The Mac Security Blog


Intego Updates VirusBarrier X6

Intego has released an update to VirusBarrier X6, its malware and network protection program. The latest version, 10.6.6, available via Intego’s NetUpdate, provides a number of performance enhancements and bug fixes, and notably provides full compatibility with iTunes 9.1.1 for scans of the iPhone, iPad and iPod touch.

This free update is strongly recommended for all users of VirusBarrier X6.


Adobe Issues Security Update for Photoshop CS4

Adobe has released a security update for Photoshop CS4 (not the currently shipping version), to correct what the company calls critical vulnerabilities. These vulnerabilities “could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious .ASL, .ABR, or .GRD file must be opened in Photoshop CS4 by the user for an attacker to be able to exploit these vulnerabilities.”

The Photoshop 11.0.2 update corrects these flaws, and also provides other fixes for the program. It can be downloaded here.


iPhone Data Vulnerability: Access iPhone Data from Linux Computer

Data on an iPhone 3GS is supposed to be encrypted, using “highly secure hardware encryption that enables instantaneous remote wipe.” This encryption, which uses very secure 256-bit AES, is supposed to be unbreakable, at least in normal conditions.

Well, it seems this is not the case. Security researcher Bernd Marienfeldt found that this does not work as advertised. He reports the following:

I uncovered a data protection vulnerability, which I could reproduce on 3 other non jail broken 3GS iPhones (MC 131B, MC132B) with different iPhone OS versions installed (3.1.3-7E18 modem firmware 05.12.01 and version 3.1.2 -7D11, modem 05.11.07), all PIN code protected which means the vulnerability bypasses authentication for various data where people most likely rely on data protection through encryption and do not expect that authentication is not in place.

In short, by connecting an iPhone to a computer running Linux, Marienfeldt found that he was able to access some user data, such as “music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents” and more.

Marienfeldt does report, however, that he has been in contact with Apple, and that they are unable to reproduce what he found. There will certainly be more to follow regarding this vulnerability.


Apple Releases Snow Leopard Security Configuration Guide

Apple has released their Snow Leopard Security Configuration Guide, a detailed 272-page PDF that examines all of the built-in security settings in Snow Leopard, Mac OS X 10.6. This is not for novices, however. As Apple points out on the download page:

To use these guides, you should be an experienced Mac OS X user, be familiar with the Mac OS X user interface, and have at least some experience using the Terminal application’s command-line interface. You should also be familiar with basic networking concepts.

Certain instructions in the guides are complex, and deviation could result in serious adverse effects on the computer and its security. The guides should only be used by experienced Mac OS X users, and any changes made to your settings should be thoroughly tested.

So let the reader beware!


Tabnapping: Phishing with Browser Tabs

Aza Raskin of Mozilla has demonstrated a new type of phishing attack that takes advantage of the way people use tabs in browsers. In this attack, a user visits a hacked web page. If they go away from that page for a certain amount of time – either to another tab in their browser, or to another window – the page replaces its content with a page that could be designed to trap users in a phishing scam. Because the user has many browser tabs or windows open, they may return to the page and think that they had been logged out of a certain service. In Raskin's proof-of-concept example, a Gmail page is displayed, but this could be a bogus bank page, PayPal login page, or Amazon.com page.

This proof-of-concept demonstration works in Firefox and Safari (as well as other WebKit browsers), but we have not tested it with other browsers.

For now, there’s no way to indicate that the page has changed, and users should be extremely careful before logging into any webmail, bank or online commerce site page. Make sure to check the URL carefully if you see an unexpected login screen.

Google Adds SSL Search Option for Search Data Security

Just after Apple announced SSL for its MobileMe web apps, Google, not to be outdone, has announced an SSL search option for use with Google searches. If you use the https://www.google.com address to access Google, “an encrypted connection is created between your browser and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party on your network.” Using this address displays not only a padlock in your browser, but also a different logo:

[Image: Google secure search logo]

As with many new Google products, this one has the “beta” label, but this is explained by the fact that:

it currently covers only the core Google web search product. To help avoid misunderstanding, when you search using SSL, you won’t see links to offerings like Image Search and Maps that, for the most part, don’t support SSL at this time. Also, since SSL connections require additional time to set up the encryption between your browser and the remote web server, your experience with search over SSL might be slightly slower than your regular Google search experience.

So if you want to use this new service, make sure to bookmark it; there’s no way to set it as the default search engine with Safari’s Search box. If you use Firefox, or some other browsers, however, you can add this as one of the search engines available from that browser’s search field.