Apple has released its third major update to Leopard; the 10.5.3 update appears now in Software Update. This mammoth update is 420 MB (the server version is 489 MB) and offers fixes, enhancements and improvements for everything from iCal to graphics drivers. Included with this update are twenty-six security fixes, for the kernel, Mail, iCal, Apache web server and much more. All in all, this update contains 35,000 files, patching just about every part of the system.
You can get more information about the contents of the security update here. If you want to download only the security update (for Macs running Mac OS X 10.4.11 or those not wanting to apply the full 10.5.3 update (though we don’t see any reason why you would not want to do this), you can download the security update alone here. (You can also download combo updaters for 10.5.3 on this page; it’s a 536 MB update for Mac OS X client and 632 MB for Mac OS X Server.)
Intego NetBarrier contains a useful feature that can help you find out who owns Internet addresses, either domain names or numerical IP addresses. Called “Whois”, this function taps into public databases of domain name registration (DNS) information, and in most cases will show you who owns a given domain name, or which provider owns a specific numerical IP address. While owners can choose to be anonymous, most don’t, so you’ll see the name of the company that owns the name or address, and contacts for them.
To access the Whois function, click the ? icon at the bottom-right of the NetBarrier window, or press Command-Option-4. A window displays. Then, enter a domain name or IP address in the Domain field, and click the Whois button or press the Enter key. The large text field below gives you information about the domain, fetched from publicly accessible information servers. You can save this information to a text file by clicking the Save… button.
You can also use the Whois function to find if a given domain name has been reserved, or that date at which a domain name expires. All in all, you can find out a lot about domains and IP addresses with this easy-to-use function.
If you have an iPhone, you’re aware that you can set a passcode to prevent thieves (or acquaintances) from browsing your stuff. But how secure is that passcode? It turns out that it’s only sort-of secure. iPhone Atlas has published an article showing that this passcode can be bypassed. Now, before you worry about your significant other checking for clues, the procedure described is not simple, and certainly not for the average user. It involves preparing a custom iPhone RAM disk, and issuing commands to the device via the command line. But, as the article says, “can be accomplished in mere minutes by anyone who has physical access to an iPhone.” Be aware.
In a recent article, we discussed that refurbished iPhones may contain personal data, since Apple does not wipe the hard drives clean. While there is no tool to fully reformat an iPhone (the “restore” procedure you can perform from iTunes merely erases catalogue data and re-installs firmware), there are ways you can, if not securely delete your data, at least overwrite it. The Securosis web site has an article explaining how to do this.
Basically, this involves filling the iPhone with as much music as possible, so its storage is overwritten. Securosis suggests doing this three times, with three different playlists; this overwrites the original data three times. This is a simple and prudent way to cover your tracks. Think about doing it if you have to send an iPhone for repair or exchange.
The ZDNet Zero Day security blog published an article about three iCal vulnerabilities, saying that Apple should be patching these security holes very soon. These holes “could enable client-side attacks on Mac users, using rigged Web sites or malicious attachments.” As described on the Core Security web site, the vulnerabilities are the following:
The most serious of the three vulnerabilities is due to potential memory corruption resulting from an resource liberation bug that can be triggered with a malformed .ics calendar file specially crafted by a would-be attacker.
The other two vulnerabilities lead to abnormal termination (crash) of the iCal application due to null-pointer dereference bugs triggered while parsing a malformed .ics files. The hability to inject and execute arbitrary code on vulnerable systems using these two vulnerabilities was researched but not proven possible.
Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on specially crafted .ics file send over email or hosted on a malicious web server; or without direct user assitance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server.
The ZDNet article says that Apple will be patching these vulnerabilities soon, but this is atypical of Apple, who generally waits to release several security fixes together in an upgrade. In the meantime, “beware of strange links and e-mails with requests to add/open calendar (.ics) files.”
Phishing e-mails have been spotted recently claiming to be from the iTunes Store, asking the recipients to log into an iTunes billing update page and give away their credit card numbers. These e-mails are no different from other attempts to get eBay, PayPal and bank users to give up their identity. While they may fool some, a bit of reflection should tell you that Apple would never send such an e-mail: all your iTunes account management – including your billing information – is done via the iTunes application itself, and never on a web page in a browser. So if you get one of these messages, you can just press the Delete key.