Apple news, part two
Jul 13, 2008 8:23:53 GMT
Post by CharlieChomper on Jul 13, 2008 8:23:53 GMT
Most of these are security-related issues, hence why I wanted to keep them separate. I almost succeeded, save that the new iPhone was released yesterday along with an issue (non-security-related) that arose as a result and as it's an Apple product, I felt it might be better to add it to this thread versus creating an entirely new one just for it.
Edited to add disclaimer: My apologies for the length as I didn't realize at the time I initially wrote this, that it would be quite this long...
That said, I'll start with the iPhone article. This may already be "old news" to some, but for those that haven't heard this yet or know the full extent of what happened, it appears that the release of the new iPhone caused problems for both users of the old iPhone as well as those wishing to purchase a next-generation iPhone. It seems the company didn't entirely learn their lesson last year when the first iPhone was released as what essentially happened, was that the servers became so incredibly overloaded with activation requests (for those who own/owned the first-generation phones, it was required to de-activate the old phone by way of the same servers="bricked" iPhones, since it wasn't possible to try and activate the new phones and the old phones became unusable). Oddly enough given Apple's earlier claims, those with the new phones were told they should be able to activate their phones through iTunes for whenever the servers come back online (anyone having problems accessing or had noticed problems with iTunes, that's also the reason why).
I mention this as odd due to Apple's earlier stating that this would not be possible to attempt, in light of the company's attempts to keep anyone from attempting to "unlock" the new phone the way they were able to with the old phones as well as by claiming the only way the new phones supposedly even could be activated was at the shops they were purchased in.
So far, incidentally, I just read today that a few people--despite Apple claiming it would be impossible and that they had taken measures to prevent it--did manage to "unlock"/hack (in the true sense of the word--not the malicious misuse of it) the new iPhones already, despite this only being the second day of their being out.
However, getting to the security-related issues and starting with Mac OS X, anyone who may have previously thought that Trojans and malware or that attempts to take over and "root" a computer were limited to Windows may want to reconsider that thinking. There currently exists a very serious vulnerability involving AppleScript (so far, it's been confirmed that both OS X "Tiger" and OS X "Leopard" are both vulnerable--the security researchers are still investigating just how far back this problem actually goes, however). Unfortunately, as with most vulnerabilities, some of the more malicious-minded out there have already released a trojan that would allow someone to get in and take over the computer, essentially "rooting" it.
As though that weren't enough, it's been discovered that there currently is another trojan on the loose also targeting OS X. The second works by the user opening up a poker program on OS X (specifically, a game called Ace in the Hole). From there, they're prompted for their password, claiming that there was a "corrupt preference file" detected. The trojan then takes complete control over the user's computer.
Admittedly, this vulnerability wasn't made public until mid last month--well after it was discovered and confirmed and Apple being made aware of its very existence, as is the standard procedure and protocol of the security groups, however, as well as given enough time to release an update or patch to potentially fix the first exploit. Both Trojans were first announced nearly a week later, with the first vulnerability apparently having begun (given current evidence) development by the more maliciously-minded sometime in mid-May (long before it became publicly known...).
Initially, at least, with the AppleScript vulnerability, it was given a "low" rating for risk of a vulnerability as most of the observers assumed at the time, given the nature of it, it would have been limited to just someone who had physical access to the computer. Instead, due to the trojan that exploits it, the rating has been raised to the current highest threat level and the other trojan currently carries a high given both the nature of it as well as the means by which it can spread.
Currently, there is no way to remove either of the trojans if a system becomes "infected" or "compromised" without resorting to a complete reformat/reinstall (as is usually recommended in the event of a system becoming "rooted"--this goes for most other operating systems as well as it's the only "guaranteed" way to ensure that whomever took control of the computer doesn't retain it as it's often impossible to know the full extent of the damage. Sadly, it can also sometimes mean saying farewell to one's files for that same reason).
For those wanting to read some basic information about both trojans (complete with screenshots for the second one), you can do so here.
Onto the second issue (although, not security-related nor is it limited to OS X). For those unaware, OS X is actually built on a free, open source member of the Unix family known as BSD (in fact the developers of OS X were or still are also BSD developers). One of the developers of a variant of BSD called OpenBSD, in searching for the source of a bug the project had been contacted regarding, came to find that the bug was 25 years old. How this affects OS X is that this same bug was confirmed to exist in all variants of BSD--including OS X. The "fix" for it, however, happened in a period of less than a few days for OpenBSD and other variants of BSD--it's not clear as to whether or not it has been (or will be) fixed or addressed by Apple yet, however.
The next two articles actually involve Safari with respect to Windows and a security vulnerability it has created for users of both XP and Vista which can cause what's known as a "carpet bomb" (it allows attackers to "litter" the desktop with scores of executable files). The problem was initially thought to be limited to a vulnerability introduced with Safari as well as its effect on IE (in combination with IE-related exploits, this same attack can cause the attackers to potentially run unauthorized software in Windows without the victim's consent or being able to stop them). It has since been confirmed that this same Safari vulnerability also appears to be affecting Firefox users (users of any 2.0 build as well as the new 3.0 build--on a related note, expect to see an update to FF3 coming soon).
For Microsoft's part, they did release a security warning and advisory as early as the end of May and had begun work on a patch that should have been released. Apple, however, initially refused to patch this vulnerability. After it gained enough widespread attention and ire directed at them, they did release a patch--however, it didn't appear to completely resolve the problem and it is still very possible, it seems, for an attacker to try and use such an attack on anyone using or who even just has Safari installed. Needless to say, there are a number of people within the tech/techie community (this includes those involved in security matters) who are very angry about this and the possible risks it puts upon users.
Given the situation and issue, Microsoft has released a warning to Windows users not to use Safari while the Mozilla group has been very hard at work on addressing the matter from their end--at least, with respect to Firefox3 (they're recommending users of FF2 to upgrade to 3, if they haven't done so already for when their solution to the problem or updates is released).