iPhone update closes critical security holes

The eagerly awaited iPhone 2.1 software update contains not only stability fixes but also a number of security patches. Among the improvements are a fix for the dropped-call issue, fixes for crashes caused by having too many applications installed, and better battery life. Also added are support for Apple’s new iTunes Genius playlists and an option to wipe all data on the device after 10 consecutive failed attempts to enter the passcode.

More importantly, a number of security vulnerabilities were fixed, some of them rated critical. For example, weaknesses in the old firmware let a malicious application get around the restrictions of the application sandbox: a rogue application could modify the DNS cache, limit the functionality of the device, or even execute arbitrary code, so anyone running untrustworthy applications was at considerable risk. The passcode lock bypass has also been closed, as have flaws in the DNS, rendering, and networking subsystems.

Users are urged to install the update promptly. You can read the full list of security issues on Apple’s page for the update.

Serious vulnerability found in phpMyAdmin

All versions of the popular web-based MySQL management tool phpMyAdmin up to 3.0.0 release candidate 1 suffer from a code execution vulnerability.

Excerpt from heise Security:

The advisory released by the phpMyAdmin developers stated the problem was that parameters of sort_by were not escaped and an attacker, if they were already logged in, could manipulate this to call the PHP exec function and run arbitrary code.

This security hole was discovered by Norman Hippert. A partial workaround is available, but it is effective only in certain circumstances, so all administrators running phpMyAdmin are encouraged to upgrade to a patched version immediately.
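To make the vulnerability class concrete, here is an added illustration that is not phpMyAdmin’s code and does not reproduce the actual flaw or its fix: a hypothetical handler that pastes an unvalidated sort_by request parameter into PHP source that is then compiled, beside a hardened version that accepts only an allowlisted column name. The $rows sample, the column names and the function names are assumptions made up for the example.

```php
<?php
// Added illustration, not phpMyAdmin's code. The $rows sample, the
// allowed column names and the function names are constructed for
// this example.

// Constructed sample result set, shaped like a list of databases.
$rows = [
    ['SCHEMA_NAME' => 'shop',    'SCHEMA_TABLES' => 12, 'SCHEMA_DATA_LENGTH' => 4096],
    ['SCHEMA_NAME' => 'blog',    'SCHEMA_TABLES' => 7,  'SCHEMA_DATA_LENGTH' => 16384],
    ['SCHEMA_NAME' => 'archive', 'SCHEMA_TABLES' => 30, 'SCHEMA_DATA_LENGTH' => 1024],
];

// VULNERABLE (hypothetical): the sort key is spliced into PHP source
// that eval() compiles. A sort_by value containing a closing quote and
// bracket followed by PHP statements is compiled and run as code with
// the web server's privileges. Escaping is the wrong tool here, because
// the value becomes code rather than data; only an allowlist fixes it.
function sortRowsVulnerable(array $rows, string $sortBy): array
{
    $body = 'return strnatcasecmp($a["' . $sortBy . '"], $b["' . $sortBy . '"]);';
    $cmp  = eval('return function ($a, $b) { ' . $body . ' };');
    usort($rows, $cmp);
    return $rows;
}

// HARDENED: accept only a key from a fixed allowlist and sort with a
// plain closure; request data never becomes source code.
const SORTABLE_COLUMNS = ['SCHEMA_NAME', 'SCHEMA_TABLES', 'SCHEMA_DATA_LENGTH'];

function sortRowsSafe(array $rows, string $sortBy, string $order = 'ASC'): array
{
    if (!in_array($sortBy, SORTABLE_COLUMNS, true)) {
        $sortBy = 'SCHEMA_NAME';          // fall back instead of trusting the input
    }
    $dir = ($order === 'DESC') ? -1 : 1;  // the direction gets the same treatment
    usort($rows, function (array $a, array $b) use ($sortBy, $dir): int {
        return $dir * strnatcasecmp((string) $a[$sortBy], (string) $b[$sortBy]);
    });
    return $rows;
}

// Request handling: unknown keys silently fall back, so there is nothing
// an attacker can put in sort_by that reaches the comparator as code.
$sortBy = $_GET['sort_by'] ?? 'SCHEMA_NAME';
$order  = $_GET['sort_order'] ?? 'ASC';
foreach (sortRowsSafe($rows, $sortBy, $order) as $row) {
    echo $row['SCHEMA_NAME'], "\t", $row['SCHEMA_TABLES'], "\n";
}
```

The point of the hardened version is that a sort column is a choice from a small, known set, so the check is membership in that set rather than escaping; the same applies to the sort direction.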

You can read more about this issue from the official security advisory of the phpMyAdmin project.

Brad Pitt, Beyonce, and Justin Timberlake most favored by malware writers

McAfee has released a list of the top 15 celebrity names abused by spammers and malware writers. Malicious downloads of spyware, adware and potential viruses turn up in searches such as “Brad Pitt screensavers,” “Beyonce ringtones,” or “Justin Timberlake downloads.”

Research analyst Shane Keats explained:

“The bad guys follow the crowds and they’re interested in making a buck off stealing your identity,” says Keats. “It’s better to stick with well-known sites that focus on celebrity news… as the safest way to follow celebrity happenings.”

Interestingly, Paris Hilton, who was last year’s most hijacked celebrity name, has all but disappeared from the list; Keats was at a loss to explain why.

Do you have any suggestions for mitigating the risk to users targeted by these malware writers?

Feel free to discuss these security events here.