Tag Archives: iPhone

Apple Releases iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod touch

Filed under Security Advisories
Apple has released iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod touch to address vulnerabilities in the CoreAudio, ImageIO, Recovery Mode and WebKit packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or obtain sensitive information.

US-CERT encourages users and administrators to review Apple article HT4013 and apply any necessary updates to help mitigate the risks.

App Store is the next big target for cyber crooks

Filed under Security News
Experts say that the next frontier for writers and distributors of malicious software is the smartphone market, which is growing at a rapid pace and is not adequately secured.

Nick Jones, an analyst at research firm Gartner, told Secure Computing magazine that Apple's App Store is a likely target for malware purveyors. "There is no way that Apple can afford to inspect the code of every application that goes onto the App Store. They do some lightweight inspection and testing, it goes up on the App Store and there is not a lot to stop it doing something malicious," said Jones.

Secure Computing writes that the App Store has served more than a billion downloads since its launch in 2008, and that 100,000 applications have been approved for distribution via the popular service. Enterprises have little control over the security of iPhones being used for business because they are frequently purchased by employees for both business and personal use.

The first iPhone malware vector has been different, with worms afflicting jailbroken iPhones with a variety of symptoms ranging from simple harassment to attempted identity theft.

Want to secure your iPhone against intruders? There’s an app for that

Filed under Security News
Cisco Systems today released a free iPhone app that will allow users to receive security updates and the latest news on web threats, as well as aggregating additional security related content for iPhone users.

According to CNET security correspondent Elinor Mills, the app will draw on data from Cisco's Security Intelligence Operations (SIO) system, which itself collects real-time information from 700,000 sensors located at important locations throughout the internet. Mills says that Cisco uses this data to detect spam campaigns and various types of malware attack.

The SIO To Go app will also allow users to investigate websites and email addresses from their iPhones, comparing the data to watch lists maintained by Cisco's SIO. Cisco executive Marie Hattar said that "[the app] improves the means by which IT departments are alerted to threats, and it provides added confidence and device flexibility as Cisco customers are shielded from these breaches."

Jailbroken iPhones have made security headlines in recent weeks as malware programmers exploited loopholes to create the first two iPhone worms found in the wild.

Not just a Rick roll anymore: Second iPhone worm does the damage

Filed under Security News
In the wake of last weekend's ikee iPhone worm - which switched the background pictures of jailbroken iPhones to a picture of Rick Astley - iPhone-Privacy-A has struck, and its payload is much more harmful than a mere internet prank.

UK-based tech site The Register reports that the worm was first discovered by computer security firm Intego, which specializes in Mac-based threats. "When connecting to a jailbroken iPhone, this tool allows a hacker to silently copy a treasure trove of user data from a compromised iPhone: email, contacts, SMSs, calendars, photos, music files, videos, as well as any data recorded by any iPhone app," Intego told The Register.

Both ikee and iPhone-Privacy-A exploit the same weakness in jailbroken iPhones: a default password that many users leave unchanged for the secure shell (SSH) remote access service on devices modified to use networks and software they were not originally designed for.

As the mobile broadband market becomes more and more important to the tech industry, malware attacks against smart phones are expected to rise, according to analysts.

New iPhone worm is never gonna give you up

Filed under Security News
Apple partisans routinely tout their ostensible immunity to the majority of computer threats, but a new worm that targets user-modified iPhones may make their faces as red as Rick Astley's hair.

The worm, known as ikee, is not thought to be particularly malicious - its only purpose seems to be to change the iPhone's background to a picture of cult singer Rick Astley and display the message "ikee is never gonna give you up." The worm is thought to be related to a popular internet prank, where users expecting certain content are redirected instead to a YouTube video of the singer's hit song "Never Gonna Give You Up."

The malware appears to work only on iPhones that users have "jailbroken," or made usable on networks other than Apple's partner AT&T. A device on which the user has installed the usual Unix secure shell (SSH) but not changed the password is vulnerable to ikee.

An unemployed Australian programmer, Ashley Towns, is said to be responsible for creating ikee. In an interview with an employee of his ISP, Towns said that the intent of ikee was to demonstrate vulnerabilities in jailbroken iPhones.

iPhone security flaw: deleted emails not really deleted

Filed under Security News
A blogger at the gadget site Gizmodo has uncovered a potential email security flaw in iPhone OS 3.0. After deleting emails it is still possible to recover them using the search function, even though the emails no longer appear in the main mail interface, the site reported.

A purported Apple insider told Gizmodo that the company is aware of the issue and would probably have a fix for the flaw in iPhone OS 3.1.

The problem with being able to access emails that were supposed to have been deleted is that a user could accidentally open old messages containing links to malware or malicious attachments that could be used to hijack the iPhone.

Security firm Trend Micro recently surveyed iPhone users and found that they are more likely to send and receive email as well as click on URLs in email or open an email attachment than other smartphone users.

Nearly half of the iPhone users surveyed (44 percent) said surfing the web from their phone is as safe or safer than from a PC, despite the fact that many do not have security software on the phone.

Other iPhone security risks have been uncovered by hackers, including the ability to take over the iPhone to steal data or send out spam using a maliciously crafted text message.

Black Hat: Hacker exposes iPhone SMS flaw

Filed under Security News
At the Black Hat 2009 security conference in Las Vegas, a professional hacker and security researcher exposed a flaw in Apple's iPhone 3GS that could allow a hacker to crash the phone or hijack it as part of a botnet.

Charlie Miller, an authority on Mac OS X security and the co-author of The Mac Hacker's Handbook, said an SMS flaw could allow an attacker to use text messages to remotely execute malicious code to hijack the device or cause it to crash.

Miller, who had discussed the iPhone security bug at a security conference in Singapore earlier this month, said previously he was able to use a vulnerability in the way the iPhone receives text messages to remotely crash the phone.

He said hackers could theoretically exploit the vulnerability to monitor the location of the phone using GPS, turn on the phone's microphone to eavesdrop on conversations or hijack the phone as part of a botnet to send SMS spam or launch distributed denial-of-service attacks (DDoS).

Miller also warned that "jailbreaking" an iPhone to add software or capabilities not offered by Apple leaves the device vulnerable to hacking and viruses.

"If you care about security, don't use a jailbroken iPhone," Miller said.

iPhone may be vulnerable to SMS security flaw

Filed under Security News
Apple's iPhone 3GS may have an SMS flaw that could allow an attacker to remotely execute malicious code or hijack the device as part of a botnet, security researcher Charlie Miller said last week at a network security conference in Singapore, according to IDG News Service.

Miller, an authority on Mac OS X security and co-author of The Mac Hacker's Handbook, said he was able to use the vulnerability in the way the iPhone receives text messages to remotely crash the phone. Miller said he reported the vulnerability to Apple.

He said hackers could theoretically exploit the vulnerability to monitor the location of the phone using GPS, turn on the phone's microphone to eavesdrop on conversations or hijack the phone as part of a botnet or to launch distributed denial-of-service attacks, IDG News reported.

Miller also warned that "jailbreaking" an iPhone to add software or capabilities not offered by Apple leaves the device vulnerable to hacking and viruses.

"If you care about security, don't use a jailbroken iPhone," Miller said, according to IDG News.

Apple iPhone OS 3.0 activations crash iTunes server

Filed under Security News
The mad grab for the newest version of Apple's iPhone won't begin in earnest until the iPhone 3G S is released on Friday. But a flood of current iPhone users looking to download the newest operating system, iPhone OS 3.0, crashed the activation server at the iTunes store on Wednesday.

Apple simultaneously released patches for 46 security vulnerabilities in OS 3.0 which, if left unpatched, could allow hackers to execute malicious code through maliciously crafted images or PDF files.

After the operating system became available for download on the iTunes online store, many users reported being able to successfully download the upgrade, but were unable to activate the OS on their phones.

Disgruntled users received an error message that the iPhone activation server was temporarily unavailable.

The update is available for free for owners of the original iPhone and iPhone 3G, but iPod Touch owners have to pay $9.95 for the update. However, security experts warned that Touch users should get the upgrade to fix security holes in its operating system that were patched yesterday.