
Adobe has issued a security bulletin covering a dozen bugs in its Flash Player application, a widely used browser plug-in. Adobe says:
Critical vulnerabilities have been identified in the current versions of Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
However, they go on to say, “We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009.” It’s odd that they would issue an alert on the 30th and say they expect to provide an update by the 31st. It’s not clear if the update they’re providing fixes these vulnerabilities or whether there’s another update to be issued.
Unfortunately, most users rarely update Flash, since it’s not an application and doesn’t do automatic checks for updates. Given the risks of infected Flash content, and the ability for that content to run on any web page with no user interaction, Adobe should add some kind of auto-update check to the Flash plug-in. As it stands, the only way users know they need to update the software is when they read an article such as this, or if, in rare cases, they visit a page that requires a specific version of Flash and they find that their plug-in is out of date.

As reported by Forbes and others, security researchers Charlie Miller and Collin Mulliner plan to demonstrate today, at the Black Hat security conference in Las Vegas, how hackers can take over iPhones by sending them specially-crafted SMSs. Hackers that take over phones in this manner can do things including, “dialing the phone, visiting Web sites, turning on the device’s camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.”
We initially reported this bug four weeks ago, and Miller informed Apple of the vulnerability, giving the company plenty of time to issue a fix. Yet nothing has come from Cupertino since then, and we’re all wondering if Apple will be able to release a security update before this exploit gets into the wild.
Of course, if it does, and the security researchers are the cause of such an attack being used, that would raise questions of just how much information they should make public. We have seen in the past that, following Apple’s delay in releasing security updates, researchers have gone public with exploits, but this one seems like it could have serious effects if it spreads.

Apple has published a support document discussing the risks and dangers inherent in jailbreaking an iPhone, or “installing software that makes unauthorized modifications to the iPhone OS.” The risks, according to Apple, include the following:
- Device and application instability
- Unreliable voice and data
- Disruption of services
- Shortened battery life
- Compromised security
- Inability to apply future software updates
We’ve discussed the issue of compromised security on jailbroken iPhones here in the past. Apple says that, “Security compromises have been introduced by these modifications that could allow hackers to steal personal information, damage the device, attack the wireless network, or introduce malware or viruses.” In fact, jailbreaking an iPhone depends on exploiting a vulnerability in the iPhone’s OS. It is true that jailbroken iPhones – or phones of any type – are inherently less secure than “normal” phones. Security updates made to the device’s OS cannot be applied if the user wants to use a jailbroken phone, at least not until the jailbreaking process itself is updated following the issuing of patches. Jailbreaking requires third-party software that is modified after every update to the iPhone’s OS, and there is a period between an update and the release of new jailbreaking software during which users are especially vulnerable.
Nevertheless, jailbreaking remains popular. This is one of the reasons why Intego added the ability to scan an iPhone or iPod touch to VirusBarrier X5. (See this article for more on scanning an iPhone or iPod touch with VirusBarrier X5.) If you jailbreak your iPhone, you should be extremely careful, and you should check it often for malware.

Intego has long had an extensive presence in Apple’s online and brick-and-mortar stores, with the company’s software available in all Apple retail stores and in online stores in many countries around the world. The company has just joined Apple’s online stores in Thailand, South Korea and Malaysia.
In addition, a number of promotions are available for Intego products in the US and UK stores. Get a specially priced bundle containing Intego VirusBarrier X5 and NetBarrier X5 in the US Apple online store. And, there’s an additional bonus available for this package: purchase the Intego VirusBarrier X5 & NetBarrier X5 Bundle between 07/28/09 and 12/31/09 and receive $10 off by Mail-In Rebate.
The same bundle is available in the UK store as well, and in all the other European Apple online stores.
Get special multi-seat VirusBarrier X5 family packs, for home users with up to three Macs, or business packs, for small businesses with up to five Macs, in the UK store. (Check other European stores for the same offer.)

In a recent article, we discussed the iPhone’s hardware encryption. Linking to an article on TidBITS, written by Rich Mogull, we relayed his belief that this hardware encryption was reliable. In his article, Mogull says, “Assuming you follow my other recommendations, it’s highly unlikely even a knowledgeable attacker could break into a lost phone and retrieve your data.”
But it turns out that Mogull is wrong, at least according to Jonathan Zdziarski, an iPhone developer and teacher of an iPhone forensics workshop. In a Wired article, Zdziarski is quoted as saying, “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.” He also claims that it is as simple to get data from an iPhone 3G as it was on previous models, and that simple, free software allows malicious users to quickly access data. “Live data can be extracted in as little as two minutes, and an entire raw disk image can be made in about 45 minutes.”
Well, we’re not going to choose sides and get involved in this debate: one security researcher says that the iPhone is secure, and another doesn’t. As in many areas, people do disagree. Perhaps the best advice we can give is not to store any truly confidential data on your iPhone; for example, don’t keep credit card numbers there, because if you lose the phone, whether it takes minutes or hours, a hacker might be able to find that number. Getting physical access to any device, be it a cellphone or a computer, greatly increases the possibility that a hacker will access your data. So don’t lose your phone, and don’t leave anything sensitive on it.

Adobe is in the security news again, as a zero-day Flash vulnerability threatens Adobe Reader, Acrobat and Flash. On Adobe’s security blog, a brief post says that, “Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information.”
According to InfoWorld, “An Adobe spokesman early Wednesday confirmed that the vulnerability was an issue within Flash content that is inserted into a PDF (Portable Document Format) file. Users can drop Flash movies into PDF files, for instance.” InfoWorld also reports that attacks exploiting this flaw have been seen in the wild, as does PC World’s Security Alert blog.
We’ve said it before, but if you need to view PDFs – and who doesn’t – use Apple’s excellent Preview application, which is relatively safe. Adobe’s Reader and Acrobat programs are regularly the source of security issues, and, in most cases, users can get by with Preview. One of the only times they may need an Adobe application is to fill out forms in PDF documents.