iPhone Security Flaw Surfaces


A rather large security flaw was discovered in iPhone 2.x software yesterday.  The flaw will leave your data open to prying eyes even if you have enabled password protection.  To reproduce the flaw, try these steps:

  1. Lock your phone so it requires a password to use
  2. Slide to unlock, then hit the Emergency Call button
  3. Double tap your home button
  4. Click the blue arrow by a contact with an email address and click the email address
  5. You’ll be taken to a blank email; hit cancel
  6. Now you have access to all email accounts on your iPhone
  7. You can do the same trick for text messages and Safari if you have a URL in a contact


Obviously this is a huge flaw if you have sensitive data on your iPhone.  The flaw only occurs if you have your Home Button set to Phone Favorites.  Apple has not released a fix, but you can change the Home Button function to another action and the flaw will no longer work on your phone.  Just follow these steps to change the Home Button function:

  1. Open Settings
  2. Click General then Home Button
  3. Change the setting to anything but Phone Favorites.  I prefer Home since even setting it to iPod will allow access to your music.


Gizmodo has a video of the flaw in action.  Let’s hope Apple fixes this flaw in the next software update.  I wonder if this will affect any businesses who are considering the iPhone as a BlackBerry or Windows Mobile alternative?  If I were an IT manager, this would seriously worry me about Apple’s commitment to security on the iPhone.

[Via TUAW]


New Safari Vulnerability Discovered at CanSecWest


A new 0day vulnerability was recently discovered in Safari at the CanSecWest security conference in Vancouver, Canada. Charlie Miller, Jake Honoroff, and Mark Daniel of Independent Security Evaluators were able to gain control of a MacBook Air on the second day of the hacking competition. In addition to trying to hack OS X, teams were also trying to hack Windows Vista and Ubuntu Linux. The MacBook Air was the first of the three systems to be hacked.

The hacking contest began Wednesday, when hacks were limited to over-the-network techniques. On that first day, no computers were hacked. On the second day, the rules were changed to allow attacks delivered via a website or email, and the MacBook Air was hacked in less than two minutes.

The vulnerability in Safari involved having the judges browse to a website with the malicious code installed. Once the judges visited the website, the team was able to retrieve a file from the MacBook Air.

The ISE team immediately signed a nondisclosure agreement relating to the vulnerability. TippingPoint, the contest sponsor, said Apple has been informed of the vulnerability. Last year’s contest was won by a QuickTime vulnerability, which was patched by Apple within two weeks. No word on what version of Safari was used in the attack.

[Via CNET]
