Here's the link.
Get copy and paste, stereo bluetooth, landscape keyboard, peer to peer gaming and more. SV
Video presentation
Apple
Showing posts with label update. Show all posts
Showing posts with label update. Show all posts
Wednesday, June 17, 2009
iPod Touch 3.0 OS upgrade video
Here's the link.
Get copy and paste, stereo bluetooth, landscape keyboard, peer to peer gaming and more. SV
Video presentation
Apple
Get copy and paste, stereo bluetooth, landscape keyboard, peer to peer gaming and more. SV
Video presentation
Apple
Thursday, September 27, 2007
iPhone update 1.1.1. now available
We'd like to hear from the adventurous hackers, if "bricking" has occurred. SV
iPhone v1.1.1 Update
*
Bluetooth
CVE-ID: CVE-2007-3753
Impact: An attacker within Bluetooth range may be able to cause an unexpected application termination or arbitrary code execution
Description: An input validation issue exists in the iPhone's Bluetooth server. By sending maliciously-crafted Service Discovery Protocol (SDP) packets to an iPhone with Bluetooth enabled, an attacker may trigger the issue, which may lead to unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SDP packets. Credit to Kevin Mahaffey and John Hering of Flexilis Mobile Security for reporting this issue.
*
Mail
CVE-ID: CVE-2007-3754
Impact: Checking email over untrusted networks may lead to information disclosure via a man-in-the-middle attack
Description: When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted. An attacker capable of intercepting the connection may be able to impersonate the user's mail server and obtain the user's email credentials or other sensitive information. This update addresses the issue by properly warning when the identity of the remote mail server has changed.
*
Mail
CVE-ID: CVE-2007-3755
Impact: Following a telephone ("tel:") link in Mail will dial a phone number without confirmation
Description: Mail supports telephone ("tel:") links to dial phone numbers. By enticing a user to follow a telephone link in a mail message, an attacker can cause iPhone to place a call without user confirmation. This update addresses the issue by providing a confirmation window before dialing a phone number via a telephone link in Mail. Credit to Andi Baritchi of McAfee for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3756
Impact: Visiting a malicious website may lead to the disclosure of URL contents
Description: A design issue in Safari allows a web page to read the URL that is currently being viewed in its parent window. By enticing a user to visit a maliciously crafted web page, an attacker may be able to obtain the URL of an unrelated page. This update addresses the issue through an improved cross-domain security check. Credit to Michal Zalewski of Google Inc. and Secunia Research for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3757
Impact: Visiting a malicious website may lead to unintended dialing or dialing a different number than expected
Description: Safari supports telephone ("tel:") links to dial phone numbers. When a telephone link is selected, Safari will confirm that the number should be dialed. A maliciously crafted telephone link may cause a different number to be displayed during confirmation than the one actually dialed. Exiting Safari during the confirmation process may result in unintentional confirmation. This update addresses the issue by properly displaying the number that will be dialed, and requiring confirmation for telephone links. Credit to Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3758
Impact: Visiting a malicious website may lead to cross-site scripting
Description: A cross-site scripting vulnerability exists in Safari that allows malicious websites to set JavaScript window properties of websites served from a different domain. By enticing a user to visit a maliciously crafted website, an attacker can trigger the issue, resulting in getting or setting the window status and location of pages served from other websites. This update addresses the issue by providing improved access controls on these properties. Credit to Michal Zalewski of Google Inc. for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3759
Impact: Disabling JavaScript does not take effect until Safari is restarted
Description: Safari can be configured to enable or disable JavaScript. This preference does not take effect until the next time Safari is restarted. This usually occurs when the iPhone is restarted. This may mislead users into believing that JavaScript is disabled when it is not. This update addresses the issue by applying the new preference prior to loading new web pages.
*
Safari
CVE-ID: CVE-2007-3760
Impact: Visiting a malicious website may result in cross-site scripting
Description: A cross-site scripting issue in Safari allows a maliciously crafted website to bypass the same-origin policy using "frame" tags. By enticing a user to visit a maliciously crafted web page, an attacker can trigger the issue, which may lead to the execution of JavaScript in the context of another site. This update addresses the issue by disallowing JavaScript as an "iframe" source, and limiting JavaScript in frame tags to the same access as the site from which it was served. Credit to Michal Zalewski of Google Inc. and Secunia Research for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3761
Impact: Visiting a malicious website may result in cross-site scripting
Description: A cross-site scripting issue in Safari allows JavaScript events to be associated with the wrong frame. By enticing a user to visit a maliciously crafted web page, an attacker may cause the execution of JavaScript in the context of another site. This update addresses the issue by associating JavaScript events to the correct source frame.
*
Safari
CVE-ID: CVE-2007-4671
Impact: JavaScript on websites may access or manipulate the contents of documents served over HTTPS
Description: An issue in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. By enticing a user to visit a maliciously crafted web page, an attacker may cause the execution of JavaScript in the context of HTTPS web pages in that domain. This update addresses the issue by limiting access between JavaScript executing in HTTP and HTTPS frames. Credit to Keigo Yamazaki of LAC Co., Ltd. (Little eArth Corporation Co., Ltd.) for reporting this issue.
Installation note:
This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an internet connection and have installed the latest version of iTunes from www.apple.com/itunes
iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting "Don't install" will present the option the next time you connect your iPhone.
Apple
iPhone v1.1.1 Update
*
Bluetooth
CVE-ID: CVE-2007-3753
Impact: An attacker within Bluetooth range may be able to cause an unexpected application termination or arbitrary code execution
Description: An input validation issue exists in the iPhone's Bluetooth server. By sending maliciously-crafted Service Discovery Protocol (SDP) packets to an iPhone with Bluetooth enabled, an attacker may trigger the issue, which may lead to unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SDP packets. Credit to Kevin Mahaffey and John Hering of Flexilis Mobile Security for reporting this issue.
*
CVE-ID: CVE-2007-3754
Impact: Checking email over untrusted networks may lead to information disclosure via a man-in-the-middle attack
Description: When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted. An attacker capable of intercepting the connection may be able to impersonate the user's mail server and obtain the user's email credentials or other sensitive information. This update addresses the issue by properly warning when the identity of the remote mail server has changed.
*
CVE-ID: CVE-2007-3755
Impact: Following a telephone ("tel:") link in Mail will dial a phone number without confirmation
Description: Mail supports telephone ("tel:") links to dial phone numbers. By enticing a user to follow a telephone link in a mail message, an attacker can cause iPhone to place a call without user confirmation. This update addresses the issue by providing a confirmation window before dialing a phone number via a telephone link in Mail. Credit to Andi Baritchi of McAfee for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3756
Impact: Visiting a malicious website may lead to the disclosure of URL contents
Description: A design issue in Safari allows a web page to read the URL that is currently being viewed in its parent window. By enticing a user to visit a maliciously crafted web page, an attacker may be able to obtain the URL of an unrelated page. This update addresses the issue through an improved cross-domain security check. Credit to Michal Zalewski of Google Inc. and Secunia Research for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3757
Impact: Visiting a malicious website may lead to unintended dialing or dialing a different number than expected
Description: Safari supports telephone ("tel:") links to dial phone numbers. When a telephone link is selected, Safari will confirm that the number should be dialed. A maliciously crafted telephone link may cause a different number to be displayed during confirmation than the one actually dialed. Exiting Safari during the confirmation process may result in unintentional confirmation. This update addresses the issue by properly displaying the number that will be dialed, and requiring confirmation for telephone links. Credit to Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3758
Impact: Visiting a malicious website may lead to cross-site scripting
Description: A cross-site scripting vulnerability exists in Safari that allows malicious websites to set JavaScript window properties of websites served from a different domain. By enticing a user to visit a maliciously crafted website, an attacker can trigger the issue, resulting in getting or setting the window status and location of pages served from other websites. This update addresses the issue by providing improved access controls on these properties. Credit to Michal Zalewski of Google Inc. for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3759
Impact: Disabling JavaScript does not take effect until Safari is restarted
Description: Safari can be configured to enable or disable JavaScript. This preference does not take effect until the next time Safari is restarted. This usually occurs when the iPhone is restarted. This may mislead users into believing that JavaScript is disabled when it is not. This update addresses the issue by applying the new preference prior to loading new web pages.
*
Safari
CVE-ID: CVE-2007-3760
Impact: Visiting a malicious website may result in cross-site scripting
Description: A cross-site scripting issue in Safari allows a maliciously crafted website to bypass the same-origin policy using "frame" tags. By enticing a user to visit a maliciously crafted web page, an attacker can trigger the issue, which may lead to the execution of JavaScript in the context of another site. This update addresses the issue by disallowing JavaScript as an "iframe" source, and limiting JavaScript in frame tags to the same access as the site from which it was served. Credit to Michal Zalewski of Google Inc. and Secunia Research for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3761
Impact: Visiting a malicious website may result in cross-site scripting
Description: A cross-site scripting issue in Safari allows JavaScript events to be associated with the wrong frame. By enticing a user to visit a maliciously crafted web page, an attacker may cause the execution of JavaScript in the context of another site. This update addresses the issue by associating JavaScript events to the correct source frame.
*
Safari
CVE-ID: CVE-2007-4671
Impact: JavaScript on websites may access or manipulate the contents of documents served over HTTPS
Description: An issue in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. By enticing a user to visit a maliciously crafted web page, an attacker may cause the execution of JavaScript in the context of HTTPS web pages in that domain. This update addresses the issue by limiting access between JavaScript executing in HTTP and HTTPS frames. Credit to Keigo Yamazaki of LAC Co., Ltd. (Little eArth Corporation Co., Ltd.) for reporting this issue.
Installation note:
This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an internet connection and have installed the latest version of iTunes from www.apple.com/itunes
iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting "Don't install" will present the option the next time you connect your iPhone.
Apple
Tuesday, July 31, 2007
iPhone security update version 1.01 now available!
"Click on Get iPhone Software Version 1.0.1" SV
Apple support
iPhone v1.0.1 Update
*
Safari
CVE-ID: CVE-2007-2400
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site scripting
Description: Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3944
Available for: iPhone v1.0
Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution
Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.
*
WebCore
CVE-ID: CVE-2007-2401
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.
*
WebKit
CVE-ID: CVE-2007-3742
Available for: iPhone v1.0
Impact: Look-alike characters in a URL could be used to masquerade a website
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by through an improved domain name validity check.
*
WebKit
CVE-ID: CVE-2007-2399
Available for: iPhone v1.0
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.
Apple support
iPhone v1.0.1 Update
*
Safari
CVE-ID: CVE-2007-2400
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site scripting
Description: Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.
*
Safari
CVE-ID: CVE-2007-3944
Available for: iPhone v1.0
Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution
Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.
*
WebCore
CVE-ID: CVE-2007-2401
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.
*
WebKit
CVE-ID: CVE-2007-3742
Available for: iPhone v1.0
Impact: Look-alike characters in a URL could be used to masquerade a website
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by through an improved domain name validity check.
*
WebKit
CVE-ID: CVE-2007-2399
Available for: iPhone v1.0
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.
iPhone software update is coming soon
Let's hope their heard our requests.
Let us (and them know what would be on your wishlist. SV
Speaking to analysts for RBC Capital Markets this week, Apple's Vice President of iPod Product Marketing, Greg Joswiak, said the first software update for his company's iPhone handset is due to arrive shortly.
Appleinsider
Let us (and them know what would be on your wishlist. SV
Speaking to analysts for RBC Capital Markets this week, Apple's Vice President of iPod Product Marketing, Greg Joswiak, said the first software update for his company's iPhone handset is due to arrive shortly.
Appleinsider
Subscribe to:
Comments (Atom)
Posts
