flaw

Laptop nightmares: Scary systems with fatal flaws

The Halloween season may be winding down, but that doesn't mean there aren't still plenty of scary laptops out there. Of course, the vast majority of laptops we review are pretty decent examples of technology. After all, there are only a handful of common components used in most systems, and things such as speed and battery life are, if not standardized, at least largely predictable based on the list of what's inside the box.

That said, we occasionally run into a laptop that just rubs us the wrong way. Maybe it's a key missing feature, or terrible design, or an unusable touch pad--or sometimes products simply don't work as advertised. We've compiled our own list of the scariest laptops of 2010, the models that either had one or more frightening flaws, or else were just dogs. …

Apple to fix iPhone security flaw in next iOS

Apple has acknowledged a newly-discovered security flaw in the iPhone and is promising to offer a fix with next month's release of iOS 4.2.

The new flaw allows someone to access the phone dialer on a locked iPhone by punching a certain sequence of buttons, thereby giving them the ability to make phone calls, send e-mails, and access the address book. Confirmed by Wired Magazine, the Boy Genius Report, and other online sources, the flaw was reportedly first discovered and posted by a user on the MacRumors online forum on October 22.

Bypassing the lock requires someone to …

Microsoft, Adobe: PDF security flaw treatable

Microsoft and Adobe Systems have announced that a recently released Microsoft toolkit can be used to block zero-day attacks targeting a security flaw in Adobe's Acrobat and Reader programs.

In an advisory published Friday, Microsoft detailed how its Enhanced Mitigation Experience Toolkit 2.0 could be used to short-circuit the threat. Adobe, which has not yet released a patch, updated its original advisory to reflect the new information.

Adobe considers the flaw to be "critical"--it could let an attacker take control of any of the millions of computers running what is far and away the most …

Microsoft warns about application security flaw

Microsoft issued an advisory on Monday about a security issue that could leave many Windows applications vulnerable to attack.

The advisory deals with a type of attack mechanism known as DLL preloading, or binary planting. Although the attack mechanism is not new or entirely unique to Windows, Microsoft acknowledged that there appears to be a new remote-attack vector that could allow more systems to be attacked quickly.

Two researchers at the University of California at Davis published a paper earlier this year on how programs that were vulnerable could be automatically detected. In recent days, security expert and Metasploit creator …

Apple releases iOS patch to fix PDF security flaw

Apple has quickly released a patch for the recently uncovered security flaw with how Mobile Safari handles PDF files in iOS 4.0.1 and earlier for the iPod Touch and iPhone, and iOS 3.2.1 and earlier for the iPad.

The iPhone Dev Team uncovered the flaw and released software that took advantage of it to jailbreak iOS devices when you visit its Web site.

A week ago, CNET reported that Apple was preparing a fix, but there was no mention of when Apple would release it.

The update to fix this problem should now be available via …

Apple's ally: Engineer says Consumer Reports study flawed

As iPhone 4 hits seem to keep piling up, Apple finds a friend in an electromagnetic engineer and self-described "mobile topic expert" who claims that Consumer Reports failed to provide a truly scientific test of the antenna issues facing Apple's iPhone 4.

Bob Egan, now a technology blogger and global head of research & chief analyst at the TowerGroup, claims that the Consumer Reports study, which had the popular independent customer advocacy group unable to recommend purchasing the iPhone 4, has many inherent flaws and can barely be counted as scientific.

Egan writes, "Bottom line. From …

Cisco warns of 'highly critical' SIP flaw

Cisco Systems has issued a range of security advisories giving details of 11 vulnerabilities in IOS, the operating system on which many of its products run.

One of the vulnerabilities, described as "highly critical," could lead to a hacker compromising the affected system or launching a denial-of-service attack against it. The advisories, issued Wednesday, are part of Cisco's twice-yearly schedule of security updates for IOS.

The highly critical vulnerability affects IOS version 12 devices running SIP, a protocol used by many businesses to set up and tear down voice and video calls. IOS version 12 is widely …

Mozilla patches critical flaws

Mozilla has released fixes for five security holes in older versions of Firefox, while a security company has warned of a zero-day flaw in the latest version of the popular browser.

Mozilla issued patches Wednesday for versions 3.5.8 and 3.0.18 of the browser, sending out fixes for the latter even though it had said it would stop supporting Firefox 3.0 in January. In its security bulletin, the company said the vulnerabilities had previously been resolved in Firefox 3.6, which was launched on January 21. The five flaws addressed by Mozilla included three the company …

Zero-day flaw found in Web encryption

A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt Web pages, has been made public.

Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for Web transactions.

Ray, who works with Dispensa at two-factor authentication company PhoneFactor, explained in a blog post this week that he had initially discovered the flaw in August and demonstrated a working exploit to …

Windows 7, Vista zero-day flaw reported

Microsoft said on Tuesday that it is investigating reports of a zero-day vulnerability affecting Windows 7 and Vista.

The flaw in Windows 7 could allow an attack which would cause a critical system error, or "blue screen of death," according to researcher Laurent Gaffie.

Gaffie wrote in his blog that the flaw lies in a Server Message Block 2 (SMB2) driver.

"SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality," wrote Gaffie in a blog post Monday.

Gaffie said he had contacted Microsoft. Comments on his blog by other users said …