Oh yeah, I ran again. Except this time I got to mile 1, didn't hurt. So I decided to keep going.
Got to mile 2, still didn't feel it. Got to Mile 3, still not tired, but I decided not to kill my legs, just in case, and cut it short at 3.25 miles. Felt pretty good, wasn't sore or anything, so good stuff. I'll just keep ramping it up just a little bit every time until I get back up to my comfortable distance.
Subscribe in a reader
Monday, September 29
Physical Fitness #2
Oh yeah, I ran again. Except this time I got to mile 1, didn't hurt. So I decided to keep going.
Got to mile 2, still didn't feel it. Got to Mile 3, still not tired, but I decided not to kill my legs, just in case, and cut it short at 3.25 miles. Felt pretty good, wasn't sore or anything, so good stuff. I'll just keep ramping it up just a little bit every time until I get back up to my comfortable distance.
Subscribe in a reader
Got to mile 2, still didn't feel it. Got to Mile 3, still not tired, but I decided not to kill my legs, just in case, and cut it short at 3.25 miles. Felt pretty good, wasn't sore or anything, so good stuff. I'll just keep ramping it up just a little bit every time until I get back up to my comfortable distance.
Subscribe in a reader
Sunday, September 21
A tale of Physical Fitness
Quick background -- I used to be in the Army. I joined the Army in 1997, and got out in 2003. In the Army we used to have this thing called a PFT, or Physical Fitness Test.
One of the events in the PFT was a 2 mile run. I was always pretty good at this event, as I am not a huge guy. My best time in the 2 mile run was 10 minutes 26 seconds. A pretty respectable time. But, that was about 8 years ago. I was pretty good at running and ran several 10k's, 5k's and even a marathon. (Honolulu Marathon 2000)
I recently had a friend of mine, who is NOTORIOUS for making outrageous claims, say he could beat me at a marathon. Well, seeing as how this dude weighs about 100 more lbs than me, and is almost a foot taller than me, I KNOW I can beat him. 100 bucks says I can.
So I went out yesterday, got me a new pair of running sneakers (which I haven't had in about 5 years -- not even a new pair, but a pair period) and a Nike+ module for my shoe. (You know, one of those things that goes in your shoe and connects to your iPod Nano and tracks your progress)
I have to say, that's a pretty cool little thing. Now, please keep in mind that I haven't ran AT ALL in about 5 years. Not even to the mailbox. So this morning I woke up, and ran my first two miles.
I'm happy to report that I am still alive. I am also happy to report that I can still pass the 2 mile run on the Army PT test. But I have a long way to go to build up to 26 miles again. (Seeing as how, before the Marathon I ran in 2000, I as 8 years younger and trained by running 10 miles every morning).
Subscribe in a reader
One of the events in the PFT was a 2 mile run. I was always pretty good at this event, as I am not a huge guy. My best time in the 2 mile run was 10 minutes 26 seconds. A pretty respectable time. But, that was about 8 years ago. I was pretty good at running and ran several 10k's, 5k's and even a marathon. (Honolulu Marathon 2000)
I recently had a friend of mine, who is NOTORIOUS for making outrageous claims, say he could beat me at a marathon. Well, seeing as how this dude weighs about 100 more lbs than me, and is almost a foot taller than me, I KNOW I can beat him. 100 bucks says I can.
So I went out yesterday, got me a new pair of running sneakers (which I haven't had in about 5 years -- not even a new pair, but a pair period) and a Nike+ module for my shoe. (You know, one of those things that goes in your shoe and connects to your iPod Nano and tracks your progress)
I have to say, that's a pretty cool little thing. Now, please keep in mind that I haven't ran AT ALL in about 5 years. Not even to the mailbox. So this morning I woke up, and ran my first two miles.
I'm happy to report that I am still alive. I am also happy to report that I can still pass the 2 mile run on the Army PT test. But I have a long way to go to build up to 26 miles again. (Seeing as how, before the Marathon I ran in 2000, I as 8 years younger and trained by running 10 miles every morning).
Subscribe in a reader
A tale of Physical Fitness
Quick background -- I used to be in the Army. I joined the Army in 1997, and got out in 2003. In the Army we used to have this thing called a PFT, or Physical Fitness Test.
One of the events in the PFT was a 2 mile run. I was always pretty good at this event, as I am not a huge guy. My best time in the 2 mile run was 10 minutes 26 seconds. A pretty respectable time. But, that was about 8 years ago. I was pretty good at running and ran several 10k's, 5k's and even a marathon. (Honolulu Marathon 2000)
I recently had a friend of mine, who is NOTORIOUS for making outrageous claims, say he could beat me at a marathon. Well, seeing as how this dude weighs about 100 more lbs than me, and is almost a foot taller than me, I KNOW I can beat him. 100 bucks says I can.
So I went out yesterday, got me a new pair of running sneakers (which I haven't had in about 5 years -- not even a new pair, but a pair period) and a Nike+ module for my shoe. (You know, one of those things that goes in your shoe and connects to your iPod Nano and tracks your progress)
I have to say, that's a pretty cool little thing. Now, please keep in mind that I haven't ran AT ALL in about 5 years. Not even to the mailbox. So this morning I woke up, and ran my first two miles.
I'm happy to report that I am still alive. I am also happy to report that I can still pass the 2 mile run on the Army PT test. But I have a long way to go to build up to 26 miles again. (Seeing as how, before the Marathon I ran in 2000, I as 8 years younger and trained by running 10 miles every morning).
Subscribe in a reader
One of the events in the PFT was a 2 mile run. I was always pretty good at this event, as I am not a huge guy. My best time in the 2 mile run was 10 minutes 26 seconds. A pretty respectable time. But, that was about 8 years ago. I was pretty good at running and ran several 10k's, 5k's and even a marathon. (Honolulu Marathon 2000)
I recently had a friend of mine, who is NOTORIOUS for making outrageous claims, say he could beat me at a marathon. Well, seeing as how this dude weighs about 100 more lbs than me, and is almost a foot taller than me, I KNOW I can beat him. 100 bucks says I can.
So I went out yesterday, got me a new pair of running sneakers (which I haven't had in about 5 years -- not even a new pair, but a pair period) and a Nike+ module for my shoe. (You know, one of those things that goes in your shoe and connects to your iPod Nano and tracks your progress)
I have to say, that's a pretty cool little thing. Now, please keep in mind that I haven't ran AT ALL in about 5 years. Not even to the mailbox. So this morning I woke up, and ran my first two miles.
I'm happy to report that I am still alive. I am also happy to report that I can still pass the 2 mile run on the Army PT test. But I have a long way to go to build up to 26 miles again. (Seeing as how, before the Marathon I ran in 2000, I as 8 years younger and trained by running 10 miles every morning).
Subscribe in a reader
Friday, September 19
Quicktime/iTunes DoS
I've received several emails from readers and reporters asking me if I am going to post anything about this QT/iTunes DoS vulnerability, and my opinion..etc.
I think it's a much ado about nothing. Okay, so QT or iTunes stops working. Uh. So? Really. So what. The programs stops. That's it. It's a media app.
Call me when this vulnerability is remotely exploitable. THEN i'll be interested.
Subscribe in a reader
I think it's a much ado about nothing. Okay, so QT or iTunes stops working. Uh. So? Really. So what. The programs stops. That's it. It's a media app.
Call me when this vulnerability is remotely exploitable. THEN i'll be interested.
Subscribe in a reader
Quicktime/iTunes DoS
I've received several emails from readers and reporters asking me if I am going to post anything about this QT/iTunes DoS vulnerability, and my opinion..etc.
I think it's a much ado about nothing. Okay, so QT or iTunes stops working. Uh. So? Really. So what. The programs stops. That's it. It's a media app.
Call me when this vulnerability is remotely exploitable. THEN i'll be interested.
Subscribe in a reader
I think it's a much ado about nothing. Okay, so QT or iTunes stops working. Uh. So? Really. So what. The programs stops. That's it. It's a media app.
Call me when this vulnerability is remotely exploitable. THEN i'll be interested.
Subscribe in a reader
Monday, September 15
OSX Update 10.5.5 and Security Update 2008-006
Just hitting the streets, as we speak, Apple released OSX update 10.5.5. Built into 10.5.5 is Security Update 2008-006, marking the 6th major security update of the year. So aside from the ton of updates in 10.5.5 for OSX Leopard, check out the below updates included with it.
Keep in mind that Security Update is not just for 10.5 (OSX Leopard), being that it is also available for 10.4, Desktop and Server releases.
This update releases updates to the following items:
ATS -- Apple Type Services -- CVE-2008-2305
BIND --
10.5 -- Updated to 9.4.2-P2
10.4.11 -- Updated to 9.3.5-P2
ClamAV -- Antivirus included with OSX Server
Updated to version 0.93.3.
CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215
Directory Services x2 -- (Something I found interesting -- Vulnerability reported by the "IT Department of the West Seneca Central School District". Not your usual reporter. Very nice) -- CVE-2008-2329
Finder x2 -- CVE-2008-2331, CVE-2008-3613
ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382
Kernel -- CVE-2008-3609
libresolv -- CVE-2008-1447
Login Windows x2 -- CVE-2008-3610, CVE-2008-3611
mDNSResolver -- CVE-2008-1447
OpenSSH -- CVE-2008-1483, CVE-2008-1657
QuickDraw Manager -- CVE-2008-3614
Ruby -- CVE-2008-2376
SearchKit -- CVE-2008-3616
System Configuration -- CVE-2008-2312 (For 10.4.11)
System Preferences x2 -- CVE-2008-3617, CVE-2008-3618
Time Machine -- CVE-2008-3619
VideoConference -- CVE-2008-3621
Wiki Server -- CVE-2008-3622
So, all in all, quite a few updates here in this one.
Subscribe in a reader
Keep in mind that Security Update is not just for 10.5 (OSX Leopard), being that it is also available for 10.4, Desktop and Server releases.
This update releases updates to the following items:
ATS -- Apple Type Services -- CVE-2008-2305
BIND --
10.5 -- Updated to 9.4.2-P2
10.4.11 -- Updated to 9.3.5-P2
ClamAV -- Antivirus included with OSX Server
Updated to version 0.93.3.
CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215
Directory Services x2 -- (Something I found interesting -- Vulnerability reported by the "IT Department of the West Seneca Central School District". Not your usual reporter. Very nice) -- CVE-2008-2329
Finder x2 -- CVE-2008-2331, CVE-2008-3613
ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382
Kernel -- CVE-2008-3609
libresolv -- CVE-2008-1447
Login Windows x2 -- CVE-2008-3610, CVE-2008-3611
mDNSResolver -- CVE-2008-1447
OpenSSH -- CVE-2008-1483, CVE-2008-1657
QuickDraw Manager -- CVE-2008-3614
Ruby -- CVE-2008-2376
SearchKit -- CVE-2008-3616
System Configuration -- CVE-2008-2312 (For 10.4.11)
System Preferences x2 -- CVE-2008-3617, CVE-2008-3618
Time Machine -- CVE-2008-3619
VideoConference -- CVE-2008-3621
Wiki Server -- CVE-2008-3622
So, all in all, quite a few updates here in this one.
Subscribe in a reader
OSX Update 10.5.5 and Security Update 2008-006
Just hitting the streets, as we speak, Apple released OSX update 10.5.5. Built into 10.5.5 is Security Update 2008-006, marking the 6th major security update of the year. So aside from the ton of updates in 10.5.5 for OSX Leopard, check out the below updates included with it.
Keep in mind that Security Update is not just for 10.5 (OSX Leopard), being that it is also available for 10.4, Desktop and Server releases.
This update releases updates to the following items:
ATS -- Apple Type Services -- CVE-2008-2305
BIND --
10.5 -- Updated to 9.4.2-P2
10.4.11 -- Updated to 9.3.5-P2
ClamAV -- Antivirus included with OSX Server
Updated to version 0.93.3.
CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215
Directory Services x2 -- (Something I found interesting -- Vulnerability reported by the "IT Department of the West Seneca Central School District". Not your usual reporter. Very nice) -- CVE-2008-2329
Finder x2 -- CVE-2008-2331, CVE-2008-3613
ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382
Kernel -- CVE-2008-3609
libresolv -- CVE-2008-1447
Login Windows x2 -- CVE-2008-3610, CVE-2008-3611
mDNSResolver -- CVE-2008-1447
OpenSSH -- CVE-2008-1483, CVE-2008-1657
QuickDraw Manager -- CVE-2008-3614
Ruby -- CVE-2008-2376
SearchKit -- CVE-2008-3616
System Configuration -- CVE-2008-2312 (For 10.4.11)
System Preferences x2 -- CVE-2008-3617, CVE-2008-3618
Time Machine -- CVE-2008-3619
VideoConference -- CVE-2008-3621
Wiki Server -- CVE-2008-3622
So, all in all, quite a few updates here in this one.
Subscribe in a reader
Keep in mind that Security Update is not just for 10.5 (OSX Leopard), being that it is also available for 10.4, Desktop and Server releases.
This update releases updates to the following items:
ATS -- Apple Type Services -- CVE-2008-2305
BIND --
10.5 -- Updated to 9.4.2-P2
10.4.11 -- Updated to 9.3.5-P2
ClamAV -- Antivirus included with OSX Server
Updated to version 0.93.3.
CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215
Directory Services x2 -- (Something I found interesting -- Vulnerability reported by the "IT Department of the West Seneca Central School District". Not your usual reporter. Very nice) -- CVE-2008-2329
Finder x2 -- CVE-2008-2331, CVE-2008-3613
ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382
Kernel -- CVE-2008-3609
libresolv -- CVE-2008-1447
Login Windows x2 -- CVE-2008-3610, CVE-2008-3611
mDNSResolver -- CVE-2008-1447
OpenSSH -- CVE-2008-1483, CVE-2008-1657
QuickDraw Manager -- CVE-2008-3614
Ruby -- CVE-2008-2376
SearchKit -- CVE-2008-3616
System Configuration -- CVE-2008-2312 (For 10.4.11)
System Preferences x2 -- CVE-2008-3617, CVE-2008-3618
Time Machine -- CVE-2008-3619
VideoConference -- CVE-2008-3621
Wiki Server -- CVE-2008-3622
So, all in all, quite a few updates here in this one.
Subscribe in a reader
Friday, September 12
iPhone 2.1 actually lists its updates?!
Very uncharacteristic for Apple, but the update screen for 2.1 actually lists its updates.
Wow.
- Decrease in call set-up failures and call drops
- Significantly improved battery life for most useres
- Dramatically reduced time to backup to iTunes
- Improved email reliability, notably fetching email from POP and exchange accounts.
- Faster installation of 3rd party applications.
- Fixed bugs causing hangs and crashed if you have lots of 3rd party applications
- Improved performance in text messaging
- Faster loading and searching of contacts
- Improved accuracy of the 3G signal strength display
- Repeat alert up to two additional time for incoming text messages
- Option to wipe data after ten failed passcode attempts
- Genius playlist creation.
Thanks for letting us know all these things Apple, please keep up the straightforwardness in updates!
iPhone 2.1 is out, and here it is
iPhone v2.1
Available for: iPhone v2.0 through v2.0.2
Impact: An application may be able to read another application's files
Description: The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox, and lead to the disclosure of sensitive information. This update addresses the issue by enforcing the proper access restrictions between application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell for reporting this issue. This issue does not affect iPhone versions prior to v2.0.
Available for: iPhone v1.0 through v2.0.2
Impact: Multiple vulnerabilities in FreeType v2.3.5
Description: Multiple vulnerabilities exist in FreeType v2.3.5, the most serious of which may lead to arbitrary code execution when accessing maliciously crafted font data. This update addresses the issue by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at http://www.freetype.org/
Available for: iPhone v1.0 through v2.0.2
Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information
Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.
Available for: iPhone v2.0 through v2.0.2
Impact: Predictable TCP initial sequence numbers generation may lead to TCP spoofing or session hijacking
Description: TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection. This update addresses the issue by generating random TCP initial sequence numbers. This issue does not affect iPhone versions prior to v2.0.
Available for: iPhone v2.0 through v2.0.2
Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications
Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode by double clicking the home button in emergency call. This update addresses the issue through improved handling of emergency calls. Credit to Matthew Yohe of The University of Iowa's Department of Electrical and Computer Engineering for reporting this issue. This issue does not affect iPhone versions prior to v2.0.
Available for: iPhone v1.0 through v2.0.2
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document references.
- Application Sandbox
Available for: iPhone v2.0 through v2.0.2
Impact: An application may be able to read another application's files
Description: The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox, and lead to the disclosure of sensitive information. This update addresses the issue by enforcing the proper access restrictions between application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell for reporting this issue. This issue does not affect iPhone versions prior to v2.0.
- CoreGraphics
Available for: iPhone v1.0 through v2.0.2
Impact: Multiple vulnerabilities in FreeType v2.3.5
Description: Multiple vulnerabilities exist in FreeType v2.3.5, the most serious of which may lead to arbitrary code execution when accessing maliciously crafted font data. This update addresses the issue by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at http://www.freetype.org/
- mDNSResponder
Available for: iPhone v1.0 through v2.0.2
Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information
Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.
- Networking
Available for: iPhone v2.0 through v2.0.2
Impact: Predictable TCP initial sequence numbers generation may lead to TCP spoofing or session hijacking
Description: TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection. This update addresses the issue by generating random TCP initial sequence numbers. This issue does not affect iPhone versions prior to v2.0.
- Passcode Lock
Available for: iPhone v2.0 through v2.0.2
Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications
Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode by double clicking the home button in emergency call. This update addresses the issue through improved handling of emergency calls. Credit to Matthew Yohe of The University of Iowa's Department of Electrical and Computer Engineering for reporting this issue. This issue does not affect iPhone versions prior to v2.0.
- WebKit
Available for: iPhone v1.0 through v2.0.2
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document references.
iPhone 2.1 actually lists its updates?!
Very uncharacteristic for Apple, but the update screen for 2.1 actually lists its updates.
Wow.
- Decrease in call set-up failures and call drops
- Significantly improved battery life for most useres
- Dramatically reduced time to backup to iTunes
- Improved email reliability, notably fetching email from POP and exchange accounts.
- Faster installation of 3rd party applications.
- Fixed bugs causing hangs and crashed if you have lots of 3rd party applications
- Improved performance in text messaging
- Faster loading and searching of contacts
- Improved accuracy of the 3G signal strength display
- Repeat alert up to two additional time for incoming text messages
- Option to wipe data after ten failed passcode attempts
- Genius playlist creation.
Thanks for letting us know all these things Apple, please keep up the straightforwardness in updates!
iPhone 2.1 is out, and here it is
iPhone v2.1
Available for: iPhone v2.0 through v2.0.2
Impact: An application may be able to read another application's files
Description: The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox, and lead to the disclosure of sensitive information. This update addresses the issue by enforcing the proper access restrictions between application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell for reporting this issue. This issue does not affect iPhone versions prior to v2.0.
Available for: iPhone v1.0 through v2.0.2
Impact: Multiple vulnerabilities in FreeType v2.3.5
Description: Multiple vulnerabilities exist in FreeType v2.3.5, the most serious of which may lead to arbitrary code execution when accessing maliciously crafted font data. This update addresses the issue by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at http://www.freetype.org/
Available for: iPhone v1.0 through v2.0.2
Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information
Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.
Available for: iPhone v2.0 through v2.0.2
Impact: Predictable TCP initial sequence numbers generation may lead to TCP spoofing or session hijacking
Description: TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection. This update addresses the issue by generating random TCP initial sequence numbers. This issue does not affect iPhone versions prior to v2.0.
Available for: iPhone v2.0 through v2.0.2
Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications
Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode by double clicking the home button in emergency call. This update addresses the issue through improved handling of emergency calls. Credit to Matthew Yohe of The University of Iowa's Department of Electrical and Computer Engineering for reporting this issue. This issue does not affect iPhone versions prior to v2.0.
Available for: iPhone v1.0 through v2.0.2
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document references.
- Application Sandbox
Available for: iPhone v2.0 through v2.0.2
Impact: An application may be able to read another application's files
Description: The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox, and lead to the disclosure of sensitive information. This update addresses the issue by enforcing the proper access restrictions between application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell for reporting this issue. This issue does not affect iPhone versions prior to v2.0.
- CoreGraphics
Available for: iPhone v1.0 through v2.0.2
Impact: Multiple vulnerabilities in FreeType v2.3.5
Description: Multiple vulnerabilities exist in FreeType v2.3.5, the most serious of which may lead to arbitrary code execution when accessing maliciously crafted font data. This update addresses the issue by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at http://www.freetype.org/
- mDNSResponder
Available for: iPhone v1.0 through v2.0.2
Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information
Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.
- Networking
Available for: iPhone v2.0 through v2.0.2
Impact: Predictable TCP initial sequence numbers generation may lead to TCP spoofing or session hijacking
Description: TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection. This update addresses the issue by generating random TCP initial sequence numbers. This issue does not affect iPhone versions prior to v2.0.
- Passcode Lock
Available for: iPhone v2.0 through v2.0.2
Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications
Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode by double clicking the home button in emergency call. This update addresses the issue through improved handling of emergency calls. Credit to Matthew Yohe of The University of Iowa's Department of Electrical and Computer Engineering for reporting this issue. This issue does not affect iPhone versions prior to v2.0.
- WebKit
Available for: iPhone v1.0 through v2.0.2
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document references.
Wow, Um, So hey, how you doing?
Haven't Blogged in awhile, I've been working on some other stuff as well over at dearcupertino.com.
For those of you that haven't seen, here's a bit of mac news, Apple released iTunes 8, a new set of iPod Nano's (going back to the more vertical shape), updated and dropped the price on the iPod Touch, as well as refreshing the iPod Classic line.
Basically, for the holiday shopping season. Good stuff.
They also released an update to the iPod Touch software (2.1), and it has some nifty features in it (like the Genius feature from iTunes 8.0). Reports are also, that it is faster. The iPhone update 2.1 is supposed to hit today, so I might blog again with some updates about that.
Otherwise, for those who know me, and know that i have been on a single customer site for the past year+, I have 12 days left (including weekends.)
Subscribe to:
Posts (Atom)
-
Without going off the deep-end here and discussing every single Snort rule keyword, I just wanted to touch on a few modifiers that people so...
-
Let me start off by saying I'm not bashing the writer of this article, and I'm trying not to be super critical. I don't want to...
-
Let's say you're like me, an avid Omnifocus user, but you've been hearing great things about Reminders on MacOS/iOS/iPadOS, and ...