Apple has released a new version of Xcode Tools, its suite of developer tools, which contains two security fixes. Version 3.1 patches a buffer overflow that may occur when Core Image Fun House processes “.funhouse” files, and a possible disclosure of WebObjects session IDs. Xcode Tools 3.1 may be obtained from the Downloads section of the Apple Developer Connection Member site. Membership is free for basic developer accounts.
Apple has released version 2.0 of its iPhone and iPod touch software; the former will update a first-generation iPhone to the latest firmware, and the latter will update an iPod touch, providing such features as access to Apple’s new Apps Store. This update contains thirteen security fixes, for items ranging from WebKit to Safari, JavaScript and more. These updates are only available through iTunes.
Note that, with the iPod touch upgrade being a paid upgrade, it is possible that some users won’t want to spend the $10 for the new features, and will have iPods that are susceptible to some serious flaws, such as web site spoofing and cross-site scripting attacks. Apple really should have released a security fix for the previous (1.1.4) version of the iPod touch software; their assumption that everyone will pay for the upgrade puts many users at risk.
Amidst the hoopla of the new iPhone and iPod touch Applications Store, the release of new iPhone software, and the coming of the 3G iPhone, Apple has released an update for the Apple TV which contains a number of security fixes. This update includes a half-dozen patches for things like viewing maliciously crafted images and videos, which can lead to arbitrary code execution. Apple provides the following installation note:
The Apple TV device will automatically check Apple’s update server on its weekly schedule. When an update is detected, it will download it, verify its signature, and install it.
This process may take up to a week depending on the day that the Apple TV device checks for updates. Alternatively, you may manually update your Apple TV using the TV interface by selecting Settings > Update Software.
This update is only available directly to the Apple TV, and will not appear in your computer’s Software Update application, or in the Apple Downloads site.
It’s probably a good idea to check manually for this update, not only for the security fixes, but for the other new features it includes (access to MobileMe galleries, and the ability to pilot an Apple TV with an iPhone or iPod touch using the free Apple Remote application).
Macworld has just published a review of VirusBarrier X5. They point out that the program is, indeed, simple, fast and non-intrusive, and the author of the review especially likes the program’s performance:
This antivirus program scans files very quickly and, perhaps more important, with very little impact on your Mac’s resources.
And…
VirusBarrier performed well. It found all the test viruses on my Mac, including some Windows-only viruses; logged everything; and dealt with the test viruses quickly and appropriately.
And the review sums up the program very well: “If you’re in the market for a fast-working antivirus program, VirusBarrier X5 (10.5.2) is the gold standard.”
Security researchers have gotten together for a rare concerted effort in issuing patches to fix a security flaw in the DNS system, the addressing scheme used to convert numerical IP addresses into names. As CNet reports, “Currently, it may be possible to guess these transaction ID values in advance and assert a malicious server as the authoritative DNS server for a popular bank or e-commerce site.”
Vendors of DNS servers have begun issuing patches, and vendors of DNS clients have been contacted. In addition, vendors in countries other than the US will be contacted via their country’s computer security organizations. The vulnerability will be made public in one month, so all those working with DNS servers and clients will have to patch their hardware by then. However, the article does not state what will happen if such devices are not patched, or whether users will have any way of knowing that they are using insecure DNS servers.
Intego has created a page on YouTube, which contains links to four video tutorials for its software. The YouTube page lets you view these videos, and subscribe to the page, so when we add more videos you can be alerted.
You can get to the individual videos via the following links: Intego VirusBarrier X5, Intego Personal Backup X5, Intego ContentBarrier X4, and Intego Personal Antispam X5. Check them out, and, if you like what you see, go to the Intego website where you can download fully-functional demos of the programs, and purchase them online, immediately.