SecurityUpdate
Latest
Researchers say some Android phone makers hide missed updates
A number of Android phones have a tendency to skip the occasional security patch while making it appear that the device is fully up to date, Wired reports. Researchers with Security Research Labs (SRL) looked into 1,200 phones from manufacturers like Google, Samsung, Sony, Nokia, Huawei, Motorola, LG, HTC, ZTE and TCL and found that there's often a gap between what the phones say have been updated and what patches have actually been installed. "It's small for some devices and pretty significant for others," SRL founder Karsten Nohl told Wired.
Google Pixel 2 users report warming phones and shortened battery life
If you've noticed your Pixel 2 running warm lately or found its battery life to suddenly be shortened, you're not alone. As 9to5Google points out, Pixel 2 and Pixel 2 XL users are reporting on Reddit and Google's Pixel User Community that their phones are having some issues since they installed Google's February security update. 9to5Google's Ben Schoon reports that his own Pixel 2 XL has been running warm while in standby mode since the update and that its battery life is noticeably reduced.
Microsoft patches Windows XP to stop foreign hack attacks
Last month, Microsoft took what it called the "highly unusual" step of patching older Windows versions like XP against the WannaCrypt ransomware virus. It's doing the same in June to protect against attacks that are potentially even more sinister. "This month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations," security manager Adrienne Hall wrote in a blog.
Apple releases Security Update 2013-003 for Snow Leopard, Lion and Mountain Lion
Apple has released Security Update 2013-003 for Snow Leopard, Lion and Mountain Lion. No details have yet been provided by Apple as to what specific security issues the updates address, but all the updates are available through Software Update or via Apple's website. The only description provided with the updates reads: "Security Update 2013-003 is recommended for all users and improves the security of Mac OS X." Direct links to the updates are below: Security Update 2013-003 for Mountain Lion Security Update 2013-003 for Lion Security Update 2013-003 for Snow Leopard
OS X Lion hits 10.7.5 with most recent update, brings improved security with Gatekeeper
While the latest software for OS X Lion isn't nearly as exciting as a couple of other updates that Apple released today, Lion users will find a few worthwhile improvements within the new OS X 10.7.5 update. Most importantly, the latest software introduces Gatekeeper, a security feature from Mountain Lion that makes it more difficult to inadvertently install malicious software. The update also brings improved WiFi reliability for the iMac (late 2009 and newer) and squashes a bug that'd caused Launchpad icons to become rearranged. You'll find an even greater number of fixes / improvements after the break, and it's also worth a mention that even Snow Leopard users have received a bit of love today in the form of a security update. Want to prove you're a good cat owner? Go ahead and check for new updates right away.
Daily Update for May 15, 2012
It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes for a quick review of what's happening in the Apple world. You can listen to today's Apple stories by clicking the inline player (requires Flash) or the non-Flash link below. To subscribe to the podcast for daily listening through iTunes, click here. No Flash? Click here to listen. Subscribe via RSS
Adobe issues security update for Flash player, warns against IE exploit
Internet Explorer associated with an exploit? Color us shocked. Facetiousness aside, it's seriously about time you switched over to Chrome or Firefox (as a mitigation tool; not a foolproof solution), and if you're a desktop user relying on Flash Player, well... it's about time you updated that, too. Adobe has just released a security update for Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x. We're told that these updates "address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system." Adobe specifically mentions an exploit that targets Flash Player on Internet Explorer for Windows, where a user is duped into clicking on a malicious file delivered in an email message. Hit up the source link for more information on getting your system out of The Danger Zone. Which, conveniently, can be looped as you update with a click after the break. [Thanks to everyone who sent this in]
HTC acknowledges long-running WiFi security flaw, says it kept it quiet to prevent exploits
As far back as September, security researchers discovered a "critical" bug in many HTC Android handsets that exposed users' WiFi credentials to any hacker who cared to look. The flaw affected recent devices like the Thunderbolt and EVO 4G all the way back to the Desire HD. The researchers promptly notified HTC, but the manufacturer waited a full five months before acknowledging the flaw publicly a few days ago. Sounds shady, perhaps, but HTC sent us a statement clarifying that this is standard policy to protect customers. It says it waited to develop a fix before it alerted the big bad world to the vulnerability. Most newer devices have already received their fix OTA, but owners of some older phones -- we'll update this post when we know exactly which ones -- will need to check the HTC Support site for a manual update next week. Meanwhile, in the manufacturer's defense, the guys at the Open1X group who discovered the bug say that HTC was "very responsive and good to work with." Here's HTC's statement to us: "HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public." Update: We changed our original headline to make it clearer that HTC deliberately kept quiet to protect its customers. We're certainly not accusing HTC of any wrong-doing here.
Adobe releases final Flash Player version for Android, BlackBerry PlayBook, promises future updates
When Adobe announced the death of Flash Player on mobile devices earlier this week, it did so while promising to issue a final version for Android devices and the BlackBerry PlayBook. Now, that promise has come to fruition, with the release of version 11.1. Like pretty much every Adobe update, this latest refresh promises to patch up a host of security flaws -- 12 "critical" ones, to be exact. More intriguing, however, are Adobe's plans for future security support. In a blog post published Wednesday, company exec Danny Winokur confirmed that Adobe will "continue to provide critical bug fixes and security updates for existing device configurations." This sentiment was echoed in a Twitter post yesterday from Brad Arkin, senior director of product security and privacy: "Adobe will continue to ship security updates for Flash Player mobile after the final feature release." But neither Winokur nor Arkin have specified how long this patch distribution will continue, and the company has yet to offer any sort of timeline for future tablet and smartphone updates. For more information on the latest release, check out the source link below, or hit up the coverage link to grab the Android version for yourself.
Apple security update addresses DigiNotar certificates
Apple has rolled out security update 2011-005 (Lion) and security update 2011-005 (Snow Leopard), which addresses the certificate trust policy regarding DigiNotar certificates. The update removes DigiNotar from the list of trusted root certificates, the list of Extended Validation certificate authorities and configuring the default system trust settings so DigitNotar certificates -- those issued by DigitNotar itself and other authorities -- are not trusted. These downloads are available through Apple's support site and via Software Update.
Mac Security Update 2011-003 now hunting MacDefender
Mac Security Update 2011-003 has appeared in Software Update and is available for immediate download and installation. According to KB article HT4657, the update provides a File Quarantine definition for the OSX.MacDefender.A malware and Mac OS X 10.6.7 will now automatically update the definitions on a daily basis. The update will also search for and remove MacDefender and its known variants. If you prefer to defuse your malware manually, be sure to refer to our guide. The update will be available later directly from Apple Downloads, and we'll update this post with a direct link at that time.
iOS 4.3.2 / 4.2.7 now available to download, fixes iPad 3G and FaceTime woes (update: jailbroken!)
If you're hankering to be riding the very latest mobile software from Apple, hit up your iTunes, for version 4.3.2 of iOS is now available for downloadin' and updatin'. Fixes for occasional "blank or frozen" FaceTime video and iPad 3G issues get top billing, while the obligatory security updates fill out the rest. The size of this mighty software drop? A hefty 666.2MB. Update: Well, someone's skipping class today. A tethered jailbreak is already in the wilds, if you dare. Thanks, Jeff! Update 2: Looks like Verizon customers are getting a slightly different update of their own: iOS 4.2.7. It promises only "bug fixes and security updates." [Thanks to everyone who sent this in]
Sony about to issue PS3 update with 'minor,' mysterious security patch (update)
Sony just mentioned on its official PlayStation blog that the PS3 is about to get a "minor" update, v3.56. With Sony about to host a press event in Tokyo, it would be nice if we were getting some new functionality for our update timeout, but apparently all it adds is a security patch (just like 3.55), and for some reason we get the impression that this "security patch" is less about defense against baddies and more about trying to shore up the PS3 jailbreak that's currently running rampant. Of course, there are some serious security concerns when it comes to jailbroken PS3s, like the fact that they allow some serious cheating in select multiplayer games, so a truly competent, non-user-hostile security patch wouldn't be all bad. We guess we'll see what we get when the update lands, presumably later today. Update: That didn't take long. It's out -- and members of the PS3 hack community already allege that it breaks custom firmware. [Thanks to everyone who sent this in]
Apple fixes FaceTime for Mac security flaw, not your Wolverine complex
That was quick. The FaceTime for Mac beta security flaw has been shutdown by Apple on the backend -- a flaw that allowed anyone with physical access to your machine to reset and grab your iTunes Store account password and security answers. So now, if some nefarious type were to click "View Account" within your FaceTime desktop app while you were chillin' in the Starbucks toilet or chatting away the day by the office water cooler, the would-be identify thief would simply be redirected back to the FaceTime Account Preferences pane. At which point he'd probably just slip your laptop into his backpack earning two thumbs up from that guy.
Office 2008 users: 12.2.7 update is available
With about two weeks to go until Office 2011 ships, Microsoft is making sure that Office 2008 is safe and sound with a security and stability update. The 12.2.7 update can be downloaded and installed by running Check for Updates from the Help menu in any of the Office 2008 apps, or letting Microsoft AutoUpdate do its job. What's in the update? For Microsoft Excel, it's a bug fix. According to Microsoft, the update "fixes issues that cause Excel to crash or close unexpectedly sometimes when you try to start an Excel application." And for those of you who use Entourage (Anyone? Anyone? Bueller?), it's about reliability. The update details there say that it fixes issues with Kerberos authentication with Microsoft Exchange Server 2003 and 2007 as well as an issue where Entourage would create duplicate items in the Exchange 2007 mailbox. You can read all of the details here. The installed update takes up 503.4 MB of your precious hard disk space.
Apple releases Security Update 2010-006
Yes, as you can see above (and in a Software Update near you), Apple has released Security Update 2010-006, the latest OS X issue-fixer of the year. It's recommended for all users, so run your SU, let it download and install, and you'll be good to go. This one apparently fixes an issue where a remote attacker could have snuck into AFP shared folders without having a password. Apple releases OS Security Updates a few times a year, and given how simple it is to update and install them, you should go ahead and update as soon as possible.
Apple releases slew of updates, fixes Zero Day bug
Apple has released a slew of updates in the last few days, including a security update that fixes the Zero Day bugs discovered by Charlie Miller and revealed at CanSecWest. In addition to the MacBook Pro and MobileMe Backup updates, Apple has also released: 27-inch iMac SMC Firmware Update 1.0 This update fixes Target Display Mode compatibility issues on 27-inch iMac computers. Weighs in at 397 KB. 27-inch iMac EFI FW Update 1.0 The update is recommended for all quad-core Intel Core i5 and Core i7 processor 27-inch iMacs. This update addresses the following: Resolves an issue that sometimes caused high processor utilization while playing audio through the headphone output mini-jack. Resolves an issue that prevented the display backlight from turning on after powering on the iMac. Weighs in at 2.1 MB. Security Update 2010-003 (Snow Leopard) Security Update 2010-003 is recommended for all users and improves the security of Mac OS X. Weighs in at 6.50 MB. Server Admin Tools 10.6.3 This update includes the latest releases of: iCal Server Utility, Podcast Composer, Server Admin, Server Monitor, Server Preferences, System Image Utility, Workgroup Manager, and Xgrid Admin. The update weighs in at 236MB. Security Update 2010-003 (Leopard-Client) This update improves the security of Mac OS X. Weighs in at 218.6 MB. Security Update 2010-003 (Leopard-Server) This update improves the security of Mac OS X. Weighs in at 379.5 MB. Mac OS X v10.6.3 v1.1 Update (Combo) The 10.6.3 v1.1 Update is recommended for all users running Mac OS X Snow Leopard and includes general operating system fixes that enhance the stability, compatibility, and security of your Mac. The update weighs in at 785.29 MB. Mac OS X Server 10.6.3 v1.1 Update (Combo) The 10.6.3 v1.1 update is recommended for all servers currently running Snow Leopard Server version 10.6 and includes general operating system fixes that enhance the stability, compatibility and security of your server. The update weighs in at 897.32 MB.
Patch for ancient DOS bug in latest Windows XP update causing blue screen errors
Looks like Patch Tuesday turned into BSOD Tuesday for some Windows XP users -- Microsoft's latest security updates for the venerable OS are causing blue screens and endless reboots for people. That's the word according to a growing support thread on Microsoft's site -- and making matters just slightly worse / funnier, it's apparently the patch for that 17-year-old DOS vulnerability that's causing all the trouble. You win some, you lose some, right? Microsoft's identified a fix for those with access to an XP install disc and an optical drive, but that leaves most netbook users out in the cold -- and considering netbooks are where most of the recent XP action's been going down lately, we're hoping a better solution comes down the pike soon. P.S.- That's the BSOD tattoo guy in the photo -- remember him? [Thanks, HyperSl4ck3r]
Microsoft patches IE security hole, human rights activities fully resume
Ready for an update? Good. If you're still using Microsoft's Internet Explorer (versions 5.01 to 8) for some inexplicable reason, there's a patch that you should probably install on the double -- that is, if you're a hardcore human rights activist that just might end up on a Chinese hit list. All kidding aside, the devs in Redmond have broken free from their usual monthly update cycle in order to push out a patch to fix the hole that was exploited by a group of sophisticated hackers last week. Refresh that Windows Update if you're scared, or -- you know -- just download one of the many other free web browsers that are far, far superior to IE.
Windows 7 Black Screen of Death? (It's not as bad as it sounds)
Well, maybe it's not as bad as it sounds, but it's still not so good. As you're probably aware, over the last week or so Windows users of all stripes (not just Windows 7 users, as it turns out) have been complaining of a plain black screen that appears upon login -- at which point the systems lock up, and... that's it. Aside from some users getting an additional My Computer window (lucky devils) the system grinds to a halt. According to a Microsoft email that's making the rounds, the company is "investigating reports that its latest release of security updates is resulting in system issues for some customers." Until that time, what's a poor PC user to do? Prevx, a UK developer of anti-malware software, has surmised that a recent Windows security patch changed Access Control List (ACL) entries in the registry, preventing some software from running properly and prompting Engadget to whip up a Bergman-inspired graphic. If your machine should find itself afflicted, Prevx has put together a fix that it claims will do the trick. Keep in mind that we don't know these guys, so don't blame us if it blows up your computer -- or gives you the Bubonic plague. We'll let you know when we hear back from Microsoft on this one. Good luck! Update: Microsoft says this isn't its fault, and that it's likely some nasty malware to blame.
