Sep 25

Apple fixes security vulnerabilities with Apple TV 5.1 update

Less than one week after iOS 6 arrived, Apple has released Update 5.1 for its 2nd and 3rd generation iOS-based Apple TV devices, adding several new features and closing a number of important security holes. According to Apple, Apple TV 5.1 addresses a total of 21 problems, some of which could be exploited by a remote attacker to, for example, cause a denial-of-service (DoS), determine which networks a device has previously accessed, or even execute arbitrary code on the device.

These include vulnerabilities in the LibXML library used by Apple TV, memory corruption problems in JavaScriptCore and the LibPNG library, a stack buffer overflow in ICU locale ID handling, an integer overflow, a double free bug in ImageIO’s handling of JPEG images and a buffer overflow in the LibTIFF library. For an attack to be successful, a victim must connect to a malicious Wi-Fi network, or open a specially crafted movie or image file.

Non-security related changes in the update include new screen savers, improvements to movie trailers, and support for Shared Photo Streams, SDH subtitles and iTunes account switching. Support for advanced network options using configuration profiles has also been added.

Further details on these vulnerabilities can be found in the company’s security advisory. Apple TVs periodically check for updates automatically and will alert users when an update is available; however, users can also manually update their 2nd and 3rd generation Apple TVs by selecting Settings ➤ General ➤ Software update.


Permanent link to this article: http://pccorzo.com/myblog/index.php/2012/09/1376/

Sep 24

Malware programmers start using Go

Google’s Go programming language has a growing number of users and, according to a report from Symantec, that number now includes some malware writers. The company says it recently found a trojan, Encriyoko, which included Go-based components, specifically a file named GalaxyNxRoot.exe. This file is a .NET-based dropper which pretends to be a rooting tool to trick users into running it, at which point it drops and launches two programs written in Go: PPSAP.exe and adbtool.exe.

PPSAP.exe is an information-gathering trojan which appears to collect system information which is then posted to a remote site. The adbtool.exe file downloads an encrypted file, zdx.tgz, and decodes it; the downloaded file is a DLL which is loaded and run. This then attempts to encrypt, using Blowfish, many different file formats including .c, .cpp, .go, .vb, .jpg, .png, .rar, .zip, any document files with doc, xls, ppt, mdb or pdf in the name and a range of other files based on whether their extensions include strings such as mce, dw, sh or pic. The contents of the encrypted files are most probably irretrievably lost, as the zdx.dll program generates a random key unless a particular file is present.

Go is a relatively young language, introduced in 2009 by Google as an alternative to classic systems languages like C, C++ or Java. The dynamically typed language’s syntax is strongly based on C and is known for supporting concurrency as a feature native to the language. It is possible the malware authors were using the language, which has yet to enter the mainstream, because malware researchers were unlikely to be familiar with it and the code generated by its compiler.

Permanent link to this article: http://pccorzo.com/myblog/index.php/2012/09/malware-programmers-start-using-go/

Sep 24

Modularisation dropped from Java 8

The project to modularise Java, Jigsaw, originally planned for Java 7 and deferred to Java 8, has now been pushed back to Java 9, which is due to arrive in 2015. Mark Reinhold, Chief Architect of the Java Platform Group at Oracle, says in his blog that his proposal to defer Project Jigsaw met with evenly divided feedback, but ultimately the decision rested with the Java SE 8 Expert Group (JSR337). That group showed all supporting the deferral of modularising Java’s run-time and a strong majority supporting the plan to push the entire modularisation effort to Java SE 9. A final and formal resolution is still pending but is unlikely to change course.

Despite the deferral, work on preparing the way for modularisation will still be done in Java 8, ready for Java 9. A Java Enhancement Proposal, JEP162 “Prepare for Modularisation”, sets out a plan to smooth the transition by making changes such as deprecating problematic APIs, adding command-line tools to show static dependencies and switching to ServiceLoader. These changes should make the eventual transition to modularisation easier.

The Oracle architect also believes that there is still progress to be made in the convergence of Java SE and the high-end profiles of Java ME, and another proposal, JEP161, lays out a plan to define a number of subset profiles for Java SE which could allow the platform to be deployed and run on small devices. For example, an initial draft sees core libraries such as lang, io, nio and util making up a “Compact1” profile, with the addition of sql, xml, dom, sax and rmi making up “Compact2”; a “Compact3” profile would bring in many more libraries.

Reinhold closes by saying that “deferring Jigsaw to a Java 9 release in 2015 is by no means a pleasant decision,” but that it does appear to be the “best available option”.


Permanent link to this article: http://pccorzo.com/myblog/index.php/2012/09/modularisation-dropped-from-java-8/

Sep 23

Microsoft patches critical hole in Internet Explorer

With an emergency update on Friday evening, Microsoft has closed the critical vulnerability in Internet Explorer that is already being actively exploited for attacks. The hole affects IE versions 6 to 9 and allows attackers to infect systems with malicious code when a specially crafted web page is visited. The vulnerability was disclosed last Monday, and a Metasploit module for it became available on Tuesday.

Microsoft also took this opportunity to close four similar holes that, the company said, were reported in confidence by security specialists and haven’t been exploited for attacks. Judging by their CVE numbers, these four vulnerabilities were reported well before the other hole was revealed on Monday. The vulnerabilities are based on “use-after-free” bugs that involve access to newly de-allocated memory areas. This causes IE to execute shellcode that an attacker has injected into memory.

Microsoft says that the patch is being deployed via Windows Update; therefore, those who have the Windows Update feature enabled on their computers need to take no further action. Everyone else can manually download a suitable patch for their version of Windows.

The company has also made changes that benefit the early adopters of Windows 8 by updating the Flash Player that is integrated into IE 10 to the latest version. The update fixes a bug that enabled files to inject software via specially crafted fonts. With the new version of Internet Explorer, Microsoft has made the Flash plug-in a permanent browser component. This should, in theory, cause updates to reach users faster and more reliably because the browser will download and install them automatically.

Permanent link to this article: http://pccorzo.com/myblog/index.php/2012/09/microsoft-patches-critical-hole-in-internet-explorer/

Sep 22

WordPress for Android updated with all-new stats


[Image: The new version of WordPress for Android adds support for featured images and all-new stats. Source: WordPress]

Support for featured images and all-new stats are the most notable features in the recent 2.2 release of the WordPress for Android mobile application. This new version now lets users set Featured Images from directly within the app; previously this could only be done using the web interface. After adding an image to the post, users can enable this option by tapping on it and selecting “Use as featured image”; the developers note that this requires WordPress 3.4.1 or later.

WordPress for Android 2.2 also introduces a new stats view that includes information on, for example, Views by Country as well as Top Posts and Pages. The stats work out of the box for blogs hosted on WordPress.com; for self-hosted blogs, users will need to install the free Jetpack plugin to enable stats within the app. Other changes include performance improvements as well as various bug fixes that improve its overall reliability.

Shortly after WordPress for Android 2.2 arrived, the developers released an update, version 2.2.2, that fixed a problem with stats, updated Swedish, Hungarian and Catalan translations, and added Korean language support. WordPress for Android 2.2.2 is available to download from the Google Play Store and requires Android 2.1 or later. The app supports WordPress.com and self-hosted WordPress.org blogs running WordPress 3.0 or higher. Like WordPress, WordPress for Android is licensed under the GPLv2.

A new version of the WordPress for iOS app has also been released. Version 3.1.4 of the app adds support for the latest iOS 6 release as well as Apple’s new iPhone 5 smartphone. Other changes include fixes for problems with stats and remote logins, as well as bugs that caused the app to crash. The update is available to download from the iTunes App Store and requires iOS 4.3 or later.


Permanent link to this article: http://pccorzo.com/myblog/index.php/2012/09/wordpress-for-android-updated-with-all-new-stats/
