these reminders to update.

Even though Mac users are far less likely to be targeted by malware than our Windows-using friends and family, vigilance is still critical. Security analysis firm ScanSafe reported that it saw the percentage of exploits delivered via PDF files rise from 56% at the beginning of 2009 all the way up to 80% in the 4th quarter, so keeping those Adobe apps current -- or, better yet, using Apple's Preview app as the default PDF reader on Mac OS X -- is only prudent.


Filed under: Software, Hacks, Odds and ends, Apple, Security

Scammers exploit Apple iPad fever

And now we're at the point in the iPad cycle where there's just enough information out there about it that people are interested, but not enough that they can discern credible information from scammers. That's the report of the BBC, which says that "hi-tech" scammers are using iPad-based searches to prey on users and install various types of "rogue security software." The news here isn't necessarily that scammers are out there scamming people (that happens all of the time), but it's that scammers are cashing in on the iPad frenzy to do so. Then again, that's probably not a huge surprise, either: they probably always latch onto whatever the hottest search topics are, and this past week, of course, it was the iPad.

In my own personal opinion, these fearmongering reports are the biggest scam of all. Even the BBC is only reporting this based on information from Symantec, and that's S.O.P. for the antivirus company: a) release a report that claims everyone is in danger and that viruses are everywhere, b) get some less-than-tech savvy journalist to believe it, and c) sell copies of your antivirus software and profit. In reality, if you click links only on trusted sites and keep an eye on everything coming in to your Mac, you don't need Symantec to tell you how to be safe. If you install "security software" that you happened to pick up while searching for iPad news, of all things, then you can't be surprised when your system gets compromised.

Filed under: Software, Security

Acrobat & Adobe Reader updated to patch security holes

Earlier this week, Adobe updated both Acrobat and Reader to versions 8.2 and 9.3. These updates offer major security features and are recommended for all users.

In a security bulletin released on Tuesday, Adobe cites "critical vulnerabilities" that could crash your apps or "...potentially allow an attacker to take control of the affected system." Definitely something you'll want to avoid. They recommend that anyone using version 9.2 and earlier update to Adobe Reader 9.3 and Acrobat 9.3 right away. Likewise, those using Acrobat 8.1.7 should update to version 8.2.

You can get all of the details and downloads from Adobe here. Get patching, folks. You'll want these older versions off of your Macs. As usual, we ask that you let us know if anything goes wonky after updating.

[Via PC Magazine]

Filed under: Tips and tricks, Odds and ends, Security

Burglars going after LA Apple Store customers

I better be careful next time I walk out of my Apple Store here in Santa Monica -- apparently burglars are targeting Apple Store customers here in the Los Angeles area. Over 100 customers have apparently been targeted after leaving the store and keeping a computer or other purchase in their car. The thieves wait for customers to walk away from Apple Store bags in their car, either at home or at another store, and then they break in and take them. For some reason, no computers have yet been returned, either, which makes cops think that they're possibly being "shipped out of the country or fenced right away." But of course that would require an organized ring, and police aren't even sure these are all related yet.

How to prevent this from happening to you? Don't leave an expensive computer unattended in your car (duh), or just make the Apple Store the last stop on your list. I've made a few pricey purchases while driving around out here (most recently, I picked up a PS3), and no matter what the neighborhood, I didn't feel safe about leaving it unattended. Even when I'm just carrying my iPod around, I always lock it out of sight in the glovebox before parking the car. As with all of these types of situations, a little bit of care goes a long way.

Filed under: Security, iPhone, Jailbreak/pwnage

Protect yourself from SSH-based iPhone worms

The internet has been ablaze with reports of jailbroken iPhones being infested with worms. The exploit takes advantage of unwitting jailbreakers who install OpenSSH on their iPhones via Cydia without taking into account all of the impacts on security. The most notable, and now famous, hole in this theory is that every iPhone ships with the same default password for both the all-powerful "root" user as well as the more-restricted "mobile" user.

Not surprisingly, Apple has officially commented on the situation, noting that "the worm affects only a very specific set of iPhone users who have jail broken[sic] their iPhones and hacked it with unauthorized software." Apple's statement makes its feelings about the jailbreak community and its effects on the iPhone and iPod touch pretty clear.

Luckily, if you need to have OpenSSH installed on your iPhone (who doesn't want a remotely-accessible, full UNIX terminal in their pocket?), there is a pretty simple solution to this problem that will prevent this breed of infestation from ever reaching your iPhone.
  1. Remember, this only affects jailbroken iPhone owners who have installed OpenSSH...
  2. Begin by installing MobileTerminal via Cydia (alternately, you can login via SSH from Terminal.app or a Cygwin-equipped Windows PC).
  3. Type "login"; you will be asked for a login name, which should be "root", then a password, which should be "alpine".
  4. Type "passwd", then tap return; you will be asked to type the new password. Tap return and type the new password again.
Repeat this same process for the "mobile" user by replacing "root" with "mobile" in step 3. Also, when using passwd to change the password for "mobile" you may be asked the old password which would be "alpine". It is not necessary to use a different password for "root" and "mobile" but if you're highly security conscious, it wouldn't hurt. The second half of this post includes a screen image of my exact process working successfully on OS 3.1.2 with an iPhone 3GS.

In addition to changing the user passwords for your iPhone, another good security measure is to use one of the jailbreak apps like BossPrefs or SBSettings to have a toggle that will disable SSH when not in use. Obviously, having SSH disabled (or not installed) is the best defense against worms of this sort. Got any other iPhone security tips? Let us know in the comments!


Filed under: Hardware, Security, iPhone, Jailbreak/pwnage

New jailbroken iPhone worm is malicious

Last month a Dutch iPhone user demonstrated how careless jailbreaking can cause trouble. Namely, after finding users who enabled SSH with the phone's default password intact, he sent those phones a message that read, "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files." A similar worm caused phones to rickroll their owners.

They could have done worse. This week, someone has. Again from the Netherlands and again finding jailbroken iPhones with SSH enabled, F-Secure reports that this infection puts up an ING Direct login page that lets the hacker gather login credentials and, we assume, move funds to wherever they please. This version also changes the 'alpine' password to block users from getting to the phone via SSH.

We'll have more on this as the story develops, but the moral is this: If you jailbreak your iPhone, you should know what you're doing -- and you should change your SSH password.

[via Engadget & ZDnet Asia]

Filed under: Security, iPhone, App Review

Cisco adds Security Intelligence Ops to iPhone portfolio

Despite some security-conscious enterprise experts pointing accusatory fingers at the rather bleak encryption story and only-recently fixed ActiveSync policy compliance on the iPhone platform, there's no doubt that IT and network professionals are grooving on the iPhone -- there are many apps designed for administrators to take control of their operations with a touch of a finger, and now Cisco has stepped in with an informational and alert resource that fits in your pocket.

The Cisco SIO (Security Intelligence Operations) to Go free app [iTunes link], requiring iPhone OS 3.0 or later, lets the paranoid, er, properly alert and aware security professional keep tabs on the global threat landscape with Cisco's Cyber Risk Reports, Threat Outbreaks and Mitigation Bulletins, along with podcasts, blog posts and a slew of other branded content. There's also an IronPort-driven IP and email domain scanner, which will grab WHOIS data along with a brief reputation score for your hosts.

Having all this Cisco goodness in one place is handy, although the majority of the app's headlines link to pages on the Cisco site that remain largely iPhone-unfriendly -- even the press release announcing the app's launch is hard to zoom properly -- and there's none of the flexibility of a full-featured RSS reader to forward articles, bookmark or set read/unread points.

Still, as a gesture of goodwill towards the intersection of iPhone users and security professionals, it's a reasonable step. Cisco also has the WebEx Meetings app [iTunes link] and the Cisco Mobile telephony tool [iTunes link] in the store, both free.

[via TechCrunch]

Filed under: Security, iPhone, Jailbreak/pwnage

Worm rickrolls unsecured jailbroken iPhones via SSH

For the last few days, some jailbroken iPhone users have found their home screen background a little different than they remembered. A hacker, going by the name "ikee," created a worm that changes the home screen background on jailbroken iPhones whose owners failed to change the default password after installing SSH. Simply jailbreaking your iPhone will not make you vulnerable to this sort of hack. The iPhone OS, in general, is also immune to this hack. Still confused? Let's back up a bit.

On jailbroken iPhones, SSH is installable with a package from Cydia that allows you to connect to your phone and make changes to the filesystem. It does this by logging into the root user with the password "alpine." After installing SSH, it is always recommended that you change "alpine" to the password of your choosing. This hack can only affect people who chose not to change that password -- no one else.

This hack originated in Australia, the home country of ikee, and has possibly spread to other iPhones in other countries, but we've been unable to verify that. A gentleman by the name of JD held an interview with the hacker over IRC and posted it to his blog. In ikee's own words, here's how the worm has spread:
"...The code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra's IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT'd) then a random 20 IP ranges. I'm guessing a few phones hit a range that another vulnerable phone was on."
Basically, once your phone is infected, the worm starts looking for other iPhones on the cellular network that use the root:alpine combination. Once it finds another vulnerable iPhone, it installs itself and begins the process again... and again... and again.

Luckily for the jailbreakers in the audience who may have been affected, there's really no harm done -- at least not with this version of the worm. According to the hacker, this was more of an experiment than anything else. The worm changes your background and then disables inbound SSH, which is a good thing. If SSH was left turned on, a similar worm could follow along but conceivably do much more damage. For instructions on how to delete this worm, read JD's interview with ikee. I would recommend reading the interview just for the information it presents; I found it pretty interesting. If you've got a jailbroken iPhone or iPod touch and you've never changed the default device password, now's the time. Here's how, if you are using terminal:

Type: ssh root@(iPhone IP address)
When prompted for the password, type: alpine
Now you're connected to the phone...
Type: passwd
It should then prompt you for a new password -- type one that you'll remember. There's no easy way to reset it if you forget it.

That's it. Please remember to be responsibly secure with your devices. Hackers like ikee are troublesome, but this could have been much worse. While I don't personally condone his actions, he's prevented a lot of people from being vulnerable to more malicious attacks later down the road.
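As an added example (not part of the original posts or of any released tool), here is one way to confirm the fix described in both how-tos above, the MobileTerminal steps and the ssh/passwd steps: a shell check, run against a copy of the phone's password file, that reports whether "root" and "mobile" still carry the factory hash. It assumes the BSD master.passwd layout (name:hash:uid:...); the function names, the sample entries and the default-hash value are constructed placeholders, so substitute the hash you recorded from your own device before the change.

```shell
#!/bin/sh
# Added example: audit a copy of the device's password file for accounts
# that still carry the factory password hash.
# Assumptions: BSD master.passwd layout (name:hash:uid:gid:...), and a
# default hash supplied by the operator. All values here are constructed.

DEFAULT_HASH_PLACEHOLDER="PLACEHOLDERHASH"   # not a real hash

# audit_default_pw FILE DEFAULT_HASH
# Prints one line per account of interest: "<user> <STATE>", where STATE is
# DEFAULT (hash unchanged), EMPTY (no password), LOCKED, CHANGED or MISSING.
audit_default_pw() {
    file=$1
    default_hash=$2
    for user in root mobile; do
        awk -F: -v u="$user" -v d="$default_hash" '
            $1 == u {
                found = 1
                if ($2 == d)            state = "DEFAULT"
                else if ($2 == "")      state = "EMPTY"
                else if ($2 ~ /^[*!]/)  state = "LOCKED"
                else                    state = "CHANGED"
                print u, state
                exit
            }
            END { if (!found) print u, "MISSING" }
        ' "$file"
    done
}

# still_exposed FILE DEFAULT_HASH
# Exit status 0 when at least one account is DEFAULT or EMPTY.
still_exposed() {
    audit_default_pw "$1" "$2" | grep -Eq ' (DEFAULT|EMPTY)$'
}

# write_sample PATH
# Constructed sample: root was changed, mobile was forgotten.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real device data
root:ZZconstructedNEW1:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:PLACEHOLDERHASH:501:501::0:0:Mobile User:/var/mobile:/bin/sh
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_default_pw "$sample" "$DEFAULT_HASH_PLACEHOLDER"
still_exposed "$sample" "$DEFAULT_HASH_PLACEHOLDER" \
    && echo "action needed: run passwd for the accounts flagged above"
rm -f "$sample"
```

The constructed sample shows the case the first how-to warns about: "root" was changed but "mobile" was not, so the device is still reported as exposed.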

Thanks, James!

Filed under: Cool tools, Security, Snow Leopard

1Password 3 Beta brings a sweet new interface and Snow Leopard support

Most of us have really crappy, insecure passwords. Sure, we tack a couple of numbers or punctuation characters at the end of our cat's name, but that's a far cry from secure -- especially since we also have the equally nasty habit of using the same password on every single site/service/machine/device with which we have regular contact. We're not just asking for trouble, we're offering it a delectable stolen identity sandwich.

As most of us Mac folks know, a solution exists and it's called 1Password. If you've owned your Mac for more than an hour or so, chances are pretty good that you've been admonished to acquire this lovely app (maybe even by more than one person). Several of us at TUAW are big fans of 1Password, and today our pointy party hats are standing taller than ever thanks to the opening of the public beta for 1Password 3.

This new version brings with it a massive list of changes, improvements and new features -- a couple of which have helped me to realize the dream of being able to utilize 1Password data on OSes other than OS X. You see, like many other Mac enthusiasts, I use Windows at work. Obviously, this precludes me from fully embracing Mac-only software like 1Password, but thanks to a brand new feature called 1Password Anywhere, my pain is dulled.

1Password Anywhere allows you to take your 1Password data and open it using any modern web browser. I've tested this with Chrome, Firefox and IE under Windows XP and they all work wonderfully. Your data is still absolutely secure and stored behind the same master password that protects the data in 1Password proper. They didn't spare any detail, either -- 1Password Anywhere looks and feels remarkably similar to the native OS X application. The data is read-only in your browser, but being able to easily copy the strong passwords and paste them is worth the admission price. The truly enlightened will see the application of a service like Dropbox here -- just move your keychain file into your Dropbox and your passwords are now with you wherever you go.


Filed under: Odds and ends, Security, MobileMe

Add Apple's free Backup.app to your backup toolbox

When most people think about Apple and backups they probably think about Time Machine or perhaps even Time Capsule. But Apple has a lesser-known application which you might consider using.

The app, simply named Backup, was originally available only to .Mac users, but is now openly available on Apple's website. It lists "MobileMe account" as one of its requirements. If you do not have a MobileMe account, each backup is limited to 100 MB. The good news is that for what I am suggesting, 100 MB will be completely sufficient for most people. Follow along as I use Backup to create a complete and scheduled backup of personal data and settings on my Mac.

First, install and launch the application. Choose Plan > New Plan from the menu.

If you have a MobileMe account, choose the "Personal Data & Settings" option (second from the top), click the "Choose Plan" button, and then skip the next paragraph.


Filed under: Bad Apple, Security, .Mac, MobileMe

MobileMe mixup: Address book snafu exposes personal data to strangers?

Face it: your address book and your contacts, they're personal. They reveal a lot about you: your friends, your business partners, your cake buying proclivities, and more. The address book you see at the top of this post appears to be for someone in the Denver area. I know that because of the REI Denver listing and Le Bakery Sensual on 6th, which I drive by whenever I head East from Broadway.

These contacts, along with their notes, their phone numbers, dates of birth, and other information say a lot about the person whose address book this is, and also about the people who appear in that contact list, with all their personal and professional info.

There's one big problem. The screen shot you see wasn't made by the person who owns this me.com account. Under certain very specific conditions, Apple is inadvertently sharing data from other people's accounts. Ouch.

A TUAW reader sent us a video made as he renewed his me.com account from the UK. The address book data he accessed during that time included this Denver-based set shown here, as well as data from an Ireland-based user of Polish descent (all his contacts were back in Poland although his business was based in Ireland).

This all went down during the period when his MobileMe account was renewing. Each time he logged off and back on, he was presented with yet another set of contacts--none of them his. He writes, "Each time I logged off and on I got a different address book. All the other options were disabled (because my renewal was being processed) but clicking the Contacts icon showed me *an* address book," just not his address book.

With a little Internet-fu, he checked out some of the numbers and found that they were valid and operational. This leads him to believe that this is real data. My inspection of the local Denver data from his screen shots convinces me of the same. Further inspection of work addresses and personal family names makes us believe we know whose Denver-based address book this is. We've attempted to contact this person but as yet have not heard back.

The address book glitch ended once the registration process finished, leaving our TUAW reader with a series of screen shots and videos and a deep concern about Apple's ability to safeguard personal data. He's already contacted Apple about the bug. "I contacted them by two means: their web-chat thing where they told me that they 'had no reports of such an issue'. They suggested closing and reopening Safari (helpful eh?) and a generic autoresponse saying they'd reply within 5 days when I sent an email." He adds, "I don't think the people manning the help desk appreciated the seriousness of the situation."

TUAW has sent a heads-up to Apple and will keep monitoring the situation to see how it develops.

Filed under: Software Update, Security

Apple fixes security issues with Security Update 2009-005 for Leopard and Tiger

Appearing alongside the Mac OS X 10.6.1 update, Apple released another update today: Security Update 2009-004 is out for users of Leopard and Tiger. This update patches several vulnerabilities, including the security issue with Flash that was also part of Mac OS 10.6.1.

It's available now through Software Update and is applicable for Mac OS X Leopard, Tiger (PPC and Intel) and Tiger Server (PPC and Universal).

Filed under: OS, Bugs/Recalls, Bad Apple, Security, Found Footage, Snow Leopard

Snow Leopard: Apple ships old, security-compromised Flash plugin with new OS


It's not that we have anything against the Flash plugin for Mac browsers. Well, other than the fact that it's crashy, and slow, and makes our laptop fans spin up like we're doing wind tunnel testing for the Air Force. But other than that, we have nothing against it -- and it's lovely that the new 64-bit version of Safari in Snow Leopard can isolate Flash-related stalls and hiccups from the main browser process for enhanced crash protection. Very nice.

Unfortunately, as pointed out initially by Graham Cluley over at the security and anti-virus vendor Sophos, the version of the Flash plugin that Apple bundles with Snow Leopard is old. It's the 10.0.23.1 version, old enough that it has some notable vulnerabilities versus the currently shipping 10.0.32.18 version. You can check which version of the plugin you have by visiting this Adobe check page. Even if you had the current build on your machine before upgrading to Snow Leopard, the upgrade process replaces your Flash with the vintage Flash instead -- poor form! Cluley recommends, and Adobe concurs, that the best thing to do is head over to Adobe's download site and get the most up-to-date version instead.

It's understandable that Apple had to lock down a version of the Flash plugin for inclusion in the OS golden master, but if you're gonna do that then you've got to provide an integrated method for users to update to the current build when the time comes (like, say, via an OS-wide Software Update utility). Downgrading user security while upgrading OS versions is a rotten way to run a railroad.

[Side note, does Cluley's narration in the video above make you wonder if, just maybe, he's moonlighting as Ben 'Yahtzee' Croshaw over at The Escapist? NSFW!]

Thanks to everyone who sent this in.
