Some security issues have been found in the original release of iOS7. Apple has just released 7.0.2 to address the problems.
Full announcement below.
Wayne Billing
Classroom Technology Support
Audio Visual and Classroom Technology Support
130 Machray Hall Building
204-474-6649
204-807-3153 (cell)
204-474-7625 (fax)
Wayne_Billing(a)umanitoba.ca<mailto:Wayne_Billing@umanitoba.ca>
Begin forwarded message:
From: <security-announce-request(a)lists.apple.com<mailto:security-announce-request@lists.apple.com>>
Subject: Security-announce Digest, Vol 10, Issue 23
Date: 26 September, 2013 2:00:23 PM CDT
To: <security-announce(a)lists.apple.com<mailto:security-announce@lists.apple.com>>
Reply-To: <security-announce(a)lists.apple.com<mailto:security-announce@lists.apple.com>>
Send Security-announce mailing list submissions to
security-announce(a)lists.apple.com<mailto:security-announce@lists.apple.com>
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.apple.com/mailman/listinfo/security-announce
or, via email, send a message with subject or body 'help' to
security-announce-request(a)lists.apple.com
You can reach the person managing the list at
security-announce-owner(a)lists.apple.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Security-announce digest..."
Today's Topics:
1. APPLE-SA-2013-09-26-1 iOS 7.0.2 (Apple Product Security)
----------------------------------------------------------------------
Message: 1
Date: Thu, 26 Sep 2013 10:33:46 -0700
From: Apple Product Security
<product-security-noreply(a)lists.apple.com>
To: "security-announce(a)lists.apple.com"
<security-announce(a)lists.apple.com>
Subject: APPLE-SA-2013-09-26-1 iOS 7.0.2
Message-ID: <E44FE6C6-1A57-4F03-8F5A-9DC14B3B09B6(a)lists.apple.com>
Content-Type: text/plain; charset=us-ascii
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-09-26-1 iOS 7.0.2
iOS 7.0.2 is now available and addresses the following:
Passcode Lock
Available for: iPhone 4 and later
Impact: A person with physical access to the device may be able to
make calls to any number
Description: A NULL dereference existed in the lock screen which
would cause it to restart if the emergency call button was tapped
repeatedly. While the lock screen was restarting, the call dialer
could not get the lock screen state and assumed the device was
unlocked, and so allowed non-emergency numbers to be dialed. This
issue was addressed by avoiding the NULL dereference.
CVE-ID
CVE-2013-5160 : Karam Daoud of PART - Marketing & Business
Development, Andrew Chung, Mariusz Rysz
Passcode Lock
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
see recently used apps, see, edit, and share photos
Description: The list of apps you opened could be accessed during
some transitions while the device was locked, and the Camera app
could be opened while the device was locked.
CVE-ID
CVE-2013-5161 : videosdebarraquito
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.0.2".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJSQ2o5AAoJEPefwLHPlZEwmj8P/04PIEJuGhf8hv/IdYIHMLol
chQHK/MXigk+aH9BriQbFpqAyByqyh9x4+6hJeywWdtF7u6SzfbRgBNoPWEZw0d8
VrtVBMi2VeNRTxOJWV+rivA7xA2doxkLSIILHzDVenj8JeNO87q85KsrhRmzmeaa
jUojdE9o/0OGjjF1WuDM4UDGx/TzhpUoqzFR1hSP41g87xsYp/gRTV/R3821lxG6
8sUSeJ4l8qHFQKIUPAxJaSie8JbbK8Yeturix6sMCvYZdougtd7oMV5TxJVZXbC1
ePZUvhfVwuD7y5bFx2VKYvci5oFMgOlNyFZMDrkpM8BF2UsfEmvoHQPLwzYSdXXs
5wY/nwbuKm57Wq8PH0H3hyt4ycH0YB1YqxtY8oPjREJioA6mLHNGs70HFHvf+zjW
7ukGnI7c2efMMjoM0+UCmo03/5Wh8ji0tjrDjvM3gybm8keXH/cZPF13/kihXrs/
M6QVgWWjCO/IqhUh4MGDWzfzCqg+hlNJLAR/r1TocuDb4/NWj/nI2FHIoDIsNYjR
XZ9qw0sIqsTF3nqf3zKhxEtXENEpSnGR7xGJ6xjcy8BCobHn81m7XKpnQFaNBido
C669zPmyF0B6W0LiRmwvCp0Z6ielE0Tu3f9jsikOT/NUEqGFPtBhqR238G1rmHzH
6vDxXI1d8H2uZqoShAaZ
=Nryx
-----END PGP SIGNATURE-----
------------------------------
_______________________________________________
Security-announce mailing list
Security-announce(a)lists.apple.com
https://lists.apple.com/mailman/listinfo/security-announce
End of Security-announce Digest, Vol 10, Issue 23
*************************************************
….from:
http://gizmodo.com/one-huge-reason-to-not-switch-to-android-or-windows-1301…
[cid:5E9208DD-A124-4A7E-8485-84531F7D6E1F@cc.umanitoba.ca]<http://kylenw.kinja.com/>
KYLE WAGNER<http://kylenw.kinja.com/> Thursday 2:00pm<http://gizmodo.com/one-huge-reason-to-not-switch-to-android-or-windows-1301…>
One Huge Reason to Not Switch to Android or Windows<http://gizmodo.com/one-huge-reason-to-not-switch-to-android-or-windows-1301…>
[cid:FAFB100C-495C-48A8-8835-98DD38400F91@cc.umanitoba.ca]
iPhone pre-orders start tonight, and for a lot of people, that means deciding if you want to spend two years (or more) with a phone you've never held. The irony is, if you're not sure you want to commit for the full two years, then the answer is cut and dry: Get an iPhone.
I've been trying to ditch my MacBook Air for an ultrabook for almost a year now. I just can't do it. Not because of Windows 8 or the laptops running it—those are great<http://bit.ly/15QyPXN>—but because I upgrade frequently. In order to do that without living out of a refrigerator box, I re-sell my old laptop to help pay for my new one. And that's kept me buying Apple stuff, even after it ceded ground in build quality and design, because reselling anything that isn't Apple is a losing proposition.
It's been this way for years, of course, and this is the same reason I need a new phone, hate iOS, but hesitate to buy anything but an iPhone. The thing is, right now, Apple's no longer the obvious choice. You don't just go out looking for a new laptop and say, Oh, obviously, MacBook for me, like you did in 2009. Same goes for the iPhone, and to a lesser extent, the iPad. There's real choice now, real competition, but it doesn't matter. No one wants to buy anything fromyou, gently used, unless it's made by Apple.
This isn't opinion. It's fact. We talked with executives from NextWorth<http://www.nextworth.com/> and Gazelle<http://www.gazelle.com/>, two of the largest sell-it-now, sell-it-easy operations out there, who were kind enough to share some data with us. They agreed: Just buy Apple if you're looking to get any cash back from your purchase.
By NextWorth's count, the iPhone 4S and Samsung Galaxy S 2—the two premiere phones you'd be replacing in this two-year contract cycle on Android or iOS—are separated by a wide margin. The 4S retains more than a third of its original MSRP ($197 as of 8/29), while the S2 is down at 13 percent, which is well ahead of all other Android handsets from that generation. Meanwhile, you could have sold your old iPhone 5 for a healthy 36 percent of its initial value, as opposed to just 26 percent for the Galaxy S3. These are expensive products, which means those are big gaps, and again, the Samsung phones are the clear leaders of the non-iPhone pack. Everyone else fares much worse. The HTC One, a basically brand new and awesome phone, only gets you $104 right now.
The individual prices here have shifted in the past few days, following the new iPhone announcement, obviously, but the fundamental calculus will remain in place for the next several product cycles.
Gazelle doesn't paint a much more flattering picture. In fact, looking across the past few years of data, it's Apple in a landslide. Check out this graph from earlier this year:
[One Huge Reason to Not Switch to Android or Windows]SEXPAND
Broken Apple phones actually keep pace with LG's phones, and are only about $50 behind HTC. And Gazelle's current data mirrors what we saw earlier this year, and what Nextworth sees now:
[One Huge Reason to Not Switch to Android or Windows]SEXPAND
"Not only do Apple products hold their value well, but the demand for them is extremely high," Anthony Scarsella, Gazelle's Chief Gadget Officer, told us.
And not by a little. By a lot. "It's a factor of two," says NextWorth's CMO Jeff Trachsel. "Apple products are generally worth about twice as much as other devices at the same period in their lifecycle."
Even more telling is what neither of the vendors is involved in: Windows PCs and laptops. "One issue around them is obviously they don’t hold as much value as a premium Apple product," Scarsella says. "There are a lot of different build configurations and models, and have a lower MSRP. And just the demand for those products, there’s a lot more availability overseas, as well as the US."
Translation: Good luck getting anyone to take that Dell off your hands.
The same goes for categories like Windows 8 tablets (though the Surface is attracting some attention), and until recently, Android tablets, which sell, but are being hindered by their low starting values, which cause a lot of potential buyers to just opt for a brand new device instead.
Why does this happen?
The divide happens for two, maybe two and a half, reasons. First, there are just too damn many of everything but Apple products, and Apple's done a good job of cultivating a "Buy Apple or Buy Something Else" mentality. That's the supply part. The other reason, not surprisingly, is demand. Both demand for the entire Apple "half" of that equation, and just as importantly, demand overseas, where Apple products often aren't as readily available.
If you've ever tried to sell your old PC or laptop, you know that first reason to be true. And that's not because of the quality of hardware anymore (though in the past, that sure didn't help). It's the configurations. "More choice is never a bad thing," you might see shouted on an all caps in an Android or Windows or Linux comments section. Except, that's extremely not true when it comes to resale.
"Personally, I’ve sold laptops online before. You definitely have a different kind of buyer," Scarsella says. "Maybe a more tech-savvy buyer who’s looking for something very specific. With all the models out there, you need to know what you have, and understand the value there." But those buyers are far rarer than the ones who want no part of matching up processor SKUs.
Thankfully, that's already changing. Android phones have seen a nominal amount of consolidation. There are still a ton of phones and tablets coming out, but most of the premium lines have whittled down to just one "hero" phone. Still, that means HTC competing with Samsung competing with Nokia competing LG for space in humanity's brain pans, while at the same time competing with lower-priced Android models. This is how a platform like Android wins the market share war<http://bit.ly/V4sBQ7>, but it's not a recipe for strong resales.
PCs are in the same bind. All the OEMs like Lenovo and Acer and Samsung and Dell are focusing on premium lines with just a few products. And they're really damn nice, too. The Acer S7 11-inch is lust-worthy. Ditto the Samsung Series 9, Lenovo Yoga, and Dell XPS 13. The All-in-One lines are getting there too, running basically neck-and-neck with iMacs now. But they're all still just "Windows laptops" or "Windows desktops" to most folks.
So what should you do?
It'll take years for this dynamic to change. The design and build from Windows and Android and even Windows Phone OEMs is right there. But public perception can trail five or ten years, and even then, without a clear winner (like, say, a Microsoft Surface Laptop<http://bit.ly/UAIJ10>) they'll still have to deal with Spam vs. Apple.
For now, I'm waiting on this next generation of computers. The second generation of ultrabooks was such a massive improvement over the first that it feels like this may well be the year that someone just falls out of bed and makes the perfect laptop. But it'll have to be pretty special to make up for the hundreds of dollars lost to upgrading out of a low-demand piece of hardware. That goes for the phone, too, if I continue to be an idiot and pay full price for a Verizon model to keep an unlimited data plan I don't even need.
Now, a lot of you might not feel the need to upgrade every year, or even every two years. That's fair. But just know that for the millions of people who do sell early, Apple's got a pretty inescapable hook in them.
Apple Inc's stand on JAVA from: http://support.apple.com/kb/HT5648
To help limit exposure to potential Java web app vulnerabilities, try to follow this best practice:
• Enable Java in your web browser only when you need to run a Java web app.
• Confine your web browser only to the websites that need the Java web app. Do not open any other websites while the Java web plug-in is enabled.
• When you are done, disable the Java web plug-in. See How to disable the Java web plug-in in Safari<http://support.apple.com/kb/HT5241>
…from:
http://blog.trendmicro.com/trendlabs-security-intelligence/java-native-laye…
Aug28
Java Native Layer Exploits Going Up<http://blog.trendmicro.com/trendlabs-security-intelligence/java-native-laye…>
11:34 am (UTC-7) | by Jack Tang (Threats Analyst)<http://blog.trendmicro.com/trendlabs-security-intelligence/author/jacktang/>
[cid:C0519326-20FA-4330-B240-0A86DE8287B7@cc.umanitoba.ca]<http://www.facebook.com/sharer.php?u=http://blog.trendmicro.com/trendlabs-s…>
Recently, security researchers disclosed two Java native layer exploits (CVE-2013-2465 and CVE-2013-2471). This caused us to look into native layer exploits more closely, as they have been becoming more common this year. At this year’s Pwn2Own competition at CanSecWest, Joshua Drake showed CVE-2013-1491, which was exploitable on Java 7 running on Windows 8. CVE-2013-1493 has become a popular vulnerability to target in exploits kits such as Blackhole.
To understand why these exploits are becoming more common, some understanding of Java’s architecture is helpful. Java exploits can be divided into two types: Java layer exploits and Java native layer exploits.
[cid:98796DF5-6A2B-4F1C-A93A-1E0B1F3533C0@cc.umanitoba.ca]
Figure 1. Java security model
The above graph shows the Java security model. Java layer exploits target vulnerabilities in the Java layer runtime, which lets applications bypass the Security Manager and call high privilege functions. These exploits have the following characteristics:
* Can be created with less effort, because attackers need not bypass operating system-level protections.
* Are cross-platform (i.e., work with multiple operating systems)
Similarly, Java native layer exploits target the Java native layer runtime. These exploits are harder to create, as they need to bypass OS-level protections like ASLR and DEP. In addition, the skills needed to create native layer exploits are more difficult to acquire.
[cid:55ED4DDE-CA1D-425B-AB86-31A4254F9247@cc.umanitoba.ca]
Figure 2. Timeline of common Java vulnerabilities
In the past, Java layer vulnerabilities were more common, but that is no longer the case. Before 2013, there was a 3:1 ratio of Java layer vulnerabilities to Java native layer vulnerabilities. Starting this year, however, we are now seeing more native layer flaws. Why is this the case?
* A large amount of the vulnerabilities of are present in the Java native layer code. In the June 2013 Java SE Critical Patch Update Advisory, approximately half of all the vulnerabilities fixed were in the Java native layer code.
* Attackers are becoming more skillful in creating exploits. In the past, while there were many native layer vulnerabilities, less exploits were present because attackers did not always have the skill to create the necessary exploits.
This year, however, attackers clearly have the capability to take advantage of native layer vulnerabilities. Two methods of exploitation are becoming more common,
One is to make use of a Java array length overflow to tamper with the java.beans. Statement object’s AccessControlContext member. To do this, the following steps are necessary:
1. Prepare a Java Array object on a heap.[cid:28A07EF0-F21E-4BBC-9F9F-38600A510D56@cc.umanitoba.ca]
Figure 3. Step #1
2. Trigger a Java native layer vulnerability. The array object’s length is overflowed to a very large value.[cid:6EEA4532-7DE9-4175-883A-34377F8299F7@cc.umanitoba.ca]
Figure 4. Step #2
3. An attacker can then use the array object to get or set the following buffer precisely. They can tamper with the following java.beans.Statement object’s acc field, which points to a AccessControlContext object. In general, the acc field will be tampered to point to a full permission AccessControlContext object. This will let arbitrary code be run on the affected system.
[cid:D8AA3DCC-BE0E-4739-906F-239E7BE60BBF@cc.umanitoba.ca]
Figure 5. Step #3
This exploit method requires that both the buffer which can be used to trigger vulnerability and the buffer which needs to be overwritten are in the same heap. It requires some knowledge and skill to ensure that this is the case. In addition to this, information leaks and ROP shell code attacks were demonstrated at Pwn2Own 2013. It gets the module base address by targeting a Java native layer vulnerability and constructing ROP shell code to hijack the execution context. We believe that 2013 will see more similar exploits along these lines.
We urge users to carefully evaluate their usage of Java is necessary and ensure that copies of Java that are used are updated, to reduce exposure to present and future Java flaws.
Update as of 9:28 AM PDT, Sept. 2, 2013
Trend Micro Deep Security provides protection for threats targeting CVE-2013-2465, CVE-2012-4681, CVE-2012-1723 via the following rules:
* 1005598 – Identified Malicious Java JAR Files – 3
* 1004870 – Identified Suspicious Jar File
* 1005093 – Java Applet Field Bytecode Verifier Cache Remote Code Execution Vulnerability
* 1005640 – Oracle Java storeImageArray() Invalid Array Indexing Vulnerability
Wayne Billing
Classroom Technology Support
Audio Visual and Classroom Technology Support
130 Machray Hall Building
204-474-6649
204-807-3153 (cell)
204-474-7625 (fax)
Wayne_Billing(a)umanitoba.ca<mailto:Wayne_Billing@umanitoba.ca>
[NOTE: you can check which version of FLASH (if any) is running on your OS X machine at:
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html ]
….from:
http://lists.apple.com/archives/security-announce/2013/Sep/msg00001.html
* Subject: APPLE-SA-2013-09-10-1 OS X: Flash Player plug-in blocked
* From: Apple Product Security <email@hidden<mailto:email@hidden>>
* Date: Tue, 10 Sep 2013 19:22:10 -0700
APPLE-SA-2013-09-10-1 OS X: Flash Player plug-in blocked
Due to security issues in older versions, Apple has updated the
web plug-in blocking mechanism to disable all versions prior to
Flash Player 11.8.800.94.
Information on blocked web plug-ins will be posted to:
http://support.apple.com/kb/HT5655
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
Wayne Billing
Classroom Technology Support
Audio Visual and Classroom Technology Support
130 Machray Hall Building
204-474-6649
204-807-3153 (cell)
204-474-7625 (fax)
Wayne_Billing(a)umanitoba.ca<mailto:Wayne_Billing@umanitoba.ca>
…from:
http://allthingsd.com/20130911/that-apple-tv-refresh-is-coming-next-week/
That Apple TV Refresh Is Coming Next Week
Peter Kafka
SEPTEMBER 11, 2013 AT 3:00 AM PT
[apple_tv_cook]<http://i1.wp.com/allthingsd.com/files/2013/09/apple_tv_cook.png>Nope, Apple didn’t show off new Apple TV hardware yesterday.
And Apple didn’t talk about new software for its Web video box, either. But it’s still coming.
People familiar with the company’s plans said that Apple TV is scheduled for an internal overhaul on Sept. 18, the same day Apple releases its iOS 7 mobile operating software<http://allthingsd.com/20130910/ios-7-ships-september-18/>.
The one new feature I’m aware of is a tweak to Apple’s AirPlay system. I didn’t do a great job of explaining this before, so here’s another stab: The new software will allow people who have purchased content from Apple’s iTunes store to play that stuff on other people’s TVs, via its AirPlay system.
The key part is that they will be able to tell an Apple TV box they don’t own to stream the media they do own, directly from the cloud. That’s a change from the current system, which requires users to download stuff to their iPhones and iPads and fling it to the TV from there. It also echoes the way Google’s new Chromecast device works.
Hope that makes more sense.
I had thought Apple might have talked about this yesterday<http://allthingsd.com/20130906/apple-wont-introduce-new-apple-tv-box-next-w…>, but Tim Cook and company didn’t mention Apple TV in any way<http://allthingsd.com/20130910/coming-up-apple-expands-the-iphone-family-at…>.
You might assume that this means they don’t think the software overhaul is significant. Or you might argue that they didn’t want to spend much time discussing anything besides their new phones. Note, for instance, that iTunes Radio, which is also in the works, didn’t get any stage time. (Correction: Thanks to several of you who pointed that iTunes Radio did in fact get a brief mention yesterday.)
Wayne Billing
Classroom Technology Support
Audio Visual and Classroom Technology Support
130 Machray Hall Building
204-474-6649
204-807-3153 (cell)
204-474-7625 (fax)
Wayne_Billing(a)umanitoba.ca<mailto:Wayne_Billing@umanitoba.ca>
