Unpatched iPhones/iPads secure connections not so secure | Naked Security.
Yesterday I wrote about Apple’s latest fixes for iWork and iOS and encouraged folks to update. Now that more information is available it is clearly critical that all users update as soon as possible, unless they only use their device for telephone calls.
The flaws in iOS 4.3.4, 4.2.9, 5.0b3 and earlier are a lot more serious than Apple’s description of their fix suggests: “This issue is addressed through improved validation of X.509 certificate chains.”
Do not do any e-commerce or banking transactions until you upgrade.
Sparse iPhone, iPad Screen Space Aids Phishers | threatpost.
Pinched screen real estate on iPhone devices may make it easier for users to be fooled into using bogus “phishing” Web sites, according to an analysis by researcher Nitesh Dhanjani.
In a post on the SANS Application Security Street Fighter Blog on Monday, Dhanjani called attention to the common practice of hiding the Web address once Web pages and applications have loaded. That practice, coupled with the ability of application programmers to render screen elements that can mimic real address bars, could throw open the door to the kinds of phishing attacks that modern browsers have long since rendered ineffective.
Dhanjani recommends that URLs be displayed within the applications and, more importantly, that Apple (1) makes this a policy and (2) sets default behaviors to encourage this policy.
You can read Dhanjani’s post in its entirety at Insecure Handling of URL Schemes in Apple’s iOS.
Via NetworkWorld, Sophos is reporting that Ping, Apple’s new social network add-on to iTunes, is “drowning in scams and spam.” Sophos says, “Apple has not implemented any form of automated spam or URL filtering in Ping,” although they do appear to be filtering profile photos for obscenity and copyright infringement.
This comes on top of other generally negative reviews of Ping:
– Can Ping be saved?
– Apple’s Ping is a big pile of steaming dung
– Ping is neither social, nor is it a network. Discuss.
The biggest issue seems to be lack of integration with Facebook.
With the increasing popularity of mobile devices like iPhones and Android-based phones, we are beginning to see targeted malware, raising the question of whether we need anti-malware for our mobile devices. ReadWriteWeb Enterprise was prompted to write an article on this topic as a result of the Android game Tap Snake, which was reported to be spyware.
It appears the mobile anti-malware market is fairly immature:
I took the opportunity to test a few of the anti-malware apps available on the market: antivirus free from droidSecurity, Lookout, Symantec’s Norton Mobile Security for Android beta, and Smobile. I was also going to try SmrtGuard, but I couldn’t get the app to activate before Tap Snake was removed from Android Market. Of those four apps, only one detected Tap Snake as a potential threat.
The article goes on to say that tightly controlling what apps can be loaded onto mobile devices may be all enterprises need at this time.
Critical vulnerabilities appearing in both iPhones and Android phones point to the need for third-party security products.
Apparently Juniper and McAfee think so. Juniper recently announced that it was acquiring SMobile Systems for $70 million. McAfee acquired TenCube. Another product in this space is Lookout.
Finally, which operating system do you think is more secure? Do you prefer closed or open source? Here is a recent article from Network World discussing this issue.
It looks like Apple was working on a fix for the Safari auto-fill vulnerability after all. According to MacRumors, “As noted in the security documentation accompanying today’s release, Safari 5.0.1 and 4.1.1 address an AutoFill security flaw disclosed last week that could allow a malicious site to obtain a user’s Address Book information, including name, company affiliation, city/state/country, and email address.”
More news from Secunia via ars technica. Apple has surpassed Oracle as the software company leader in security vulnerabilities. Microsoft is third. You can read the details here.
Also of note in the Secunia report: in the world of Windows, third-party application vulnerabilities far exceed those found in Windows itself. And unfortunately, many third-party applications do not have automated patch-updating services as well developed as Microsoft’s.
Jeremiah Grossman posted information on a very serious Safari privacy vulnerability which Apple has not yet patched. Here is the lead paragraph of Jeremiah’s post:
Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.
Jeremiah says he notified Apple on June 17th. Other than what appears to be an automated email reply, there has been no response. Since Apple had not responded in a meaningful way, Jeremiah decided to go public, as the 83+ million Safari v4 and v5 users have a right to know so they can change the AutoFill configuration to protect themselves.