vulnerability posts

Filed under: Security, iPhone, Jailbreak/pwnage

Worm rickrolls unsecured jailbroken iPhones via SSH

For the last few days, some jailbroken iPhone users have found their home screen background a little different than they remembered. A hacker, going by the name "ikee," created a worm that changes the home screen background on jailbroken iPhones whose owners failed to change the default password after installing SSH. Simply jailbreaking your iPhone will not make you vulnerable to this sort of hack. The iPhone OS, in general, is also immune to this hack. Still confused? Let's back up a bit.

On jailbroken iPhones, SSH is installable with a package from Cydia that allows you to connect to your phone and make changes to the filesystem. It does this by logging into the root user with the password "alpine." After installing SSH, it is always recommended that you change "alpine" to the password of your choosing. This hack can only affect people who chose not to change that password -- no one else.

This hack originated in Australia, the home country of ikee, and has possibly spread to other iPhones in other countries, but we've been unable to verify that. A gentleman by the name of JD held an interview with the hacker over IRC and posted it to his blog. In ikee's own words, here's how the worm has spread:
...The code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra's IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT'd) then a random 20 IP ranges. I'm guessing a few phones hit a range that another vulnerable phone was on.
Basically, once your phone is infected, the worm starts looking for other iPhones on the cellular network that use the root:alpine combination. Once it finds another vulnerable iPhone, it installs itself and begins the process again... and again... and again.

Luckily for the jailbreakers in the audience who may have been affected, there's really no harm done -- at least not with this version of the worm. According to the hacker, this was more of an experiment than anything else. The worm changes your background and then disables inbound SSH, which is a good thing. If SSH were left turned on, a similar worm could follow along but conceivably do much more damage. For instructions on how to delete this worm, read JD's interview with ikee. I would recommend reading the interview just for the information it presents; I found it pretty interesting. If you've got a jailbroken iPhone or iPod touch and you've never changed the default device password, now's the time. Here's how, if you are using Terminal:

Type: ssh root@(iPhone IP address)
When prompted for the password, type: alpine
Now you're connected to the phone...
Type: passwd
It should then prompt you for a new password -- type one that you'll remember. There's no easy way to reset it if you forget it.

That's it. Please remember to be responsibly secure with your devices. Hackers like ikee are troublesome, but this could have been much worse. While I don't personally condone his actions, he's prevented a lot of people from being vulnerable to more malicious attacks later down the road.

Thanks, James!

Filed under: Hardware, Hacks, iPhone

Dutch hacker accesses jailbroken iPhones, requests €5

Running a jailbroken iPhone has its risks, as a Dutch hacker has demonstrated. Specifically, he used a bit of port scanning to find jailbroken phones with SSH running in his native Netherlands. From there, he sent unsuspecting users a message that reads, "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files."

The URL directs the users to PayPal and requests €5 in exchange for instructions that explain how to remove the hack. But how did he get in? By relying on users' forgetfulness. All iPhones have a default root password. Those who forget to change it are vulnerable to this very kind of attack.

Asking for money is kind of a bummer, but much less obnoxious than other things he could have done. The moral of the story is to pay attention and be thorough when jailbreaking your iPhone.

[Via Ars Technica]

Filed under: OS, Bugs/Recalls, Bad Apple, Security, Found Footage, Snow Leopard

Snow Leopard: Apple ships old, security-compromised Flash plugin with new OS


It's not that we have anything against the Flash plugin for Mac browsers. Well, other than the fact that it's crashy, and slow, and makes our laptop fans spin up like we're doing wind tunnel testing for the Air Force. But other than that, we have nothing against it -- and it's lovely that the new 64-bit version of Safari in Snow Leopard can isolate Flash-related stalls and hiccups from the main browser process for enhanced crash protection. Very nice.

Unfortunately, as pointed out initially by Graham Cluley over at the security and anti-virus vendor Sophos, the version of the Flash plugin that Apple bundles with Snow Leopard is old. It's the 10.0.23.1 version, old enough that it has some notable vulnerabilities versus the currently shipping 10.0.32.18 version. You can check which version of the plugin you have by visiting this Adobe check page. Even if you had the current build on your machine before upgrading to Snow Leopard, the upgrade process replaces your Flash with the vintage Flash instead -- poor form! Cluley recommends, and Adobe concurs, that the best thing to do is head over to Adobe's download site and get the most up-to-date version instead.

It's understandable that Apple had to lock down a version of the Flash plugin for inclusion in the OS golden master, but if you're gonna do that then you've got to provide an integrated method for users to update to the current build when the time comes (like, say, via an OS-wide Software Update utility). Downgrading user security while upgrading OS versions is a rotten way to run a railroad.

[Side note, does Cluley's narration in the video above make you wonder if, just maybe, he's moonlighting as Ben 'Yahtzee' Croshaw over at The Escapist? NSFW!]

Thanks to everyone who sent this in.

Filed under: Apple, Security, iPhone

O2: SMS security flaw on iPhone to be patched Saturday

Yesterday's news from the Black Hat Technical Security Conference in Las Vegas about the SMS security flaw affecting iPhone, Android, and Windows Mobile smartphones was a bit unnerving. Through skillful manipulation of SMS messages, an attacker could gain control of a smartphone.

BBC News reports that UK mobile provider O2 has received word from Apple about a patch for the security flaw on the iPhone. The patch, in the form of a software update, will be available Saturday, August 1, 2009. As with all updates to the iPhone, the security patch will appear in iTunes.

Considering the potential for mischief on the part of hackers, it is entirely possible that AT&T, O2, and other carriers will notify their customers of the availability of the update. Whether or not that message will come through SMS remains to be seen.

Be sure to keep an eye on TUAW or our Twitter feed (http://twitter.com/tuaw) tomorrow and we'll notify you as soon as the patch makes an appearance.

UPDATE: iPhone OS 3.0.1 is now available for download from iTunes. 297.9MB in size.

Filed under: Security, iPhone

Security researchers to unveil iPhone SMS vulnerability later today

Two security researchers, Charlie Miller and Collin Mulliner, have discovered a serious security vulnerability affecting SMS messaging on the iPhone that will be unveiled later today at the Black Hat security conference in Las Vegas. This flaw affects all iPhones and can allow an attacker to gain complete control of an iPhone, including the ability to make calls, browse the web and access the camera. This exploit is caused by corruption in the iPhone's memory handling and is executed by sending a burst of text messages using an uncommon text character or by sending a hidden message.

So far, Apple has been rumored to have a fix in the works, but there's been no confirmation yet when it will be available. The researchers also say that there's nothing you can do to protect your iPhone from this vulnerability, other than to turn off the phone. More details on this issue will be discussed later today at Black Hat, hopefully outlining a path to fix this issue.

Meanwhile, the two researchers have already demonstrated this flaw in action to CNET's Elinor Mills, proving its existence and the extent of the threat.

We'll be providing more coverage on this issue once it's unveiled, so stay tuned to TUAW.

Filed under: Security

There's a hole in Safari, dear Liza


Update: Thanks as well to everyone who pointed out that we got our sources mixed up! The article linked is the 2007 CanSecWest, and we apologize for the confusion. The winner of the 2009 competition was Charlie Miller (sorry Charlie), and you can read more about this year's competition here -- IE8 and Firefox have also been compromised in the competition. If you're curious about the state of Mac security and exploitation, be sure to check out Dino Dai Zovi's presentation here.
Special thanks to Chris von Eitzen at The H, and to everyone else who let us know!

---

Another year, another Pwn2Own at CanSecWest, and Safari falls... in a short time. Well, to be fair, Safari fell after 24 hours and "... a couple of seconds," give or take a few. On day two of the event the "attack surface" widens -- that is, hackers are given more ways to hijack the machine. In this case, it wound up being a hole in Safari. Once the barrier was lowered, an email containing a link was sent to the judges; they clicked the link, which took them to a special page that exploited the vulnerability. The exploit was discovered by Dino Dai Zovi who, as MacDailyNews reports, "wrote the exploit overnight in about 9 hours." Dino was assisted on the ground by Shane Macaulay. As yet, we haven't seen this in the wild, and the hole has been properly disclosed to Apple.

As Download Squad notes, Firefox and Internet Explorer 8 were taken down some time later. Before declaring Safari "less secure" than those browsers, it is important to note that the hole has been reported to Apple, who need only issue a patch to fix it. Further, the exploit that took Dino 9 hours to write isn't publicly available. That said, it stresses the importance of installing browser patches and security updates for your machine. The best part about finding these exploits at events like CanSecWest is that they help make Safari, and every other browser, more secure.

Thanks to everyone who sent this in!


Filed under: Security

Acrobat vulnerability may affect Mac users


As if the baked-in security issues weren't enough to deal with, Adobe has announced today that all versions since v7 of Acrobat and Acrobat Reader on all platforms -- including Mac OS X -- are vulnerable to a JavaScript exploit that can crash Acrobat. [Correction, per The Register and Shadowserver: the vulnerability is not in JavaScript per se, but the circulating exploits use JavaScript to leverage the actual flaw. Thanks to Adam Engst for the heads-up.] The same approach could possibly give an attacker unrestricted access to the target system. More from Download Squad on the scope of the problem; Adobe and others are reporting that there are already exploits in the wild for this problem.

Mac users have, of course, a very solid option for handling PDF files other than Acrobat: Preview, installed on every Mac OS X machine. You can also turn off JavaScript support in the Acrobat preferences to stop exploits from proceeding beyond crashing the app to actually doing widespread damage.

To change the default handler for PDF files, select any PDF file in the Finder and then select Get Info from the File menu. Under the Open With section, select Preview.app and then click Change All.

Filed under: Security

Safari RSS vulnerability might reveal your personal data

This vulnerability is patched in the 2009-001 security updates.

When reports of security issues in Apple's Safari browser come over the transom, they get our attention. When they're exploitable in both the Mac and Windows versions of Safari, they get our full and undivided attention. When the person reporting them is Brian Mastenbrook (credited with discovering multiple previous vulnerabilities in Mac OS X)... well, someone shut off that damn klaxon and let us get back to work. In this case, the issue is that a hole in Safari's handling of RSS feeds could allow an attacker (via a malicious web page) to capture a user's personal information, cookies or even passwords.

While Brian has not posted more details of the vulnerability publicly, he has acknowledgment from Apple that the issue exists; hopefully we will see an update soon that closes this hole. In the meantime, although Windows Safari users are advised to use a different browser to avoid the vulnerability, Mac users can simply set an alternative RSS feed handler to work around the issue.

Update 1/14: Per Brian's further research, the workaround below is not adequate to protect against the vulnerability, as Safari also handles URL types of 'feeds' and 'feedsearch,' which cannot be set to alternative handlers within Safari itself. The revised workaround calls for the RCDefaultApp preference pane, which does let you redirect the other URL types.

To change your feed handler, go to Safari's Preferences and click the RSS button. If you have any other capable feed reader on your machine, you can select it from the list (if your menu looks like mine does in the screenshot, you have a serious problem with RSS reader addiction and you need immediate help). Don't have another feed reader available? NetNewsWire and NewsFire (and the open-source Vienna, cited repeatedly by our commenters) are free for the downloading, as is the Reader Notifier helper app that interacts with Google Reader -- for the purposes of getting around the vulnerability, it doesn't matter which application you choose as long as you don't leave it set to the default of having Safari do its own RSS chores. Note that the vulnerability apparently does not require you to open a feed in Safari to be affected -- a specially-constructed webpage is capable of triggering it.


RCDefaultApp settings for "feeds" and "feedsearch" also need to be modified.

Thanks to Brian for the heads up & everyone who sent this in.

Filed under: iPod Family, Security

iPod touch firmware, Bonjour for Windows close security holes

It's not all new features and delight behind the scenes with the now-shipping iPod touch 2.1 firmware -- among the updates and changes are five patches to address security issues with the device. Frameworks that have been tweaked include the Application Sandbox, CoreGraphics, the mDNSResponder, Networking, and WebKit.

The mDNS fix tackles the Dan Kaminsky DNS vulnerability that sparked controversy over the pace of Apple's patch releases... yet more proof that the iPod touch is a teensy little computer, with all the risks and challenges thereto. You can review the security notes for the update at Apple's security site, and of course you can download the update through iTunes.

Also updated for security purposes today was the Bonjour for Windows package, now at version 1.0.5. This utility, which gives XP and Vista machines access to zero-configuration network resources such as printers or Mac OS X web sharing, now includes a couple of DNS-related patches including one for the vulnerability noted above. See here for the full details; Bonjour for Windows is downloadable from Apple as well.

Filed under: Software, Security

Adobe Reader and Acrobat security updates

Danger, Will Robinson! Adobe is warning that "critical vulnerabilities" have been found in Adobe Reader and Acrobat 8.1.1 and earlier. They are recommending that Acrobat 8 and Adobe Reader users install the 8.1.2 update as soon as possible. Those who are using Acrobat 7 are advised to install the 7.1.0 update quickly as well.

A full summary of the security concerns and links to the update files can be yours by visiting the Adobe security update site. Note that while Acrobat & Reader 8.1.2 have been out for some time, the 7.1 update is fresh this week and the security issue is newly disclosed.

[via Macintouch]

Filed under: Rumors, Software, Hacks, Blogging, Open Source

Alleged OS X worm creator disappears

I'm not sure if you've been following the story of "Infosec Sellout" (it's a tough one to follow), but apparently the anonymous Mac hacker has given up blogging about OS X security -- his blog has been deleted and renamed on Blogspot. Just recently, he made headlines by claiming that he'd developed a worm for OS X called "Rape.osx," that hit a known vulnerability in the OS X mDNSResponder, an open source Internet protocol used by Apple. But apparently Infosec Sellout didn't think Apple responded appropriately to his warning (and/or his site was hacked itself), and he's gone quiet.

Robert McMillian of the IDG news service has had contact with Infosec Sellout in the past, and heard from the hacker in an email that "it was a great experiment to see how the industry could handle some honesty, which they can't. They are quick to attack the credibility of others in order to hide their own flaws." From that comment, it sounds like Infosec thinks Apple is somehow claiming to be impenetrable, but as other security analysts say, that's far from true. Still another story is that Infosec's identity was close to being found out, and he quit because of that. Apparently Infosec says that the identity discovery was a factor, but not because he didn't want to be found out, just because he didn't want his employer to be approached by "crybabies."

Strange story indeed. Unfortunately Infosec still hasn't revealed the hack, and says he won't reveal it to Apple until testing is completed.

Filed under: Security

Does QuickTime pose a security risk?

The whole QuickTime/MySpace security hole that was discussed this week on TUAW has given rise to a general concern about QuickTime's vulnerabilities. The QuickTime bug apparently allowed a worm to infect MySpace user profiles and redirect traffic to a phishing site, where passwords were harvested.

An Information Week article suggests the security flaw could extend well beyond MySpace to both Mac and Windows users. The problem seems to stem from QuickTime's JavaScript support and a bug that allows malicious JavaScript code to affect browsers. The article states that although Apple has provided an Internet Explorer patch, it has yet to issue a general QuickTime fix across all platforms.

Filed under: Software, Bugs/Recalls, Internet Tools, Security

Skype version 1.5.0.80 patches critical vulnerability

Calling all Skype users - if you haven't updated to the latest version, you really should. Version 1.5.0.80 (Mac OS X), released on Tuesday, "solves a 'highly critical' vulnerability that could lead to the remote execution of arbitrary code." So says Secunia, an IT security news company. The flaw was caused by a malformed URL and could potentially lead to your system being compromised. Oops! No need to panic, though. Just update now and you'll be covered. If you're using Skype for Mac Beta 2.x I don't believe this affects you, so don't go downgrading just yet! UPDATE: Mac Beta 2.x was updated to 2.0.0.3 yesterday and has the same fix. Thanks Sejuru!
