Skip to content

Posts tagged ‘update’

1
Jun

Mac OS X Security Update 2011-003 adds MACDefender Protection [Updated]

Apple has released Security Update 2011-003 for Mac OS X 10.6 which updates the system’s built in ‘File Quarantine’ (aka. XProtect) mechanism to detect and remove OSX.MacDefender.A. More significantly, however, Apple has now enabled the ability for File Quarantine to receive daily updates to to its malware definition list, essentially giving Mac OS X a very simplistic built-in anti-virus. Now it’s just up to Apple to actually update the malware definitions list on a regular basis.

In System Preferences > Security > General, users can choose whether or not they want to “Automatically update safe downloads list”. I’m not sure “safe downloads list” is the best name for it however, as it doesn’t really help users understand what its purpose is. I highly recommend keeping this option checked. Note that the screenshot below is not a recommendation of what your preferences should look like, it’s merely highlighting the new option. For more into about configuring your Security settings check out Securing Leopard: Security, FileVault and Firewall (to be updated with this new setting shortly).

[Updated 01/06/2011] As I wholly expected, a new variant of MACDefender is already out in the wild that does not get detected by OSX’s File Quarantine. As File Quarantine is simply a blacklist of known malware, it does not have the ability to pick up on malware it doesn’t recognise. This will be a good test to see how quickly Apple responds and updates the File Quarantine definitions. If you installed the 2011-003 security update then your system is already set to check for new updates every 24 hours. Browse safe out there.

[Updated 02/06/2011] Apple has already updated the File Quarantine definitions for the latest MACDefender variant (OSX.MacDefender.C). Pretty good response time by Apple!

5
May

iPhone/iPad iOS 4.3.3 Fixes Location Tracking Bugs

Following the recent over-hyped “location tracking scandal“, Apple has released iOS 4.3.3 which fixes bugs in the Location Services on iPhone and iPad devices that caused them to store excessive location information. As detailed by Apple’s Q&A on Location Data, the location data stored on iOS devices (and backed up by iTunes) are merely a subset of Apple’s crowd-sourced location database of Wifi hotspots and cell towers, used to facilitate Location Services when GPS is unavailable or unreliable. The bugs were causing iOS to download this location cache even if Location Services were turned off, and to store the cache indefinitely, instead of being regularly purged.

This update contains changes to the iOS crowd-sourced location database cache including:

  • Reduces the size of the cache
  • No longer backs the cache up to iTunes
  • Deletes the cache entirely when Location Services is turned off

It’s nice to see Apple resolve this issue so swiftly, and these changes will help improve the privacy of iPhone and iPad users, regardless of whether they use Location Services. The only thing I would have added if I were Apple, is the ability for the user to clear the location cache in the device settings. It’s a button that could be easily added in Settings > Location Services.  Just sayin’!

6
Apr

WordPress 3.1.1 Patches Minor XSS Flaws

WordPress have released a minor 3.1.1 update which patches an XSS flaw on the database upgrade screens. The change log also mentions a strengthening of security mechanisms relating to media uploads, and fixes to potential PHP crashes caused by complex hyperlinks. The update also includes a number of other security and bug fixes.

It’s a fairly minor update that shouldn’t break any plugins. Update when ready.

24
Feb

WordPress 3.1 Released

WordPress “Reinhardt” 3.1 has been released, with the bulk of changes focused on the admin interface and functionality. Key improvements include:

  • A redesigned linking workflow
  • A funky new admin bar (hopefully it’ll be possible to customize this one)
  • A streamlined writing interface

I particularly like the new linking functionality, which simplifies linking to internal posts and pages on your site (screenshot below). No more having to find that page, and copy/paste the URL!

I was a bit apprehensive about updating, as it’s quite easy for plugins to break, and there’s no easy way to see the compatibility status of your plugins. If anyone feels up to it, I’d like to see a plugin that allows you to quickly check the compatibility status of all your installed plugins with regard to the next available version. That said, I updated, and it went flawlessly.

Other than that, this update does not have a significant impact in terms of security apart from the usual bug fixes.

8
Feb

WordPress 3.0.5 Update Fixes Security Issues

WordPress 3.0.5 has been released, and is primarily a security update focusing on vulnerabilities which can be exploited through untrusted user accounts. This follows the recent 3.0.3 and 3.0.4 updates which were also security-focused. If your WordPress installation does not have any non-admin users, then this update is less urgent, however it is recommended that you update as soon as possible anyway.

Here is a description of the five main updates:

Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.

One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.

Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in previous release.

WordPress 3.1 is currently at RC4 and is expected to be officially released soon.

30
Dec

WordPress 3.0.4 Patches XSS Flaws in HTML Sanitation Library

WordPress have released an update (3.0.4), dubbed “the most important security release of the year”, that patches a core security bug in the HTML sanitation library (KSES). KSES is responsible for filtering user input and, as such, is used to protect WordPress sites from attacks such as Cross-Site Scripting (XSS). XSS vulnerabilities were discovered, however the details of these are not available (see below).

They rate this release “critical”, and so it’s recommended that all WordPress sites update as soon as possible. The full changeset for the 3.0.4 update is here. Security researchers are invited to review these changes to ensure the vulnerabilities have been fully fixed. Spread the news if you have any friends with a WordPress blog!

[Updated] One stored XSS exploit for 3.0.3 is available here.

23
Nov

iOS 4.2.1 Released with Free “Find My iPhone”

Apple has finally released the highly-anticipated iOS 4.2 (actual version is 4.2.1), bringing support for the iPad along with several other feature including AirPlay and AirPrint.

Along with this release, Apple has made the “Find My iPhone” functionality in MobileMe free to all iPhone, iPad and iPod Touch device owners. This service uses a combination of GPS, cell tower and wifi-network triangulation to obtain the location of the device, which can then be mapped. It also allows you to send messages, lock or completely wipe the remote device. To use this feature, you’ll need add a MobileMe account using your iTunes Apple ID by going to Settings > Mail, Contacts, Calendars > Add account. You can then track your device using the Find My iPhone app available in iTunes, or using the MobileMe web interface.

Users concerned about the privacy implications of this feature can easily disable it by going to Settings > Mail, Contacts, Calendar > Select your MobileMe account > Set ‘Find My iPhone’ to Off. Have a look at Apple’s KnowledgeBase article for more info on this feature.

iOS 4.2.1 brings with it a number of security updates (including Safari and numerous WebKit patches). Although it’s not mentioned in the update details, the previously-reported cool-but-deadly keylock bypass vulnerability has been fixed. Hit the jump for full details.

Related: Protecting and Recovering Your iPhone and iPad from Loss and Theft!

Read moreRead more

23
Nov

Adobe Reader X Brings Sandboxing with Protected Mode

Adobe recently released Adobe Reader X, the latest incarnation of their PDF viewer software. Over a year after Adobe’s promised ‘security push’ into Reader, and numerous vulnerabilities, exploits and malware, this version finally brings the hotly discussed sandboxing feature.

The sandboxing, or Protected Mode as Adobe call it, would restrict PDFs to an extremely limited running environment. Initially the sandbox will control any write operations attempted by PDFs, to try and prevent malware being written to disk. A later update is expected to bring ‘read’ control as well, to prevent information stealing.

Although this is a good step forward for Adobe Reader, it remains to be seen whether any of their changes will be effective at mitigating vulnerabilities that attempt to read/write directly from memory. It’ll be interesting to see what kinds of vulnerabilities will come out in the coming months.

Either way, Adobe Reader X brings a number of security fixes and improvements, and is thus a recommended update.

23
Nov

BackTrack 4 r2 “Nemesis” Released

[Update 10/5/2011] BT4r2 is now superceded by the new and improved BackTrack 5!

BackTrack 4 r2 (codename “Nemesis”) has been released and brings a number of updates aimed at improving “desktop responsiveness, better hardware support, broader wireless card support, streamlined work environment”.

Updates include an updated kernel (2.6.35.8) with improved wireless support, USB 3.0, faster responsiveness, pruned and new packages, and a new BackTrack wiki for more documentation and support.

Users with existing BT4 installs/VMs can simply perform an update using:

apt-get update && apt-get dist-upgrade

BackTrack 4 r2 is available as a 2GB ISO, or 2.4GB VMWare image, on the downloads page (the BT4 download links appear to have been removed in favour of BT5).

8
Sep

Safari 5.0.2 Update Fixes WebKit Bugs

Apple has released Safari 5.0.2 and 4.1.2 updates for Mac OS X and Windows which fix issues in both Safari and WebKit (the browser’s rendering engine).

The first issue, which only affects Safari on Windows systems, may lead to code execution if the user attempts to reveal the location of a downloaded file. The other two vulnerabilities include an input validation issue in WebKit’s handling of floating point data types, and a use-after-free issue in WebKit’s handling of elements with run-in styling. Both of these could be used to perform arbitrary code execution.

These two updates should be available in Software Update.

Hit the jump for Apple’s full patch info.

Read moreRead more

css.php