The Mac Security Blog

Apple Updates Safari; Security Fix Included

Apple has updated versions 4 and 5 of its Safari web browser to fix a total of 15 flaws, including one that could allow “Safari’s AutoFill feature [to] disclose information to websites without user interaction,” and one where “Accessing a maliciously crafted RSS feed may cause files from the user’s system to be sent to a remote server.” The new versions are 4.1.1 and 5.0.1.

This update also includes a number of other fixes, and turns on Safari’s new extensions feature. The new versions are available via Software Update, or from Apple’s Safari Download page.

Intego Releases VirusBarrier X6 10.6.7

Intego has released an update to its VirusBarrier X6 security program. The latest version, 10.6.7, provides performance enhancements for the program’s real-time scanner, archive scanning feature, and iPhone, iPod touch and iPad scanning. This free update is 24 MB, and users can download and install the new version using NetUpdate, Intego’s global update program.

Critical Bug in Citibank iPhone App

Citibank has issued a warning to users that its iPhone app contains a critical flaw that could expose user information to hackers. This information is stored in a hidden file, and it is simple to access this file on a lost or stolen iPhone. Security researcher Charlie Miller said, “By their statement, I’m guessing that the file isn’t encrypted.” He also pointed out that such data is saved to the host computer that syncs with the iPhone as well, and that computer is probably more at risk than the iPhone itself.

In any case, users of this software should upgrade immediately to the latest version available from the App Store.

Jailbreaking an iPhone Is Now Officially Legal (in the US)

The Library of Congress has issued a statement that allows the breaking of copyright protection in certain cases, as part of the fair use doctrine of copyright law. Among other things, this statement covers the protection applied to a smartphone to limit access to the file system and prevent users from installing software. It is this latter protection that previously denied users the right to jailbreak iPhones.

As the Librarian of Congress says,

Persons who circumvent access controls in order to engage in noninfringing uses of works in these six classes will not be subject to the statutory prohibition against circumvention.

There are six “classes of works” where such circumvention is now allowed:

  1. Movies (or TV shows) on DVDs, protected by CSS.
  2. Computer software used on wireless telephone handsets, for questions of interoperability.
  3. Computer software circumvented to access a specific type of wireless network.
  4. Video games, if such circumvention is performed for testing, security audits, etc.
  5. Computer software protected by dongles which are damaged or obsolete (i.e., no longer compatible with current hardware).
  6. Ebooks that prohibit text-to-speech features on hardware. (Note: there is a discrepancy between the six classes presented in the Library of Congress’s statement and the full document from the Federal Register linked to in the next paragraph. In the latter document, this specific case, the text-to-speech issue, is listed as being refused.)

It is the second class, along with the third, that affects the iPhone and other smartphones. (The complete text of the ruling from the Federal Register is here in PDF form. It addresses the issue of jailbreaking and the iPhone more specifically.)

Apple has issued a statement regarding this decision:

Apple’s goal has always been to insure that our customers have a great experience with their iPhone and we know that jailbreaking can severely degrade the experience. As we’ve said before, the vast majority of customers do not jailbreak their iPhones as this can violate the warranty and can cause the iPhone to become unstable and not work reliably.

We have often stressed that jailbreaking is a risky procedure, irrespective of any warranty issues; it can open up an iPhone or other device to security threats. While it is now considered legal in the US, it still carries a broad range of risks, and we still recommend that users do not jailbreak their iPhones.

Mozilla Re-Updates Firefox, Fixing Bug in Latest Update

Oops! A security update issued last week for the Firefox web browser seems to have had a problem of its own. According to a Mozilla Foundation security advisory, the fix in that update did not fully fix the issue. So you’ll need to download the new version of Firefox and update again. Follow the usual instructions for the update (see our previous post).

Firefox Update Fixes Critical Security Issues

The Mozilla Foundation has issued an update for the Firefox web browser, to fix a number of critical vulnerabilities. Firefox 3.6.7 fixes eight critical security issues, along with two vulnerabilities rated “high” and four rated “moderate”. These fixes are presented here.

Users can use the program’s auto-update feature, or download the latest version of Firefox from this page.