Skip navigation

Monthly Archives: September 2007

Apple releases iPhone update 1.1.1

Apple released an update that fixes flaws

  • Bluetooth
  • Mail (2)
  • Safari (7)

The patch is only available via iTunes. iTunes checks for updates regardless where the phone is attached or not and applies the patch the next time the phone is attached.

Earlier in the week, Apple issued a warning about unlocked phones (Apple intends for the iPhone to work exclusively with AT&T’s network). They are releasing software that will allow users to buy music via the network, but when combined with the software used to unlock the iPhone, "will cause irreparable damage".

You can read the whole article .

Vulnerability in Adobe Acrobat

A few days ago, the presence of a vulnerability in Acrobat was disclosed. The source that discovered it is also the same source credited for a few other recent disclosures. Unlike the other cases though, the details about the actual vulnerability were not disclosed.

In an odd turn, many seem to be hung up on why this is being called a Zero Day by gnucitizen.org, when, by definition, an exploit has to exist. Personally, considering the ease at which the vulnerability can be exploited and the "payload" potential of the exploit, I’d rather not wait for an exploit before reacting.

The implications of an exploit of this vulnerability are serious. By "opening" a PDF with the exploit encoded inside, the user is subject to any action desired by the attacking PDF author. In one example, the PDF opened calculator on the local PC. To put this in terms of an attack, "Format C:", or "FTP ftp.exploitsite.com" come to mind. This could make the impact of recent storm worm variants (the ) seem pretty small. PDFs are widely used. After all, they are portable.

What I’d expect to see if a surge of spam containing exploit pdf code, web sites with embedded pdf code, and the likes. The only saving grace is that the details remain secret.

Regrettably, this vulnerability hasn’t got much attention, probably because of the mystery around the details of the exploit. But you can se a story on ZDnet . There is also a YouTube video of the exploit (can’t see the details) .

Interestingly, the gnucitizen.org site is unreachable today. You can see the initial release .

The National Institute of Standards and Technology (DHS and Cert) have added this vulnerability to the . They point out that this is a pre-advisory based on vague information; but claimed by a reliable researcher. That last part is the basis why I think this is worth mentioning.

Unsure what a Zero Day Exploit is? Click .

AOL changes Anti-Virus on all it’s users

Those that frequent this site know how favorable I am to Kaspersky products. AOL, whose AV engine was based on Kaspersky, recently changed to McAfee. This became evident from a PC I was looking at a few days ago. It was dragging badly, and the user reported that this suddenly occurred. The machine was lacking in power, but she had been using the PC in its current state for quite some time. She doesn’t have a broadband connection to AOL Dial-up services made sense to her. The odd thing was that the machine only struggled when it tried to connect to their network. All other dial up connections were sustainable.

I bring this AV change up for a couple reasons. One is that users should know about changes to their PC from service providers. The other is that in MY experience, McAfee is a resource hog. Legacy machines probably aren’t good candidates for this new AOL change.

Microsoft catching flack for “secret” updates

Over the past couple days, Microsoft has been taking heat for updates that are reported occurring behind the scenes; even thought update services have been disabled or configured to require user approval or intervention. Yet, users have reported that the Update Service itself has been updated.

Essentially, the uproar is about changes that have taken place without the user’s/PC-owner’s approval. It lends credence to some discussions about MS doing what they want and to hell with what we want.

Microsoft explains their actions in a report, saying that this "update" (was) is necessary to make sure the user still has the "choice" to receive or not receive updates.

This has some serious implications about what else MS could do to our machines; at-will. The privacy advocates and conspiracy nuts are going to have a field day with this. Right now, the flack is only on board, emails, and blogs. The other shoe will drop when the larger public finds out, and hears messages about why they should care.