Security

A leading Mac OS X researcher says Apple has not kept the iPhone operating system up to date with patches it has issued for the desktop.

The iPhone runs a stripped-down version of Mac OS 10.5 and automatically checks for security updates. The last update for the phone, 1.1.4, was issued in February.

That means iPhone users are still vulnerable to a flaw discovered by Charlie Miller in March.

During the CanSecWest conference, Miller found and used a buffer overflow in Safari in the Apple WebKit to win a $10,000 "Pwn to Own" contest. … Read more

Google released a free tool Tuesday that should help Web developers find and fix cross-site vulnerabilities.

The tool, RatProxy, is described by Google as "a semi-automated, largely passive Web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex Web 2.0 environments."

The tool is versatile, detecting and ranking a broad class of vulnerabilities. Included are script injections, cross-site trust attacks, content-serving vulnerabilities, cross-site request forgeries (XSRF), and cross-site scripting (XSS).

RatProxy runs on Linux, FreeBSD, … Read more

Last weekend, several hundred Lithuanian Web sites were defaced with pro-Soviet and anti-Lithuanian slogans, according to The New York Times.

Last Friday, Lithuanian government sites were warned of an impending Web attack and mounted appropriate defenses. Several hundred commercial sites did not do so and over the weekend took the brunt of the attack. By Monday, most all of the sites had been restored.

As with last year's Estonian denial-of-service attacks, the new attacks appear to be in reaction to a law outlawing the display of Soviet symbols in Lithuania. Germany has similar laws outlawing the display of Nazi … Read more

On Thursday, Opera released version 9.51. The new version fixes a few security vulnerabilities and resolves some stability issues. One of the fixes addresses an arbitrary code execution vulnerability that was not previously made public.

Meanwhile, Mozilla released Firefox 2.0.15 with a dozen security fixes, including a few remote-execution vulnerabilities.

Current Firefox 2 users should, however, upgrade to Firefox 3, which includes antimalware protection and other security features.

On Thursday, Microsoft announced four security bulletins for Patch Tuesday next week. The pre-announcement is intended as a heads up for IT departments before Patch Tuesday. All four are considered important, the second-most serious ranking by the software giant.

Among the important patches, two affect vulnerabilities within Windows, with one potentially causing remote code execution, while the other involves spoofing. Another bulletin affects Windows and Microsoft SQ Server and involves privilege elevation. The final bulletin affects Microsoft Exchange Server and also involves privilege elevation

Early Wednesday, antivirus vendor Sophos reported that some visitors to the Sony PlayStation site may have been prompted to download an antivirus scanner.

Pages promoting the PlayStation games SingStar Pop and God of War contained SQL-injected code. Visitors to those specific game pages would see a fake antivirus scan , then a message that their computer was infected with different viruses and Trojan horses. Warned, the user would then be asked to purchase the scanner to remove the bogus malware.

The injected code linking to the scanner has since been removed.

Sophos said the attack could have downloaded malicious payloads, but … Read more

On Wednesday, Microsoft announced new security features within the upcoming release of Internet Explorer 8 Beta 2. The features are designed to combat the rising tide of drive-by downloads and malicious scripts contained within carefully crafted links embedded in e-mail and Web pages. Most of the new features require systems to be running Windows Vista SP1 or Windows XP SP3.

Perhaps the most anticipated addition is Internet Explorer's new antimalware protection. Opera 9.5 and Firefox 3 both recently added antimalware protection. Safari has so far not announced plans for similar protection. Using mostly its own antimalware technology, Microsoft … Read more

A group of researches on Tuesday said 637 million Web users are surfing with outdated Internet browsers and therefore at greater risk of Web-based attacks.

Using data collected from Google Web searches and security firm Secunia, the researchers, Stefan Frei (of ETH, Zurich), Thomas D?bendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH, Zurich), analyzed the browsers used in a new report (PDF). They did so in an effort to understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.

Overall the authors found that … Read more

Taking a cue from Morgan Spurlock who lived on fast food for 30 days in the Super Size Me documentary, McAfee gathered volunteers from around the world who would, for one hour a day, surf the Internet, signing up for various newsletters, filling in various forms. As they did so, the participants were asked to blog about their experiences.

On Tuesday, McAfee released the results of the experiment it called S.P.A.M., or Spammed Persistently All Month.

Over the course of the month, McAfee's test subjects accumulated 104,000 spam messages, or roughly 70 per day per … Read more