security update
Latest
Google's Pixel 6 April update arrives with camera and charging fixes
Google's April update has now arrived, on time for once, with fixes for several key issues around charging, the camera and security.
Google Drive security update could leave some file links broken
Google will add a resource key to Drive links generated for sharing.
Apple releases a security fix for OS X Network Time Protocol issue
Today Apple release a new security update for OS X's Network Time Protocol service. Apple recommends users with Yosemite, Mavericks, and Mountain Lion install the update as soon as possible. There is no official word on what exactly the update covers. When you go to Apple's page for more information you are met with this update: For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. According to MacRumours the update apparently addresses a security issue announced by the U.S. government on December 19. The issue, originally discovered by Google's Security Team, gives attackers the potential to execute arbitrary code using ntpd privileges.
League of Legends compromised; North American accounts and transactions accessed
Riot Games has just issued a letter to League of Legends players revealing that North American account information has been compromised by hackers. According to the message, usernames, email addresses, "salted password hashes," and real names were accessed. Riot insists that password information is unreadable but that players with easy-to-guess passwords might be at risk. Also accessed were hashed and salted credit card numbers from around 120,000 transactions made in 2011. Riot noted that the payment system in question has not been used since July of 2011 and that it is "taking appropriate action to notify and safeguard affected players." If your information was affected, you will receive an email from Riot. All North American players will be required to change their passwords "to stronger ones that are much harder to guess." In the meantime, keep an eye on your accounts for any suspicious activity.
Apple releases Security Update 2013-003 for Snow Leopard, Lion and Mountain Lion
Apple has released Security Update 2013-003 for Snow Leopard, Lion and Mountain Lion. No details have yet been provided by Apple as to what specific security issues the updates address, but all the updates are available through Software Update or via Apple's website. The only description provided with the updates reads: "Security Update 2013-003 is recommended for all users and improves the security of Mac OS X." Direct links to the updates are below: Security Update 2013-003 for Mountain Lion Security Update 2013-003 for Lion Security Update 2013-003 for Snow Leopard
OS X Lion hits 10.7.5 with most recent update, brings improved security with Gatekeeper
While the latest software for OS X Lion isn't nearly as exciting as a couple of other updates that Apple released today, Lion users will find a few worthwhile improvements within the new OS X 10.7.5 update. Most importantly, the latest software introduces Gatekeeper, a security feature from Mountain Lion that makes it more difficult to inadvertently install malicious software. The update also brings improved WiFi reliability for the iMac (late 2009 and newer) and squashes a bug that'd caused Launchpad icons to become rearranged. You'll find an even greater number of fixes / improvements after the break, and it's also worth a mention that even Snow Leopard users have received a bit of love today in the form of a security update. Want to prove you're a good cat owner? Go ahead and check for new updates right away.
North American players may now update their security questions
As an update to the security breach last week, players on North American realms will now be prompted to change their security question and answer when logging in to their Battle.net accounts. The security breach included no financial information; however, answers to personal security questions were compromised, as well as some information related to Mobile Authenticators. In addition to the security question update, players may now also update their Mobile Authenticators as well. Please note, this is only in regards to North American accounts; players in Europe need to do neither of these things. And remember, if you are a North American player and have not changed the password on your account, doing so is an excellent idea. Nethaera As a precaution following our recent security update, players on North American servers please take a moment to visit Battle.net account management, where you will be prompted to change your security question as well as update your Mobile Authenticator. There you'll also find helpful tips and an FAQ, as well as instructions on how to add additional layers of security to your account, including the Battle.net Authenticator or the Mobile Authenticator for those that aren't already using one. source
Blizzard security breach, no evidence that financial data was compromised
Mike Morhaime, the president of Blizzard Entertainment, reported today in a blog post posted on the official Blizzard website that a list of email addresses for Battle.net users, answers to security questions, and information relating to the Mobile and Dial-in Authenticator program were illegally accessed by outsiders. The security hole has been closed, but Blizzard is officially recommending that all Battle.net users change their passwords immediately. In the coming days, players will be prompted to automatically change their security questions and update their mobile authenticator software. A FAQ is available here. The full post is below. Mike Morhaime Players and Friends, Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened. At this time, we've found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed. Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts. We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well. In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here. We take the security of your personal information very seriously, and we are truly sorry that this has happened. Sincerely, Mike Morhaime source
Daily Update for May 15, 2012
It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes for a quick review of what's happening in the Apple world. You can listen to today's Apple stories by clicking the inline player (requires Flash) or the non-Flash link below. To subscribe to the podcast for daily listening through iTunes, click here. No Flash? Click here to listen. Subscribe via RSS
Adobe issues security update for Flash player, warns against IE exploit
Internet Explorer associated with an exploit? Color us shocked. Facetiousness aside, it's seriously about time you switched over to Chrome or Firefox (as a mitigation tool; not a foolproof solution), and if you're a desktop user relying on Flash Player, well... it's about time you updated that, too. Adobe has just released a security update for Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x. We're told that these updates "address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system." Adobe specifically mentions an exploit that targets Flash Player on Internet Explorer for Windows, where a user is duped into clicking on a malicious file delivered in an email message. Hit up the source link for more information on getting your system out of The Danger Zone. Which, conveniently, can be looped as you update with a click after the break. [Thanks to everyone who sent this in]
HTC acknowledges long-running WiFi security flaw, says it kept it quiet to prevent exploits
As far back as September, security researchers discovered a "critical" bug in many HTC Android handsets that exposed users' WiFi credentials to any hacker who cared to look. The flaw affected recent devices like the Thunderbolt and EVO 4G all the way back to the Desire HD. The researchers promptly notified HTC, but the manufacturer waited a full five months before acknowledging the flaw publicly a few days ago. Sounds shady, perhaps, but HTC sent us a statement clarifying that this is standard policy to protect customers. It says it waited to develop a fix before it alerted the big bad world to the vulnerability. Most newer devices have already received their fix OTA, but owners of some older phones -- we'll update this post when we know exactly which ones -- will need to check the HTC Support site for a manual update next week. Meanwhile, in the manufacturer's defense, the guys at the Open1X group who discovered the bug say that HTC was "very responsive and good to work with." Here's HTC's statement to us: "HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public." Update: We changed our original headline to make it clearer that HTC deliberately kept quiet to protect its customers. We're certainly not accusing HTC of any wrong-doing here.
Adobe releases final Flash Player version for Android, BlackBerry PlayBook, promises future updates
When Adobe announced the death of Flash Player on mobile devices earlier this week, it did so while promising to issue a final version for Android devices and the BlackBerry PlayBook. Now, that promise has come to fruition, with the release of version 11.1. Like pretty much every Adobe update, this latest refresh promises to patch up a host of security flaws -- 12 "critical" ones, to be exact. More intriguing, however, are Adobe's plans for future security support. In a blog post published Wednesday, company exec Danny Winokur confirmed that Adobe will "continue to provide critical bug fixes and security updates for existing device configurations." This sentiment was echoed in a Twitter post yesterday from Brad Arkin, senior director of product security and privacy: "Adobe will continue to ship security updates for Flash Player mobile after the final feature release." But neither Winokur nor Arkin have specified how long this patch distribution will continue, and the company has yet to offer any sort of timeline for future tablet and smartphone updates. For more information on the latest release, check out the source link below, or hit up the coverage link to grab the Android version for yourself.
Apple security update addresses DigiNotar certificates
Apple has rolled out security update 2011-005 (Lion) and security update 2011-005 (Snow Leopard), which addresses the certificate trust policy regarding DigiNotar certificates. The update removes DigiNotar from the list of trusted root certificates, the list of Extended Validation certificate authorities and configuring the default system trust settings so DigitNotar certificates -- those issued by DigitNotar itself and other authorities -- are not trusted. These downloads are available through Apple's support site and via Software Update.
Mac Security Update 2011-003 now hunting MacDefender
Mac Security Update 2011-003 has appeared in Software Update and is available for immediate download and installation. According to KB article HT4657, the update provides a File Quarantine definition for the OSX.MacDefender.A malware and Mac OS X 10.6.7 will now automatically update the definitions on a daily basis. The update will also search for and remove MacDefender and its known variants. If you prefer to defuse your malware manually, be sure to refer to our guide. The update will be available later directly from Apple Downloads, and we'll update this post with a direct link at that time.
iOS 4.3.2 / 4.2.7 now available to download, fixes iPad 3G and FaceTime woes (update: jailbroken!)
If you're hankering to be riding the very latest mobile software from Apple, hit up your iTunes, for version 4.3.2 of iOS is now available for downloadin' and updatin'. Fixes for occasional "blank or frozen" FaceTime video and iPad 3G issues get top billing, while the obligatory security updates fill out the rest. The size of this mighty software drop? A hefty 666.2MB. Update: Well, someone's skipping class today. A tethered jailbreak is already in the wilds, if you dare. Thanks, Jeff! Update 2: Looks like Verizon customers are getting a slightly different update of their own: iOS 4.2.7. It promises only "bug fixes and security updates." [Thanks to everyone who sent this in]
Modern Warfare 2 patch arrives March 8, 'to address hacking'
It appears that whatever Sony did to mitigate security issues in its most recent PlayStation 3 patch has enabled Infinity Ward to address its "unplayable" version of Modern Warfare 2. Creative strategist Robert Bowling announced on Twitter that a patch "will release on PlayStation 3 worldwide on March 8," with an Xbox 360 and PC release following at some point. The patch, Bowling said, is specifically intended "to address hacking." Bowling detailed the process on the Infinty Ward forums, having updated his original post about the PS3 situation as new information was available from IW while staying intentionally light on details, "as we don't want to give out any information that could potentially hinder the security any further." He additionally noted that the patch "will also address a small geo exploit on the map Fuel, which players exploited in order to get inside a rock on the outskirts of the map." Apparently some players were ... rocking that exploit real hard. [Thanks Tom M.]
Sony about to issue PS3 update with 'minor,' mysterious security patch (update)
Sony just mentioned on its official PlayStation blog that the PS3 is about to get a "minor" update, v3.56. With Sony about to host a press event in Tokyo, it would be nice if we were getting some new functionality for our update timeout, but apparently all it adds is a security patch (just like 3.55), and for some reason we get the impression that this "security patch" is less about defense against baddies and more about trying to shore up the PS3 jailbreak that's currently running rampant. Of course, there are some serious security concerns when it comes to jailbroken PS3s, like the fact that they allow some serious cheating in select multiplayer games, so a truly competent, non-user-hostile security patch wouldn't be all bad. We guess we'll see what we get when the update lands, presumably later today. Update: That didn't take long. It's out -- and members of the PS3 hack community already allege that it breaks custom firmware. [Thanks to everyone who sent this in]
Office 2008 users: 12.2.7 update is available
With about two weeks to go until Office 2011 ships, Microsoft is making sure that Office 2008 is safe and sound with a security and stability update. The 12.2.7 update can be downloaded and installed by running Check for Updates from the Help menu in any of the Office 2008 apps, or letting Microsoft AutoUpdate do its job. What's in the update? For Microsoft Excel, it's a bug fix. According to Microsoft, the update "fixes issues that cause Excel to crash or close unexpectedly sometimes when you try to start an Excel application." And for those of you who use Entourage (Anyone? Anyone? Bueller?), it's about reliability. The update details there say that it fixes issues with Kerberos authentication with Microsoft Exchange Server 2003 and 2007 as well as an issue where Entourage would create duplicate items in the Exchange 2007 mailbox. You can read all of the details here. The installed update takes up 503.4 MB of your precious hard disk space.
Apple releases Security Update 2010-006
Yes, as you can see above (and in a Software Update near you), Apple has released Security Update 2010-006, the latest OS X issue-fixer of the year. It's recommended for all users, so run your SU, let it download and install, and you'll be good to go. This one apparently fixes an issue where a remote attacker could have snuck into AFP shared folders without having a password. Apple releases OS Security Updates a few times a year, and given how simple it is to update and install them, you should go ahead and update as soon as possible.
Citibank says iPhone app has security flaw
The wire services and the Wall Street Journal are reporting that the Citi Mobile app that Citibank offered to customers has a security flaw, and that it saved personal account information in a hidden file on users' iPhones. Our own Mike Rose reports that he got one of Citi's letters to customers warning them about the security issue. The information saved on the iPhones included account numbers, bill payment information, and even security access codes. If customers synced their phones to a Mac or PC that information would also be on those computers and could theoretically be accessible by hackers. "We have no reason to believe that our customers' personal information has been accessed or used inappropriately by anyone," Citi said. The newest version of the Citi app is online and is listed as a 'mandatory' update for customers.
