We'd like to hear from the adventurous hackers, if "bricking" has occurred. SV
iPhone v1.1.1 Update
* Bluetooth
CVE-ID: CVE-2007-3753
Impact: An attacker within Bluetooth range may be able to cause an unexpected application termination or arbitrary code execution
Description: An input validation issue exists in the iPhone's Bluetooth server. By sending maliciously-crafted Service Discovery Protocol (SDP) packets to an iPhone with Bluetooth enabled, an attacker may trigger the issue, which may lead to unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SDP packets. Credit to Kevin Mahaffey and John Hering of Flexilis Mobile Security for reporting this issue.
* Mail
CVE-ID: CVE-2007-3754
Impact: Checking email over untrusted networks may lead to information disclosure via a man-in-the-middle attack
Description: When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted. An attacker capable of intercepting the connection may be able to impersonate the user's mail server and obtain the user's email credentials or other sensitive information. This update addresses the issue by properly warning when the identity of the remote mail server has changed.
* Mail
CVE-ID: CVE-2007-3755
Impact: Following a telephone ("tel:") link in Mail will dial a phone number without confirmation
Description: Mail supports telephone ("tel:") links to dial phone numbers. By enticing a user to follow a telephone link in a mail message, an attacker can cause iPhone to place a call without user confirmation. This update addresses the issue by providing a confirmation window before dialing a phone number via a telephone link in Mail. Credit to Andi Baritchi of McAfee for reporting this issue.
* Safari
CVE-ID: CVE-2007-3756
Impact: Visiting a malicious website may lead to the disclosure of URL contents
Description: A design issue in Safari allows a web page to read the URL that is currently being viewed in its parent window. By enticing a user to visit a maliciously crafted web page, an attacker may be able to obtain the URL of an unrelated page. This update addresses the issue through an improved cross-domain security check. Credit to Michal Zalewski of Google Inc. and Secunia Research for reporting this issue.
* Safari
CVE-ID: CVE-2007-3757
Impact: Visiting a malicious website may lead to unintended dialing or dialing a different number than expected
Description: Safari supports telephone ("tel:") links to dial phone numbers. When a telephone link is selected, Safari will confirm that the number should be dialed. A maliciously crafted telephone link may cause a different number to be displayed during confirmation than the one actually dialed. Exiting Safari during the confirmation process may result in unintentional confirmation. This update addresses the issue by properly displaying the number that will be dialed, and requiring confirmation for telephone links. Credit to Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang for reporting this issue.
* Safari
CVE-ID: CVE-2007-3758
Impact: Visiting a malicious website may lead to cross-site scripting
Description: A cross-site scripting vulnerability exists in Safari that allows malicious websites to set JavaScript window properties of websites served from a different domain. By enticing a user to visit a maliciously crafted website, an attacker can trigger the issue, resulting in getting or setting the window status and location of pages served from other websites. This update addresses the issue by providing improved access controls on these properties. Credit to Michal Zalewski of Google Inc. for reporting this issue.
* Safari
CVE-ID: CVE-2007-3759
Impact: Disabling JavaScript does not take effect until Safari is restarted
Description: Safari can be configured to enable or disable JavaScript. This preference does not take effect until the next time Safari is restarted. This usually occurs when the iPhone is restarted. This may mislead users into believing that JavaScript is disabled when it is not. This update addresses the issue by applying the new preference prior to loading new web pages.
* Safari
CVE-ID: CVE-2007-3760
Impact: Visiting a malicious website may result in cross-site scripting
Description: A cross-site scripting issue in Safari allows a maliciously crafted website to bypass the same-origin policy using "frame" tags. By enticing a user to visit a maliciously crafted web page, an attacker can trigger the issue, which may lead to the execution of JavaScript in the context of another site. This update addresses the issue by disallowing JavaScript as an "iframe" source, and limiting JavaScript in frame tags to the same access as the site from which it was served. Credit to Michal Zalewski of Google Inc. and Secunia Research for reporting this issue.
* Safari
CVE-ID: CVE-2007-3761
Impact: Visiting a malicious website may result in cross-site scripting
Description: A cross-site scripting issue in Safari allows JavaScript events to be associated with the wrong frame. By enticing a user to visit a maliciously crafted web page, an attacker may cause the execution of JavaScript in the context of another site. This update addresses the issue by associating JavaScript events to the correct source frame.
* Safari
CVE-ID: CVE-2007-4671
Impact: JavaScript on websites may access or manipulate the contents of documents served over HTTPS
Description: An issue in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. By enticing a user to visit a maliciously crafted web page, an attacker may cause the execution of JavaScript in the context of HTTPS web pages in that domain. This update addresses the issue by limiting access between JavaScript executing in HTTP and HTTPS frames. Credit to Keigo Yamazaki of LAC Co., Ltd. (Little eArth Corporation Co., Ltd.) for reporting this issue.
Installation note:
This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an internet connection and have installed the latest version of iTunes from www.apple.com/itunes
iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting "Don't install" will present the option the next time you connect your iPhone.
Apple
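The fix described above for the telephone-link issues (CVE-2007-3755 and CVE-2007-3757) comes down to two rules: the confirmation must show the exact number that will be dialed, and only an explicit approval counts. The sketch below is an added example, not Apple's code; `parseTelLink`, `confirmAndDial` and the `confirm`/`dial` callbacks are hypothetical names, and the character allowlist is this example's own policy.

```javascript
// Added example: one canonical value feeds both the prompt and the dialer,
// so the displayed number cannot differ from the dialed one.

function parseTelLink(href) {
  // Accept only the tel: scheme (case-insensitive).
  const m = /^tel:(.*)$/i.exec(String(href).trim());
  if (!m) return { ok: false, reason: "not a tel: link" };

  let raw;
  try {
    // Decode percent-escapes once so hidden characters become visible
    // to the validation step below.
    raw = decodeURIComponent(m[1]);
  } catch (e) {
    return { ok: false, reason: "malformed percent-encoding" };
  }

  // Allowlist (example policy): optional leading "+", digits, and the
  // visual separators space, parentheses, dot and hyphen. Nothing else.
  if (!/^\+?[0-9 ().-]+$/.test(raw)) {
    return { ok: false, reason: "characters outside the allowlist" };
  }

  // Canonical form: separators removed, only "+" and digits remain.
  const number = raw.replace(/[ ().-]/g, "");
  if (!/^\+?[0-9]{3,15}$/.test(number)) {
    return { ok: false, reason: "implausible length" };
  }
  return { ok: true, number };
}

function confirmAndDial(href, confirm, dial) {
  const parsed = parseTelLink(href);
  if (!parsed.ok) return { dialed: false, reason: parsed.reason };

  // The prompt is built from the same string that is handed to dial().
  // Only an explicit `true` approves; a dismissed or interrupted prompt
  // (undefined, null, anything else) is treated as a refusal.
  const approved = confirm(`Call ${parsed.number}?`) === true;
  if (!approved) return { dialed: false, reason: "user declined or dismissed" };

  dial(parsed.number);
  return { dialed: true, number: parsed.number };
}
```
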
Thursday, September 27, 2007
Wednesday, September 26, 2007
Truphone to demonstrate first VoIP-over-WiFi call on Apple's iPhone
Truphone breaks new ground. SV
Key facts
iPhone demonstration
1. Many people have called for true VoIP calling on Apple's iPhone. Truphone will today prove that it is possible using the iPhone's in-built Wi-Fi capability.
2. Truphone's demonstration will comprise two iPhones connected to Wi-Fi on the DEMOfall 07 stage. A VoIP call will be initiated from one handset, routed via Wi-Fi and the Internet to Truphone's servers, and then back again to the access point and onwards to the destination handset - a 100% IP phone call.
3. Today's event will be a live demonstration only and is not a commercial launch of Truphone on the iPhone.
4. Truphone does not need to unlock the SIM in order to operate its service for the iPhone.
Facebook demonstration
1. The company will also give a demonstration today of an application that mashes up social networking site Facebook with traditional telephony. The big differentiator between Truphone's demonstration and other applications for Facebook is that Truphone is the only one to embed an actual phone into the very heart of Facebook.
2. Facebook users will be able to drop their Truphone 'Call Me' button onto their friends' Walls and also embed it into Facebook messages. People will be able to allow other people to call them, while keeping their actual number confidential.
3. The Truphone 'Call Me' button for Facebook to be demonstrated today showcases the potential for additional innovative services enabled by Truphone's all-IP internet telephony infrastructure.
4. Truphone's Facebook application is currently in development.
Truphone
Monday, September 24, 2007
Unlocked iPhone Warranty voiding
Hacking can be a risky business. SV
Saying it had found that many of the unlocking programs "cause irreparable damage to the iPhone's software," Apple spelled out the policy. "Users who make unauthorized modifications to the software on their iPhone violate their iPhone software license agreement and void their warranty," the company said in a statement. "The permanent inability to use an iPhone due to installing software is not covered under the iPhone's warranty."
Computerworld
Saturday, September 22, 2007
iPhone AutoSync
Making life a little less stressful, one product at a time. SV
iPhone AutoSync, What is it?
Out of the box, the iPhone does a great job of synchronizing with the Mac’s built in PIM applications, Address Book and iCal, and bookmarks, courtesy of Safari.
Enter iPhone AutoSync! iPhone AutoSync monitors your three synced applications, and, when changes are made, makes a note. After a few minutes, if no more changes have been made, it triggers a sync with your phone. Thus all your information is up to date in both places, pretty much all the time.
Standalone
Apple's iPhone France: Launch November 29th
Mais oui, Apple et l'Orange.
Who said you can't talk about Apples and Oranges at the same time?
Orange has 2000 WiFi hotspots in Paris! SV
InformationWeek
Flicker
Monday, September 10, 2007
iPhone accessories: a watch?
Timex has a watch, iControl, which lets you have remote control capability with iPods.
It might actually work with the iPhone.
Let us know if you have tried it. SV
Timex
Watchreport
Sunday, September 9, 2007
iPhone JAVA programs: bookmarklets
Necessity is the mother of invention.
Here is the explanation by Steve Kangas.
Many can be used with Safari.
Let us know which are your favorites. SV
How do they work?
Each bookmarklet is a tiny program (a JavaScript application) contained in a bookmark (the URL is a "javascript:" URL) which can be saved and used the same way you use normal bookmarks. The idea was suggested in the Netscape JavaScript Guide.
JavaScript has been used by page authors on millions of webpages; Bookmarklets allow anybody to use JavaScript - on whatever page you choose (not just your own page).
Bookmarklets are simple tools that extend the surf and search capabilities of Netscape and Explorer web browsers.
Bookmarklets are free.
Bookmarklets allow you to:
* Modify the way you see someone else's webpage.
* Extract data from a webpage.
* Search more quickly, and in ways not possible with a search engine.
* Navigate in new ways.
...and more. Over 150 bookmarklets are available.
Bookmarklets work on all platforms (Windows, Macintosh, Unix,...)
You do not have to download or install software to use Bookmarklets.
Bookmarklets
Samrod
iPhone Medical Software/Reference survey results
As of September 09, 2007, we have 41 votes for an application running on the device vs 3 votes for a Web 2.0 application accessible via Edge or WiFi.
We have 40 days left to this voting cycle, so tell your peers and friends to visit and be heard. Speaking of which, feel free to add comments to explain your decision. SV
Click here to join the survey
Share your iPhone insights with us
We can't review all the great sites out there.
If you are an iPhone user or iPhone (software/accessory) vendor, add a comment and share.
We will all benefit. SV
Saturday, September 8, 2007
iPhone: Germany, T-Mobile
Here is an ad posted on the Net.
Upgraded memory and Broadband access!
Christmas is coming soon. SV
Electronista
Thursday, September 6, 2007
iPhone 100 dollars "refund"
Yep, you got to hand it to Mr Jobs.
No other major manufacturer in recent history has done this.
A $100 store credit is not the same as cash, but better than anyone else would have done.
Having purchased technology often considered bleeding edge, I too have a little "buyer's remorse" as prices dropped or the edge moved faster than I anticipated.
I did however enjoy and benefit from the use of these products and that more than offset the inevitable price drop and technology advancement.
Now both early adopters and frugal buyers win.
Thanks Mr Jobs.
P.S. If you used a credit card with a price protection option, you may be able to get the full $200 cash, American money. SV
Apple letter
iTunes Wi-Fi Music Store
We can access the iTunes store via Wi-Fi: sample music, make purchases.
Free access at Starbucks too. SV
Apple
Cell phones in hospitals
According to the Mayo Clinic, it may be okay to use your newly discounted iPhone at the hospital. SV
ROCHESTER, Minn. -- Calls made on cellular phones have no negative impact on hospital medical devices, dispelling the long-held notion that they are unsafe to use in health care facilities, according to Mayo Clinic researchers.
In a study published in the March 2007 issue of Mayo Clinic Proceedings, researchers say normal use of cell phones results in no noticeable interference with patient care equipment. Three hundred tests were performed over a five-month period in 2006, without a single problem incurred.
Mayo Clinic
Wednesday, September 5, 2007
Monday, September 3, 2007