Apple has released a new version of Xcode Tools, its suite of developer tools, which contains two security fixes. Version 3.1 patches a buffer overflow that may occur when Core Image Fun House processes “.funhouse” files, and a possible disclosure of WebObjects session IDs. Xcode Tools 3.1 may be obtained from the Downloads section of the Apple Developer Connection Member site. Membership is free for basic developer accounts.
Apple has released version 2.0 of its iPhone and iPod touch software; the former updates a first-generation iPhone to the latest firmware, and the latter updates an iPod touch, providing such features as access to Apple’s new App Store. This update includes thirteen security fixes, for components ranging from WebKit and Safari to JavaScript and more. These updates are only available through iTunes.
Note that, with the iPod touch upgrade being a paid upgrade, it is possible that some users won’t want to spend the $10 for the new features, and will be left with iPods that are susceptible to some serious flaws, such as web site spoofing and cross-site scripting attacks. Apple really should have released a security fix for the previous (1.1.4) version of the iPod touch software; its assumption that everyone will pay for the upgrade puts many users at risk.
Amidst the hoopla of the new iPhone and iPod touch App Store, the release of new iPhone software, and the coming of the 3G iPhone, Apple has released an update for the Apple TV which contains a number of security fixes. This update contains a half-dozen patches for problems such as viewing maliciously crafted images and videos, which can lead to arbitrary code execution. Apple provides the following installation note:
The Apple TV device will automatically check Apple’s update server on its weekly schedule. When an update is detected, it will download it, verify its signature, and install it.
This process may take up to a week depending on the day that the Apple TV device checks for updates. Alternatively, you may manually update your Apple TV using the TV interface by selecting Settings > Update Software.
This update is only available directly to the Apple TV, and will not appear in your computer’s Software Update application, or in the Apple Downloads site.
It’s probably a good idea to check manually for this update, not only for the security fixes, but for the other new features it includes (access to MobileMe galleries, and the ability to pilot an Apple TV with an iPhone or iPod touch using the free Apple Remote application).
Could it be that while issuing security updates for Mac OS X, Apple has forgotten to do the same for the iPhone and the iPod touch? According to a Washington Post article, Apple is four months behind with security fixes for Safari. Reporter Brian Krebs talked to security researcher Charlie Miller, who pointed out that the iPhone hasn’t been updated since February, in spite of a number of security vulnerabilities in mobile Safari. Miller said that he knows of an exploit that can allow an attacker to “steal the victim’s call records or contacts, send text messages or read the user’s sent and received messages, and make outgoing calls, among other things.” Krebs suggests that the delay could have something to do with next week’s introduction of iPhone 2.0, but security issues should still be fixed as soon as possible. By not issuing updates, Apple may be putting its mobile users in danger.

Bogus e-mails purporting to be from Apple have been spotted in the wild. They feature a subject line of “Important : Billing Problem” and an outdated .Mac graphic (if you’ve been following the Mac news, you know that .Mac is becoming MobileMe this month). The messages ask you to update your payment information so your service is not interrupted. The link in the e-mail message takes you to a well-crafted copy of an Apple Store page where you can enter your credit card information, which will be promptly sent on to organized crime minions who will use that number as much as possible.
Remember, you can check the URL behind any link in an e-mail message by hovering your cursor over the link and waiting for a tooltip to pop up showing the URL. And if you do click such a link, you can tell that it isn’t Apple’s web site by looking at the hostname, the part of the address between http:// and the first slash. In this case the hostname belongs to a hacked server; the address merely contains /media/www.apple.com/us/ in its path, after the real hostname, so that a quick glance sees “www.apple.com” and assumes the page is legitimate. In these messages, clicking on the graphic takes you to an actual .Mac page (the Learning Center), perhaps to suggest that if that link is real, then the payment information link is real as well.
Remember that Intego Personal Antispam can protect you from phishing e-mails by spotting when displayed URLs are different from the links behind them. But always check the URL in your browser’s address bar when you click any link expecting to provide credit card information, just to be sure, and look for a padlock in your browser window showing that the connection is encrypted. Bear in mind that the padlock alone proves only that you have an encrypted connection to the site named in the address bar; a phishing site can obtain a certificate for its own domain, so it is the domain name next to the padlock, not the icon itself, that tells you whether you are really at apple.com.
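The two checks described above (is the trusted name really the hostname or merely buried in the path, and does the URL shown as link text match the href behind it) can be automated over the HTML of a suspicious message. The following is an added example written for this post; it is not Intego’s code and is not how Personal Antispam works internally. The sample message, the hostname hacked.example.net, and the list of trusted domains are all constructed for illustration.

```python
"""Audit the links in an HTML e-mail for common phishing tells.

Added example, not part of the original post. Sample HTML and hostnames
below are constructed; TRUSTED_DOMAINS is an assumption about which
domains an Apple billing link should legitimately use."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains a genuine Apple/.Mac billing link is expected to use.
TRUSTED_DOMAINS = ("apple.com", "mac.com")


def host_of(url):
    """Return the lowercased hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def host_is_trusted(host):
    """True only if host is a trusted domain or a subdomain of one.
    The '.' prefix matters: 'www.apple.com.evil.example' must not pass."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def trusted_name_in_path(url):
    """The tell from the post: a trusted hostname placed in the *path*
    (e.g. /media/www.apple.com/us/) so the address looks right at a glance."""
    path = urlsplit(url).path.lower()
    return any(d in path for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return [(href, [findings...]), ...] for each link; an empty list of
    findings means nothing suspicious was detected for that link."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        findings = []
        host = host_of(href)
        if not host_is_trusted(host):
            findings.append("host %r is not a trusted domain" % host)
        if trusted_name_in_path(href):
            findings.append("trusted domain name appears in the path, not the host")
        # Visible text that looks like a URL but whose host differs from the target
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            if host_of(shown) != host:
                findings.append("displayed URL %r differs from link target" % text)
        results.append((href, findings))
    return results


# Constructed sample message: one phishing link of each kind and one genuine link.
SAMPLE_EMAIL = """
<p>Please <a href="http://hacked.example.net/media/www.apple.com/us/billing.php">
update your payment information</a> to avoid interruption of service.</p>
<p>See <a href="https://www.apple.com/support/">www.apple.com/support</a></p>
<p><a href="http://hacked.example.net/login">https://www.apple.com/account</a></p>
"""

if __name__ == "__main__":
    for href, findings in audit_links(SAMPLE_EMAIL):
        print(href)
        for f in findings or ["no findings"]:
            print("   -", f)
```

The hostname test uses a suffix match with a leading dot on purpose: a naive `"apple.com" in host` check would wave through `www.apple.com.evil.example`, which is exactly the kind of address a phisher registers.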
Apple has released the latest update to Leopard, version 10.5.4, which in addition to fixing bugs and resolving problems contains a number of security fixes. A total of 13 vulnerabilities are patched, touching such elements of the operating system as WebKit, Ruby, the SMB file server, and the Dock. This update does not, however, provide a fix for the ARDAgent vulnerability which we recently wrote about. Perhaps it was too close to the release of the 10.5.4 update for Apple to get a fix in for this problem; or maybe Apple hasn’t figured out how to resolve the problem while maintaining Apple Remote Desktop functionality. More information about this update, and download links, are available on this page. As usual, you can download the update using Software Update.
Together with this operating system update, Apple has released a security update for Macs running Tiger (Mac OS X 10.4), Security Update 2008-004, which fixes mostly the same problems as those corrected in Mac OS X 10.5.4. (Download links for this update are available here.) This update is available in four versions: PowerPC, Intel, Server PowerPC, and Server Intel.
Finally, Apple has released Safari 3.1.2 for Mac OS X 10.4.11, which contains one fix for the program’s WebKit framework. Information about this update is available here.
So, whatever Mac or version of Mac OS X you run, fire up Software Update and see what updates are available for you.