Sep 23

Microsoft patches critical hole in Internet Explorer

With an emergency update on Friday evening, Microsoft has closed the critical vulnerability in Internet Explorer that is already being actively exploited for attacks. The hole affects IE versions 6 to 9 and allows attackers to infect systems with malicious code when a specially crafted web page is visited. The vulnerability was disclosed last Monday, and a Metasploit module for it became available on Tuesday.

Microsoft also took this opportunity to close four similar holes that, the company said, were reported in confidence by security specialists and haven’t been exploited for attacks. Looking at their CVE numbers, these four vulnerabilities were reported well before the other hole was revealed on Monday. The vulnerabilities are based on “use-after-free” bugs that involve access to newly de-allocated memory areas. This causes IE to execute shell code that an attacker has injected into memory.

Microsoft says that the patch is being deployed via Windows Update; therefore, those who have the Windows Update feature enabled on their computers need to take no further action. Everyone else can manually download a suitable patch for their version of Windows.

The company has also made changes that benefit the early adopters of Windows 8 by updating the Flash Player that is integrated into IE 10 to the latest version. The update fixes a bug that enabled files to inject software via specially crafted fonts. With the new version of Internet Explorer, Microsoft has made the Flash plug-in a permanent browser component. This should, in theory, cause updates to reach users faster and more reliably because the browser will download and install them automatically.

Permanent link to this article: http://pccorzo.com/myblog/index.php/2012/09/microsoft-patches-critical-hole-in-internet-explorer/

Sep 22

WordPress for Android updated with all-new stats

 

The new version of WordPress for Android adds support for featured images and all-new stats
Source: WordPress

Support for featured images and all-new stats are the most notable features in the recent 2.2 release of the WordPress for Android mobile application. This new version now lets users set Featured Images from directly within the app; previously this could only be done using the web interface. After adding an image to the post, users can enable this option by tapping on it and selecting “Use as featured image”; the developers note that this requires WordPress 3.4.1 or later. 

WordPress for Android 2.2 also introduces a new stats view that includes information on, for example, Views by Country as well as Top Posts and Pages. The stats work out of the box for blogs hosted on WordPress.com; for self-hosted blogs, users will need to install the free Jetpack plugin to enable stats within the app. Other changes include performance improvements as well as various bug fixes that improve its overall reliability.

Shortly after WordPress for Android 2.2 arrived, the developers released an update, version 2.2.2, that fixed a problem with stats, updated Swedish, Hungarian and Catalan translations, and added Korean language support. WordPress for Android 2.2.2 is available to download from the Google Play Store and requires Android 2.1 or later. The app supports WordPress.com and self-hosted WordPress.org blogs running WordPress 3.0 or higher. Like WordPress, WordPress for Android is licensed under the GPLv2.

A new version of the WordPress for iOS app has also been released. Version 3.1.4 of the app adds support for the latest iOS 6 release as well as Apple’s new iPhone 5 smartphone. Other changes include fixes for problems with stats and remote logins, as well as bugs that caused the app to crash. The update is available to download from the iTunes App Store and requires iOS 4.3 or later.

 

Permanent link to this article: http://pccorzo.com/myblog/index.php/2012/09/wordpress-for-android-updated-with-all-new-stats/

Sep 21

Microsoft and Xamarin collaborate on Azure Mobile Services

Microsoft has announced that it is open sourcing the software development kit (SDK) for its Azure Mobile Services backend for Windows Store applications. The company has also said that it will partner with Xamarin to expand the SDK to support the iOS and Android platforms.

Azure Mobile Services is a framework that provides features such as login capabilities and remote data storage for mobile applications; it runs on Microsoft’s Azure which offers a hybrid Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) environment to developers.

The code for the SDK is made available under the terms of the Apache 2.0 Licence and can be downloaded from GitHub. According to the company, it will be fully supported and the developers are actively looking for contributions to the project. Xamarin, in turn, has made a preview of its cross-platform implementation of the Mobile Services client framework available under the same licence. According to the company, “the framework, which is a port of Microsoft’s own Mobile Services client library, will make it easy for developers to use Microsoft’s hosted backend in their Xamarin-powered Android and iOS applications.”

Xamarin maintains the open source C# implementation Mono and sells commercial versions for Android and iOS development, which have proven popular with game developers.

Permanent link to this article: http://pccorzo.com/myblog/index.php/2012/09/microsoft-and-xamarin-collaborate-on-azure-mobile-services/

Sep 21

Apple closes security holes in Mac OS X and Safari

Apple has released updates for versions 10.6 (Snow Leopard), 10.7 (Lion) and 10.8 (Mountain Lion) of its Mac OS X operating system that close a number of critical security holes. Mac OS X 10.8.2 and 10.7.5, and Security Update 2012-004 for Mac OS X 10.6.8 address a wide range of security vulnerabilities. These include information disclosure and denial-of-service (DoS) problems, bugs in the sandbox that could allow a malicious program to bypass restrictions, memory corruption bugs, and buffer and integer overflows. According to Apple, many of these could be exploited by an attacker to cause unexpected application termination or arbitrary code execution. Among the changes in the updates are new versions of Apache, the BIND DNS server, International Components for Unicode, the kernel, Mail.app, PHP, Ruby and the QuickTime media player, all of which correct security problems.

In addition to the fixes in Mac OS X 10.7.5, the update also includes Gatekeeper, a security feature from 10.8 Mountain Lion. By default, this feature automatically rejects applications that have not been signed with a valid Apple-issued Developer ID, but this setting can be changed. Gatekeeper includes three levels of security for running applications downloaded from the internet: “Mac App Store”, “Mac App Store and identified developers” and “Anywhere”. The first of these only runs applications downloaded from the Mac App Store, while the second option only allows applications from the store and from developers who have signed their program with their Developer ID. The last option allows all applications to run, regardless of whether they are signed with a Developer ID or not.

The company also released an update to its Safari web browser, version 6.0.1. This first update to Safari 6 from July addresses multiple information disclosure vulnerabilities, including one which could allow Autofill contact information to be sent to maliciously crafted web sites. As usual, the majority of the holes closed in Safari were memory corruption bugs found in its WebKit browser engine which could, for example, be exploited by an attacker to cause unexpected application termination or arbitrary code execution. For an attack to be successful, a victim must first visit a specially crafted web site.

Further details about the vulnerabilities closed, including a full list of fixes, can be found in Apple’s security advisories. Mac OS X 10.8.2 (Client Standard Update, Client Combo Update), Mac OS X 10.7.5 (Client Standard Update, Client Combo Update, Server Standard Update, Server Combo Update) and Security Update 2012-004 (Client, Server) for Mac OS X 10.6 are available from Apple’s Support Downloads page; at the time of writing, Safari 6.0.1 is not yet listed for download from the site. Alternatively, Mac OS X users can upgrade to the latest releases using the built-in Software Update function. All users are advised to upgrade as soon as possible.

Permanent link to this article: http://pccorzo.com/myblog/index.php/2012/09/apple-closes-security-holes-in-mac-os-x-and-safari/

Sep 20

Pwn2Own: iOS vulnerability reveals user data

During this year’s Mobile Pwn2Own hacking competition, two Dutch security researchers managed to access user data saved on an iPhone 4S. According to a report from the IDG News Service, calling up a manipulated web site with iOS 5.1.1 was all that was needed to introduce malicious code that then sent any pictures, videos, address book data and browsing history saved on the device to the attackers’ server.

The report says that the security vulnerability that was used for the attack, which is in the WebKit browser engine used by the mobile version of Safari, can also be exploited on other iOS devices; the security researchers say that this has not yet been fixed as of the golden master version (Build 10A403) of iOS 6, which Apple released Wednesday evening. The two researchers told ZDNet that they developed the exploit in their free time over the course of three weeks and were awarded a $30,000 prize as part of the Pwn2Own contest.

Details of the vulnerability were apparently only shared with the competition organiser, TippingPoint’s Zero Day Initiative, which plans to pass the exploit on to Apple.

 

Permanent link to this article: http://pccorzo.com/myblog/index.php/2012/09/pwn2own-ios-vulnerability-reveals-user-data/
