• apple,  ios 15,  iphone 13,  security

    Apple Releases iOS 15.0 Build 19A346

    On Friday, I received my iPhone 13 Pro Max, which I am really enjoying. Yesterday, while out and about, I happened to check Software Update, and noticed that Apple released an iOS 15.0 update with build number 19A346.

    In the above screen captures, you can see iOS 15.0 as shipped on iPhone 13 Pro Max (left) and iOS 15.0 on the same iPhone 13 after updating (right). The release notes did not say much other than it was a security update.

    “This update provides important security updates and fixes an issue where widgets may revert to their default settings after restoring from a backup.”

    As of the time of this post, the Apple Security Updates page linked from the release notes had not yet been updated with the details of iOS 15.0 19A346.

    However, a piece by Jim Salter writing for Ars Technica may shed some light as to what’s going on.

    “[A] security researcher who goes by illusionofchaos dropped public notice of three zero-day vulnerabilities in Apple’s iOS mobile operating system. The vulnerability disclosures are mixed in with the researcher’s frustration with Apple’s Security Bounty program, which illusionofchaos says chose to cover up an earlier-reported bug without giving them credit.”

    Apple has received criticism in the past for being slow to acknowledge bugs reported by security researchers. And, when vulnerabilities are confirmed, Apple can be equally slow to credit researchers and provide payouts as part of the company’s Security Bounty program.

    According to Salter, the security researcher, who goes by the name of illusionofchaos, has posted example code of how the exploits work, meaning that a nefarious programmer can use the code to whip up a new malware attack against iOS devices.

    My suggestion is that anyone who is running iOS 15.0 check Settings > Software Update for iOS 15.0 (19A346) and install it as soon as reasonably possible.

    Interestingly, the same update was not available for my 10.5-inch iPad Pro nor my iPhone XR running the iOS 15.1 Public Beta.

  • mac os x,  macintosh,  security,  vintage

    Mac OS X 10.4 Tiger’s Java Updates

    Running Mac OS X Tiger? You’ll have some Java updates to apply!

    When restoring vintage Macs, I like to upgrade Mac OS / Mac OS X / OS X to the latest release to make sure that I have the very latest software on my gear. For my latest project, I am installing Mac OS X 10.4 Tiger and all of the available updates from DVD and Software Update. Looks like Java has had quite a few updates.

  • firefox,  mozilla,  security

    Upgrade Firefox Now

    In an eyebrow-raising announcement, users of Mozilla’s Firefox browser are urgently warned to upgrade to Firefox 72.0.1, Firefox Extended Support Release (ESR) 68.4.1, and Thunderbird 68.4.1 (which uses the Firefox engine) or later right away.

    All software has bugs, and Mozilla’s software is no exception. Also, bad guys will ruin everything on the Internet.

    What makes this warning from the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) so important is that active attacks are being made on Firefox by way of compromised websites that have been infected with malicious web pages. Once an unpatched version of Firefox is successfully exploited, an attacker will be able to gain control over the Mac or Windows PC that the browser is running on.

    The CISA cybersecurity warning reads:

    “Mozilla has released security updates to address a vulnerability in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.

    The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 72.0.1 and Firefox ESR 68.4.1 and Thunderbird 68.4.1 and apply the necessary updates.”

    Mozilla has provided directions for upgrading your copy of Firefox to the latest release on their support website.

    Keep yourself safe. Apply this update, even if you normally do not like to apply software patches and upgrades.

  • apple,  ios 11,  mac os x,  security,  update

    Apple Issues ‘Meltdown’ and ‘Spectre’ Patches for iOS, macOS, Safari


    Today, Apple has posted a set of updates that are designed to patch recently reported vulnerabilities found in Intel and ARM processors. These are very important security updates. You should install them as soon as you can.

    Apple Software Updates


    Ready for your downloading and installing pleasure are:
    * iOS 11.2.2 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
    * macOS High Sierra 10.13.2 Supplemental Update
    * Safari 11.0.2 for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6

    The Apple support website always links to the latest security patch updates.

    The Short Story

    The vulnerability, which impacts all modern Intel and ARM CPUs, can be found in just about every PC, smartphone, and tablet on sale. Microsoft Windows, Linux distributions, and hardware vendors all need to issue patches to prevent the “Meltdown” and “Spectre” vulnerabilities from being exploited and granting cyber-attackers access to highly sensitive data that is held in a computer’s protected memory space.

    Confused about all of these processor vulnerabilities and patching? It’s totally understandable. If you really want to understand what’s going on, check out Rene Ritchie’s excellent Meltdown and Spectre FAQ at iMore.com.


  • airport,  apple,  ios,  mac os x,  security,  tvos,  watchos

    With a Pair of AirPort Updates, Apple Completes Wi-Fi Vulnerability Patching

    On December 12, Apple released a pair of AirPort firmware updates to close the WPA2 key reinstallation attack vulnerability. The vulnerability was first publicly announced in October, after vendors had been alerted to it much earlier in the year.

    Apple AirPort Extreme/AirPort Time Capsule base station firmware version 7.7.9 and AirPort Express firmware 7.6.9 both include the patch that protects against the WPA2 key reinstallation attack. The Common Vulnerabilities and Exposures (CVE) numbers that these patches address are CVE-2017-9417, CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080.

    The AirPort firmware updates can be applied using the iOS AirPort Utility, available for free from the Apple iOS App Store. If you have an Apple AirPort running in your home or office, you need to update it right away to close this serious vulnerability.

    About this time last year, I wrote about my doubling-down on Apple AirPort hardware in the face of media reports (aka: rumors) that Apple had abandoned the AirPort product line. I still hold that there are much better Wi-Fi solutions available today, even for die-hard Apple fans like us. The Wirecutter (https://thewirecutter.com/reviews/best-wi-fi-mesh-networking-kits/) has a very good review of mesh network Wi-Fi devices from vendors such as Eero and Netgear. You really should be running them over Apple’s AirPort at this point. Still, despite Apple reportedly walking away from AirPort, as a customer, I am glad that Apple took on the task of releasing a pair of security updates for the aging devices. It seems only fair to customers, since Apple is still selling the AirPort hardware online and in retail stores.

    What About My Other Apple Gear?

    Apple updated iOS 11, macOS, watchOS, and tvOS back in October. If you are running iOS 11.1, watchOS 4.1, tvOS 11.1, or the latest versions of macOS High Sierra 10.13, Sierra 10.12, or El Capitan 10.11, you have already installed the WPA2 patch. Use the Software Update feature of these operating systems to verify that you are up-to-date or install the latest software releases if need be.

    If you are still running macOS/OS X Mavericks 10.10, you should consider upgrading to High Sierra to gain the WPA2 patch. Mavericks and earlier versions of macOS will not be patched.

    What About Everything Else?

    The WPA2 key reinstallation vulnerability is not a flaw or vulnerability that is specific to Apple hardware and software. It is a flaw in the WPA2 system itself. Thankfully, the flaw can be fixed with software. What that means, though, is that to improve your chances of being protected against attacks using the WPA2 vulnerability, you must patch all of your Wi-Fi equipment, including routers/modems, smart devices (e.g., light bulbs, switches, and cameras), TVs, Blu-ray players, and gaming consoles.

    Learning More About the WPA2 Vulnerability

    To learn more about the KRACK WPA2 key reinstallation vulnerability, and to see just how catastrophic the vulnerability can be, see Mathy Vanhoef’s summary website and Krebs’ What You Should Know About the ‘KRACK’ WiFi Security Weakness blog post.


  • apple,  mac,  security

    Apple Issues Security Update for ‘root’ Vulnerability


    Yesterday, an unusually dangerous security vulnerability in macOS 10.13.1 High Sierra was uncovered.  Less than 24 hours later, Apple has issued a patch to correct the situation.  The vulnerability allowed access to the Unix ‘root’ account – the most powerful ID on a Unix system – without the use of a password.


    Apple support article HT208315 gives you the specifics about this vulnerability.  If you haven’t already done so, go to the Mac App Store and install Security Update 2017-001.  It is a small update that does not require the Mac to be rebooted.

    John Gruber over at Daring Fireball received a statement from Apple stating the company’s regret and apology for rolling out High Sierra 10.13.1 with this bug in it.  The statement to Daring Fireball also noted that “starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.”

    It was later reported, again by Gruber, that the Security Update 2017-001 patch inadvertently breaks file sharing in macOS High Sierra.  If you experience the post Security Update 2017-001 file sharing bug, Apple has posted support article HT208317 on how to fix file sharing.  To apply the file sharing bug fix, open Terminal.app and issue the command:

    sudo /usr/libexec/configureLocalKDC

    There is no output from the command.  When you are done, quit Terminal.

  • apple,  ios 9,  iphone 6 plus,  iphone 6s,  security

    The Curious Case of the iOS 9.3.1 “Hey, Siri” Contacts, Photos Vulnerability

    Late last night, my father, of all people, tipped me off to a story making the rounds on the Internet about a security vulnerability with an iPhone 6s or iPhone 6s Plus running iOS 9.3.1.  The reported vulnerability allowed a malicious user to bypass the iPhone’s lock screen using the hands-free “Hey, Siri” command.  When successfully executed, an attacker would be able to see all of the contacts and photos on the device.

    Quartz has an article up on their site that starts off with:

    “You might want to wait before downloading the latest version of Apple’s operating system for iPhones.

    If you own an iPhone 6S or 6S Plus and have upgraded to iOS 9.3.1, other people can access your contacts and photos without entering a passcode to unlock the phone. It’s an elaborate and finicky but nonetheless startling loophole.”

    With my iPhone 6s Plus unlocked and running iOS 9.3.1, the “finicky” exploit worked.  However, if I repeated the process with my iPhone locked, the attack was stopped dead in its tracks.

    This morning, when I tried to reproduce the attack, I received a notice from Siri that I needed to unlock my iPhone first.  I made this short video that was posted to YouTube this afternoon.

    Video: https://www.youtube.com/watch?v=O_BrmKI3W9Y

    Oddly, the security settings that AppleInsider.com reported as needing to be turned off to prevent the attack were still enabled on my iPhone.  Curious.

    So what happened?

    This afternoon, Fortune.com has an article up reporting that the Siri-related problem was corrected by Apple from Apple HQ.

    “While initial reports and claims from the bug’s discoverers said that the issue was an iOS 9 glitch, it turns out it was a Siri problem. On Tuesday morning, after seeing the rash of reports on the issue, Apple issued an update to Siri fixing the problem. Therefore, users who were previously subject to the issue are now safe and do not require a software update to get the fix.”

    Security and privacy conscious iPhone 6s and iPhone 6s Plus users can go back to their day without further worry.

  • apple,  ios 8,  iphone,  security,  touch id

    Apple To Enhance iPhone Unlock Security with iOS 8.3 [Updated]

    Apple is further enhancing their iPhone unlock security with the upcoming release of iOS 8.3, which is currently in beta testing.

    [Screenshot: PIN code required when Touch ID is not used to unlock the device in 48 hours]

    My pal, and fellow 1SRC Palm Podcast host, Jeff Kirvin, has informed me that iOS requires a PIN or passcode if not used for 48 hours right now with iOS 8.2.

    I hate it when he’s right.  I still think this is a good feature.

    In the future, if you have not unlocked your iPhone using Touch ID in the past 48 hours, you will be required to reenter your PIN or passcode.  With iOS 8.0 up to and including iOS 8.2, Apple only required that you enter your PIN or passcode after restarting your iPhone.

    The above screen appeared after I left my iPhone 5S running a beta version of iOS 8.3 at home for two days.

    I think that while this may generate a few help desk calls when iOS 8.3 is deployed to corporate iOS devices that get left at work or unused over the weekend, it is a really good move for people who may accidentally lose their device.

    Apple has not announced when iOS 8.3 will ship.  The pre-release software is being tested by registered developers (a $99 annual fee is required to join the program) and by select members of the iOS and OS X public beta testers.

    Some bloggers believe that iOS 8.3 will ship next month at about the same time the Apple Watch is released.

  • adobe,  flash,  linux,  security,  windows

    Upgrade to Adobe Flash Player 14.0.125 Now

    Adobe has issued a security bulletin urging Flash users to upgrade to the latest release, version 14.0.125.  Windows PCs, Macs, and machines running Linux with unpatched versions of Flash are exposed to vulnerabilities that could allow an attacker to take control of the computer.

    “Adobe has released security updates for Adobe Flash Player and earlier versions for Windows and Macintosh and Adobe Flash Player and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions[.]”

    You can download the latest version of Adobe Flash Player for your Windows PC, Macintosh, or Linux machine from the Adobe Flash Player download website.

    Today’s full APSB14-16 security bulletin can be read on the Adobe website.

  • security,  target

    Target Had Warning of Security Risks

    A new article by The Wall Street Journal says that officials at Target were made aware of the potential security risks that led to the November 27 – December 18 attack last year.

    “Target Corp.’s computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.”

    In Target’s defense, the Journal also reports:

    “The sheer volume of warnings that retailers receive makes it hard to know which to take seriously. Target has an extensive cybersecurity intelligence team, which sees numerous threats each week and could prioritize only so many issues at its monthly steering committee meetings, the former employee said.”

    As an IT professional, I find a report like this to be disappointing.  It’s a constant battle between setting business objectives and setting priorities and “good housekeeping” such as installing infrastructure and security upgrades and patches.  Sometimes those priorities get muddy.

    As a Target customer who had their personal data stolen in the breach, I’m more than annoyed to learn that the situation was preventable.  It is also my opinion that most of these types of breaches are preventable with frequent software updates.

    I think security breaches, both large and small, along with the ever growing data stockpile that companies are amassing about their customers is a growing concern for customers and IT departments alike.  We all know that our online habits are being tracked and that companies are collecting an amazing amount of personal data about who we are so that this information can be used to either make more money from you with targeted advertising or by selling the collected information to third-parties.

    While I don’t think that personal data collection will go away anytime soon, if ever, I would hope that as a society, we put new laws and limits on what businesses and clearing houses can do with the data they collect about us.

    Click the source link below to read the full article online (login required).

    [Via WSJ.com…]