Archive for Exploits

Another iPhone Upgrade. Privacy at Risk

Courtesy of Apple


Gizmodo released a video today illustrating a security flaw in the iPhone 2.0.2 upgrade which was released on August 15. The video demonstrates how to bypass the passcode needed to unlock a locked iPhone.

To bypass the code anyone can move the locking slider, and when asked for the passcode they need only tap the “Emergency Call” button once, and then double tap “Home”. The video below demonstrates the technique.

Once unlocked they have full access to the phone and can make calls, send and read emails, make online purchases and more.

Apple addressed the issue in an email released today, but no date for a patch to this security risk has been mentioned. Instead, Apple suggests users modify their settings so that the Home button goes to their music collection instead of their Favorites.

Back on August 5, I reported on Apple’s release of a firmware upgrade (v2.0.1) which was designed to remedy widespread problems experienced by iPhone users who upgraded to the iPhone 2.0 operating system after July 11. Problems addressed were instability issues, application crashes, responsiveness, and speed.

13 days later, August 15, v2.0.2 was released to address connectivity issues with the faster 3G wireless networks and a few other minor problems with the App Store and the Safari Internet browser.

It’s been yet another 13 days and now Apple has yet another hole to fill in their popular device’s operating system. A date for release is pending.

Apple projects sales of the iPhone are to reach 10 million by year’s end.

Update Aug. 29: Still no exact date for the update, but word from Apple has it that it will be some time in September. My guess is they’re all off for Labor Day weekend, so they’ll tackle it late next week.

Post Comments or Questions with the link below. Keep up-to-date with Skylarking: By Email or RSS Newsfeed or on Twitter. You can also send questions with my email form. I’m looking forward to hearing from you.



Apple’s MobileMe: A New Spammer Resource

Users of, that is, subscribers to, Apple’s MobileMe service have found themselves getting more spam than usual, as well as some “phishing” scams aimed directly at them.  And spammers are getting fewer bouncebacks.

The problem lies in the iDisk online file storage service every subscriber is provided with. The service comes with a “public” folder which cannot be hidden or deleted. Every public folder starts with the address http://idisk.mac.com/ and then it’s followed by their username and “-Public”. A programmer can write code to automatically generate random user names using words and names straight out of a digital dictionary.

“Why do this with iDisk’s public folder space?”, you ask.

iDisk: A Sample Public Folder


The username associated with a public iDisk folder is also the first half of the email address assigned to the subscriber with the MobileMe service. The second half of the address is either @me.com or @mac.com. This hack allows a spammer to determine the validity of an email address. Any http://idisk.mac.com/username-Public address that doesn’t result in an “Account Error: Inactive” message — as the link above probably will — means that they’ve found a legitimate account. A legitimate account would come up with a page as shown in the picture at right.

Furthermore, if the public folder shows that there are files stored in that location, as the sample picture shows, a spammer could tailor a message referring to that file in an effort to get the user to reply and reveal personal information.

Imagine if you used this service: You upload some of your files or photos to it, and then, a few days or weeks later you get an email mentioning one or more of your files by name. If you hadn’t thought about your “public folder” being “public”, you might take the message very seriously. Even more so if the sender claimed to represent Apple. (Of course that spammer would be breaking the law by falsely identifying themselves. See my article “Spammers Get CANned”.)
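From the service operator's side, this kind of guessing leaves a recognizable trail: one client requesting many different username-Public addresses in a short time, most of them inactive. The sketch below is an added example, not code from Apple or from this article; the log format, the `ok`/`inactive` outcome field, and the thresholds are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): ISO time, client IP, path, outcome.
SAMPLE_LOG = """\
2008-08-20T10:00:01 203.0.113.7 /aaron-Public inactive
2008-08-20T10:00:02 203.0.113.7 /abbey-Public inactive
2008-08-20T10:00:03 203.0.113.7 /abel-Public ok
2008-08-20T10:00:04 203.0.113.7 /abner-Public inactive
2008-08-20T10:00:05 203.0.113.7 /acorn-Public inactive
2008-08-20T10:00:06 203.0.113.7 /adam-Public ok
2008-08-20T10:02:10 198.51.100.4 /jsmith-Public ok
2008-08-20T10:02:40 198.51.100.4 /jsmith-Public ok
2008-08-20T10:09:00 198.51.100.4 /mjones-Public ok
"""

LINE = re.compile(r"^(\S+) (\S+) /([^/\s]+)-Public (inactive|ok)$")

def parse(log_text):
    """Yield (time, client, username, hit) for each public-folder request."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, client, user, outcome = m.groups()
            yield datetime.fromisoformat(ts), client, user.lower(), outcome == "ok"

def find_enumerators(log_text, window=timedelta(seconds=60),
                     min_users=5, min_miss_ratio=0.5):
    """Return {client: usernames it confirmed} for clients that look like guessers."""
    by_client = defaultdict(list)
    for event in parse(log_text):
        by_client[event[1]].append(event)
    flagged = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the span covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {e[2] for e in span}
            misses = {e[2] for e in span if not e[3]}
            if len(users) >= min_users and len(misses) / len(users) >= min_miss_ratio:
                # Accounts this client now knows are real: the ones to warn first.
                flagged[client] = sorted({e[2] for e in events if e[3]})
                break
    return flagged
```

The usernames returned for a flagged client are the accounts most likely to receive tailored spam next, so they are the ones worth notifying.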

Anyone Can See The Files?

Anyone can see or read the names of your public files, assuming they find your public folder, but they won’t be able to access, open, or download them unless they take a guess at your login information, too; so make sure you use a good password and not your birthday or pet’s name.  They can’t upload anything to your folder either, unless they figure out your login info.

Simply said, Apple’s MobileMe iDisk service gives spammers a handy way to determine valid email addresses, so they get fewer, if any, bouncebacks and undeliverable messages. The names of files stored on iDisk could be used to make the spammer’s or phisher’s message appear legitimate.

Phishing. For those unfamiliar with this term, simply stated, it is an email message designed to get the recipient to reveal personal information such as account numbers or login information. The sender poses as a well-known service or someone offering an enticement to respond. Popular targets have been eBay, PayPal, and online banking users.

In the iDisk problem discussed here, the phisher can determine if a username and email address exists. Furthermore, if the account owner stores files publicly on the service, the names of files can be referred to in a phisher’s email message to shore up their credibility.



Microsoft Word 2002 Flaw Under Investigation

Tuesday, July 8, 2008, Redmond, WA — Microsoft released a Security Advisory regarding a “possible vulnerability” in Microsoft Word 2002 SP3 (also known as Word XP, but do not confuse it with Windows XP).

What’s Known About This Attack?
Symantec (Norton) and Microsoft are working together on this one.  Symantec is developing an update to detect the document, and Microsoft is working to fix the flawed programming in Word 2002 SP3. Small numbers of people have been tricked into accessing this document delivered by email or by luring them to a hacked web site.

But Aren’t You Curious …
… to know if you have the affected version of Microsoft Word 2002 SP3? By “affected” I mean: If you were to receive and open one of these documents, would you have to worry? Here’s how to find out. (Don’t worry, knowing you have Word 2002 SP3 doesn’t do any harm).

To check if you have Word 2002 SP3, do the following:

  1. Start “Microsoft Word”.
  2. Click “Help” (top right), then “About Microsoft Word” (bottom of menu). A dialog box will appear.
    • Near the top: If it reads “Word 2002” and further along it says “SP3”, then your version of Word is affected. You must see both phrases; if you see 1 out of 2, don’t worry, you’re not a candidate.

What Happens As A Result Of This Flaw?
If, and only if, you have Word 2002 SP3, and if you receive and open one of these mysterious Word 2002 documents from an unknown source … Microsoft Word exits.  Strange, you might say to yourself. And then you reopen the document, and life goes on.

I was unable to find any further information from Symantec or Microsoft on what happens next.

Some reports I found on other web sites say that at the time that Word exits a Trojan (remember the Trojan horse?) program has been activated that records keystrokes, presumably watching out for passwords and sending them to the hacker’s remote location.

Another report claims the hackers are able to control your PC remotely. They can search and open files, erase files, and even shut down the computer, but neither Microsoft nor Symantec confirms either this or the former scenario. (I suspect many blog reporters found an old report regarding a similar attack that occurred back in 2006. At that time, hackers gained remote control over PCs using a similar attack form.)

What To Do?
Microsoft recommends that you “do not open or save Microsoft (Word documents) that you receive from untrusted or unexpected sources.”

Let Me Assure You
Receiving a document by email will not affect you. Opening an email with the document attached will not affect you. Opening your own files will not affect you. Saving your work or working with Word will not affect you.

And, please, if you get an email warning you of “this virus,” please don’t forward the message.

Finally
I suspect that Norton, McAfee and the other anti-virus manufacturers will have found a way to detect and block this before Saturday morning (July 12).

Microsoft will, I suspect, issue a patch within the next 5 to 12 days, to be issued and installed automatically via the Microsoft Update and Office Update web sites, but like I said, I think the antivirus folks will find a way first. (While I write this, BitDefender antivirus has reported they have an update to detect and block it.)

Keep Informed
I’ll also keep you up-to-date on this matter on these pages. Email me at news @ skylarknetworks.com if you have questions or concerns. If you include your phone number and best times to call, I will call you directly. You can also subscribe to Skylarking by once daily email to receive a copy in your Inbox. Or join the Skylark NetWorks Newsletter mailing list and specify interest in “Microsoft Office” products.

Most important: Don’t Panic.  Stay tuned.

Update: No new news on this item as of Monday, July 14.

Update: Patched on August 12, 2008