“ikee” iPhone Worm Progeny Not So Harmless

Earlier this week, we reported that the first iPhone worm had been created. It was called “ikee,” and all it did was change the default wallpaper on devices to an image of Rick Astley with “ikee is never going to give you up” printed across the top. It was relatively harmless, if annoying, and the hacker responsible claimed that it was more of a warning than anything else.

Hopefully many heeded that warning, since now a new virus has surfaced that uses the same M.O. as ikee, but that has a much more malicious intent and effect. Specifically, the new malware mines personal data from your device, using the very same exploit ikee revealed earlier in the week.

iTunes 8.2 Update Available Ahead of 3.0 Release; QuickTime Security Flaw Patched

iTunes 8.2 became available for anyone and everyone with a Mac, not just developers, late yesterday. A pre-release version of the update has been available to registered iPhone developers since the release of iPhone OS 3.0 beta 4 a few weeks ago, and is required for those hoping to run the 3.0 software on their Apple handheld devices. The release at this time strongly suggests that iPhone OS 3.0 will go live very soon, possibly immediately following the WWDC keynote speech taking place next week.

Aside from adding support for the upcoming firmware revision, the iTunes 8.2 update also brings the usual stability enhancements and bug fixes, including a security patch involving “itms:” links used to open iTunes locations from the web. Parsing the URLs could lead to a stack overflow or arbitrary code execution, which would allow an attacker to completely take over the iTunes process.

More Mac Viruses, Similar Sources: Time to Worry?

Depending on how closely you stick to the word of the law, you may or may not be aware of the potentially dangerous trojan called “OSX.Trojan.iServices.A” unleashed on some of the Mac community last week via a pirated copy of iWork ’09. The trojan, discovered by Mac security software company Intego, allows the distributor of the malicious software to access and modify the affected system remotely, performing actions such as adding files. Such a vulnerability is potentially fatal to an operating system.

According to Intego’s numbers, more than 20,000 people have downloaded the affected file, a number which also says something about Apple’s ability (or desire?) to curb piracy of its proprietary software. Instructions on how to rid your computer of the virus in case you are among that unlucky 20,000 can be found here, but they can’t take away your shame.

Don’t Trust That Passcode

Ryan Naraine reported over at ZDNet Zero Day on a new iPhone vulnerability which lets anyone have full access to the majority of iPhone functionality despite your clever 4-digit passcode lock.

As mentioned by “greenmymac” and covered by The Register, full access to contacts (and, hence, browser, e-mail, SMS…) is as simple as a press of the “Emergency Call” key from the passcode entry screen, followed by a double-tap on the home button, which – as The Register puts it – “takes the miscreant into favourites…” (why we in the States leave out the “u” is a sad mystery).

As Alex Hutton points out, you can mitigate the threat by disabling the “home button double-tap” feature of your device.

Ryan gave the CVE database a scan and noticed that this is not Apple’s first encounter with this error. CVE-2008-0034, which was identified back in January and fixed in the 1.x series firmware, noted this issue and is yet another sign of Apple’s lack of commitment to security on the iPhone (guess they should have fixed more than just bugs in 2.0.2).

It would be greatly appreciated if any readers in an enterprise configuration (i.e. with a stronger passcode and a centralized provisioning environment) would drop a note in the comments letting me (and other TAB readers) know if you are impacted by this vulnerability as well. All TAB readers are invited to post your thoughts in the comments on Apple’s latest security faux pas.

Microsoft Patches Office, Commits to VBA Support

Microsoft has been busy today, releasing security updates, announcing a new service pack and committing to restoring functionality to their Mac office suite.

Yep, It’s Patch Tuesday Again

Microsoft released security bulletin MS08-014 today that contains a patch to a remote code execution vulnerability affecting Microsoft Office 2004 & 2008 for Macintosh. Office 2004 is bumped up to version 11.4.1 and primarily contains security & stability fixes. Office 2008 bumps up to version 12.1.0 and includes security fixes along with a plethora of other improvements. Both updates are available via Office software update or via direct download from the aforementioned links.

Get Your Red Hot Office 2008 SP1!

Microsoft MacBU announced the availability of Office 2008 SP1 today in conjunction with the security patch. The 180MB download contains over 1,000 fixes including – what apparently was a major annoyance – the return of custom error bars and axis tick manipulation in Excel charts.

The full release notes are available for your perusal. Here are some other SP1 highlights:

Microsoft Office Excel

  • Compatibility. Improved compatibility with files exchanged between Excel 2008 for Mac and Excel 2003 and Excel 2007 for Windows
  • Custom Error Bars. Restored formatting option on the Error Bars panel for data series
  • Printing. More reliable printing for elements on Excel 2008 workbooks

Microsoft Entourage

  • Calendar. Significant enhancements to improve calendar view and all-day reminders with reoccurrence
  • Exchange Server support. Overall improvement to synchronization support, including removing attachments from Exchange Server messages and synchronizing to the server, as well as support for editing the contents of Exchange Server messages via AppleScript and synchronizing the changes to the server
  • E-mail images. Ability to send and view images in Entourage from third-party tools

Microsoft Office Word

  • Printing. Improved accuracy when orienting tables with cell shading
  • Document map. Improved reliability and responsiveness to select items
  • Notebook layout. Updated formatting, recording status and a variety of display options

Microsoft Office PowerPoint

  • Printing. Improvements to eliminate crashing when printing documents to high-dpi printers and increased overall printing speed by 10 times on some large presentations
  • Mobile viewing. Ability to view Mac .PPTX files on Windows Mobile phones
  • AppleScript. Ability to use the PowerPoint selection object in AppleScript to implement custom scripts that operate on the current selection in PowerPoint

Restoring Functionality (& Vulnerabilities)

Microsoft’s MacBU also announced (official press release) the return of Visual Basic for Applications (VBA) support to the next major release of Office for Mac. This is a mixed bag since VBA macros are a juicy vector for vulnerabilities but that same functionality is critical to many business processes that have been developed using the suite.

From the announcement:

Sharing information with customers as early as possible continues to be a priority for the Mac BU to allow customers to plan for their software needs. Although the Mac BU increased support in Office 2008 with alternate scripting tools such as Automator and AppleScript — and also worked with MacTech Magazine to create a reference guide, available at http://www.mactech.com/vba-transition-guide — the team recognizes that VBA-language support is important to a select group of customers who rely on sharing macros across platforms. The Mac BU is always working to meet customers’ needs and already is hard at work on the next version of Office for Mac.

When you install the security update or try out SP1, drop a note in the comments with your experiences and definitely let us and the MacBU know if they didn’t fix any of the issues you were having pre-SP1. Also, if you have any thoughts on the revival of VBA for Mac Office make sure to let us know in the comments as well.

(post updated to fix version errors & links)

Zero Day Exploit For QuickTime Flaw

InformationWeek is reporting that an Italian security researcher has posted an exploit for a zero-day vulnerability in QuickTime 7.3.1 that impacts both OS X and Windows versions of the software. This exploit will allow an attacker to execute malicious code on the target system.

The “researcher”, Luigi Auriemma, describes the exploit as being based on a flaw in QuickTime’s parsing of HTTP error messages and has not provided Apple with advance notice before publishing the proof-of-concept code. Symantec has confirmed that the flaw can produce a Denial of Service, but has not confirmed the remote code execution claim.

As of this post, Apple has not posted a fix to this issue, but here are some steps you can take to protect yourself (via US-CERT):

  • Uninstall QuickTime (OK, kinda extreme)
  • Block the rtsp:// protocol (given how much we love streaming media, not likely either)
  • Disable the RTSP protocol handler (reasonable, depending on your risk tolerance). Mac OS X users can disable the RTSP protocol handler by editing the ~/Library/Preferences/com.apple.LaunchServices.plist file with Property List Editor. Change the LSHandlerRoleAll value associated with the rtsp LSHandlerURLScheme to something other than com.apple.quicktimeplayer. This process can be simplified by using an application such as RCDefaultApp.
  • Disable QuickTime as the RTSP protocol handler on OS X (reasonable…you can pick RealPlayer as an alternative). To disable the RTSP registered protocol handler in OS X, open ~/Library/Preferences/com.apple.LaunchServices.plist and look through a hundred or more entries to find RTSP and change it to something else.
  • Do not access QuickTime files from untrusted sources (duh). Attackers may host malicious QuickTime files on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
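The RTSP handler change described in the list above, as an added example (not code from the original post, US-CERT or Apple). It assumes the handlers sit in a top-level `LSHandlers` array of com.apple.LaunchServices.plist; the replacement bundle ID `com.example.rtsp-disabled` and the sample preferences are constructed placeholders.

```python
import plistlib

# Assumption: handlers live in the top-level "LSHandlers" array of
# com.apple.LaunchServices.plist, one dict per URL scheme.
QUICKTIME = "com.apple.quicktimeplayer"
REPLACEMENT = "com.example.rtsp-disabled"  # hypothetical placeholder bundle ID

def rebind_scheme(plist_bytes, scheme="rtsp", blocked=QUICKTIME, replacement=REPLACEMENT):
    """Return (new_plist_bytes, changes) with `scheme` no longer bound to `blocked`."""
    prefs = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    handlers = prefs.setdefault("LSHandlers", [])
    changes, seen = [], False
    for entry in handlers:
        # Scheme names and bundle IDs are compared case-insensitively.
        if str(entry.get("LSHandlerURLScheme", "")).lower() != scheme.lower():
            continue
        seen = True
        current = entry.get("LSHandlerRoleAll")
        if current is None or str(current).lower() == blocked.lower():
            entry["LSHandlerRoleAll"] = replacement
            changes.append((current, replacement))
    if not seen:
        # No explicit entry: the user file does not override the handler, so add one.
        handlers.append({"LSHandlerURLScheme": scheme, "LSHandlerRoleAll": replacement})
        changes.append((None, replacement))
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML), changes

def handler_for(plist_bytes, scheme):
    """Look up the LSHandlerRoleAll bundle ID recorded for a scheme, or None."""
    for entry in plistlib.loads(plist_bytes).get("LSHandlers", []):
        if str(entry.get("LSHandlerURLScheme", "")).lower() == scheme.lower():
            return entry.get("LSHandlerRoleAll")
    return None

# Constructed sample preferences file (not taken from a real system).
SAMPLE = plistlib.dumps({"LSHandlers": [
    {"LSHandlerURLScheme": "mailto", "LSHandlerRoleAll": "com.apple.mail"},
    {"LSHandlerURLScheme": "RTSP", "LSHandlerRoleAll": "com.apple.QuickTimePlayer"},
]})

if __name__ == "__main__":
    patched, changes = rebind_scheme(SAMPLE)
    print(changes, handler_for(patched, "rtsp"))
```

Run it against a copy of the preferences file and inspect the reported changes before replacing the original; an empty change list means the scheme was already bound to something other than QuickTime.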