Hopefully many heeded that warning, since now a new virus has surfaced that uses the same M.O. as ikee, but that has a much more malicious intent and effect. Specifically, the new malware mines personal data from your device, using the very same exploit ikee revealed earlier in the week.

The new worm, dubbed “iPhone/Privacy.A” by digital security firm Intego, affects only jailbroken iPhones, and grabs things from your device like address book contacts, text messages, photos, music, video, calendar entries and email messages. Basically, almost anywhere it can look for sensitive data, it will. The virus doesn’t seem to be able to access information stored by other applications on your iPhone, like password managers, but if you’re affected, the only safe course of action is a full wipe and restore.

Theoretically, according to iPhone security researcher Charlie Miller speaking to Computerworld, attacks based on the same exploit could do more than just mine data. Running up your phone bill, sending out bulk text messages and spamming your contacts are all well within the realm of possibility. Miller goes on to describe how easy it would be for a hacker to infect a device:

This could easily be installed on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network. Or a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the Wi-Fi network in search of data.

In order to secure your device against this kind of attack, there are a few options. First, change the default SSH password if you haven’t already. So far, that appears to be the easiest way to foil attempts to infiltrate your jailbroken device. The best way to prevent this and any kind of future attack along the same lines, however, is to not jailbreak your device in the first place, or to restore it to factory settings if you’ve already jailbroken. Of course, for many who use their devices with carriers who don’t officially offer the iPhone, that isn’t an option.

Miller suggested that Apple may want to consider re-engineering its security measures to account for jailbroken devices, but as that would mean tacitly acknowledging and even accepting a practice it stridently disapproves of, I think the best bet for jailbreakers is just to shut down all SSH access, if possible.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q4: All Eyes Were on Android, 4G and the Rising Tablet Tide
• Report: A Mobile Video Market Overview
• In Q3, the Tablet and 4G Were the Big Stories

iTunes 8.2 became available for anyone and everyone with a Mac, not just developers, late yesterday. A pre-release version of the update has been available to registered iPhone developers since the release of iPhone OS 3.0 beta 4 a few weeks ago, and is required for those hoping to run the 3.0 software on their Apple handheld devices. The release at this time strongly suggests that iPhone OS 3.0 will go live very soon, possibly immediately following the WWDC keynote speech taking place next week.

Aside from adding support for the upcoming firmware revision, the iTunes 8.2 update also brings the usual stability enhancements and bug fixes, including a security patch involving “itms:” links used to open iTunes locations from the web. Parsing the URLs could lead to a stack overflow or arbitrary code execution, which would allow an attacker to completely take over the iTunes process.

QuickTime 7.6.2, which became available alongside the iTunes update, also patches security flaws…10, in fact, all of which involve crashes or arbitrary code execution resulting from viewing malicious content.

A third update, GarageBand 5.0.2, improves the artist lesson purchasing experience, and allows access to installed jam packs in the loop browser. As with most Apple updates, it also includes various security fixes and bug squashes.

The iTunes update has arrived a little early, considering Apple has yet to release or announce the official release date of iPhone OS 3.0, but it’s probably just being smart about a major software update and spacing things out so that its servers can better handle the load when the millions of iPhone users rush to download the firmware revision at the same time. Hopefully, by staging releases, it will avoid the kind of frustrating experiences that accompanied the release of iPhone firmware 2.0 last year.

Some users are already reporting issues with the new updates, including odd behavior from iPhones running the latest firmware beta and iTunes 8.2 final, and a bug wherein a considerable number of songs went missing from one person’s library.

I actually have yet to install the iTunes 8.2 update. While the other updates show up for me without issue, I can’t get Software Update to find the iTunes update. I thought maybe this was because I had the latest pre-release version already installed, but others with the beta seem to have been able to install. My MacBook, which hasn’t been updated with the latest test build, detected and installed the new version without problem. Let us know if you’re having any issues with any of these updates.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Report: The Live-Stream Video Market
• Report: Monetizing Digital Content
• Why iPad 2 Will Lead Consumers Into the Post-PC Era

According to Intego’s numbers, more than 20,000 people have downloaded the affected file, a number which also says something about Apple’s ability (or desire?) to curb piracy of its proprietary software. Instructions on how to rid your computer of the virus in case you are among that unlucky 20,000 can be found here, but they can’t take away your shame.

This week, another round of infections has appeared, this time targeting a different, but similar group of pirates. The victims are users who downloaded a pirated copy of Adobe’s popular photo editing program, Photoshop CS4. Again, the people responsible for finding and broadcasting the existence of the trojan are Intego. This one is aptly dubbed “OSX.Trojan.iServices.B”, and actually comes from the serial generator that packages with the Photoshop installer, and not the installer itself. The CS4 trojan presents the same risks as the iWork ’09 version. Intego reports 5,000 downloads to date.

With two such high-profile virus detections coming so closely on each other’s heels, the question inevitably arises: Is Mac’s status as a highly secure option to Windows in danger? Clearly, Mac users are beginning to present a more attractive target to hackers, because the platform itself is becoming more popular. Not only that, but Mac users may be even more susceptible than others, since they traditionally haven’t had to worry much about malicious attacks.

No doubt the conspiracy theories that security companies cause and cure viruses will also crop up, especially with two such similar detections from the same source in such a short period of time. The reaction might be especially strong, considering how secure most Mac users believe their computers to be.

Really, as it stands, the only people at risk are those trying to pirate software, so it’s not really a case of “Is the OS less secure?”, so much as it is one of “Are Mac users security savvy?”. Pirated software distributed via Torrents has always been a high-risk area, but those running a Mac OS have had the luxury of being less guarded about those types of threats because the malicious code they contained was generally written to attack Windows machines.

The time may have come to star learning more smart surfing practices, but I think the general Mac-using populace can hold off on putting their computers on lock-down. Unless, that is, they plan on pirating like crazy, in which case, shields up.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A 2011 Green IT Forecast
• Report: A Mobile Video Market Overview
• Report: The Live-Stream Video Market

Ryan Naraine reported over at ZDNet Zero Day on a new iPhone vulnerability which lets anyone have full access to the majority of iPhone functionality despite your clever 4-digit passcode lock.

As mentioned by “greenmymac” and covered by The Register, full access to contacts (and, hence, browser, e-mail, SMS…) is as simple as a press of the “Emergency Call” key from the passcode entry screen, followed by a double-tap on the home button, which – as The Register puts it – “takes the miscreant into favourites…” (why we in the States leave out the “u” is a sad mystery).

As Alex Hutton points out, you can mitigate the threat by disabling the “home button double-tap” feature of your device.

Ryan gave the CVE database a scan and noticed that this is not Apple’s first encounter with this error. CVE-2008-0034, which was identified back in January and fixed in the 1.x series firmware, noted this issue and is yet-another sign of Apple’s lack of commitment to security on the iPhone (guess they should have fixed more than just bugs in 2.0.2).

It would be greatly appreciated if any readers in an enterprise configuration (i.e. with a stronger passcode and a centralized provisioning environment) would drop a note in the comments letting me (and other TAB readers) know if you are impacted by this vulnerability as well. All TAB readers are invited to post your your thoughts in the comments on Apple’s latest security faux-pax.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q4: All Eyes Were on Android, 4G and the Rising Tablet Tide
• Report: A Mobile Video Market Overview
• In Q3, the Tablet and 4G Were the Big Stories

Microsoft has been busy today, releasing security updates, announcing a new service pack and committing to restoring functionality to their Mac office suite.

Yep, It’s Patch Tuesday Again

Microsoft released security bulletin MS08-014 today that contains a patch to a remote code execution vulnerability effecting Microsoft Office 2004 & 2008 for Macintosh. Office 2004 is bumped up to version 11.4.1 and primarily contains security & stability fixes. Office 2008 bumps up to version 12.1.0 and includes security fixes along with a plethora of other improvements. Both updates are available via Office software update or via direct download from the aforementioned links.

Get Your Red Hot Office 2008 SP1!

Microsoft MacBU announced the availability of Office 2008 SP1 today in conjunction with the security patch. The 180MB download contains over 1,000 fixes including – what apparently was a major annoyance – the return of custom error bars and axis tick manipulation in Excel charts.

The full release notes are available for your perusal. Here are some other SP1 highlights:

Microsoft Office Excel

• Compatibility. Improved compatibility with files exchanged between Excel 2008 for Mac and Excel 2003 and Excel 2007 for Windows
• Custom Error Bars. Restored formatting option on the Error Bars panel for data series
• Printing. More reliable printing for elements on Excel 2008 workbooks

Microsoft Entourage

• Calendar. Significant enhancements to improve calendar view and all-day reminders with reoccurrence
• Exchange Server support. Overall improvement to synchronization support, including removing attachments from Exchange Server messages and synchronizing to the server, as well as support for editing the contents of Exchange Server messages via AppleScript and synchronizing the changes to the server
• E-mail images. Ability to send and view images in Entourage from third-party tools

Microsoft Office Word

• Printing. Improved accuracy when orienting tables with cell shading
• Document map. Improved reliability and responsiveness to select items
• Notebook layout. Updated formatting, recording status and a variety of display options

Microsoft Office PowerPoint

• Printing. Improvements to eliminate crashing when printing documents to high-dpi printers and increased overall printing speed by 10 times on some large presentations
• Mobile viewing. Ability to view Mac .PPTX files on Windows Mobile phones
• AppleScript. Ability to use the PowerPoint selection object in AppleScript to implement custom scripts that operate on the current selection in PowerPoint

Restoring Functionality (& Vulnerabilities)

Microsoft’s MacBU also announced (official press release) the return of Visual Basic for Applications (VBA) support to the next major release of Office for Mac. This is a mixed bag since VBA macros are a juicy vector for vulnerabilities but that same functionality is critical to many business processes that have been developed using the suite.

From the announcement:

Sharing information with customers as early as possible continues to be a priority for the Mac BU to allow customers to plan for their software needs.2 Although the Mac BU increased support in Office 2008 with alternate scripting tools such as Automator and AppleScript — and also worked with MacTech Magazine to create a reference guide, available at http://www.mactech.com/vba-transition-guide — the team recognizes that VBA-language support is important to a select group of customers who rely on sharing macros across platforms. The Mac BU is always working to meet customers’ needs and already is hard at work on the next version of Office for Mac.

When you install the security update or try out SP1, drop a note in the comments with your experiences and definitely let us and the MacBU know if they didn’t fix any of the issues you were having pre-SP1. Also, if you have any thoughts on the revival of VBA for Mac Office make sure to let us know in the comments as well.

(post updated to fix version errors & links)

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Content Farms: The Players, The Benefits, The Risks
• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce

The “researcher”, Luigi Auriemma, describes the exploit as being based on a flaw in QuickTime’s parsing of HTTP error messages and has not provided Apple with advance notice before publishing the proof-of-concept code. Symantec has confirmed that the flaw can produce a Denial of Service, but has not confirmed the remote code execution claim.

As of this post, Apple has not posted a fix to this issue, but here are some steps you can take to protect yourself (via US-CERT):

• Uninstall QuickTime (OK, kinda extreme)
• Block the rtsp:// protocol (given how much we love streaming media, not likely either)
• Disable the RTSP protocol handler (reasonable, depending on your risk tolerance) Mac OS X users can disable the RTSP protocol handler by editing the ~/Library/Preferences/com.apple.LaunchServices.plist file with Property List Editor. Change the LSHandlerRoleAll value associated with the rtsp LSHanlderURLScheme to something other than com.apple.quicktimeplayer. This process can be simplified by using an application such as RCDefaultApp.
• Disable QuickTime as the RTSP protocol handler on OS X (reasonable…you can pick RealPlayer as an alternative). To disable the RTSP registered protocol handler in OS X open ~/Library/Preferences/com.apple.LaunchServices.plist and look through ahundred or more entries to find RTSP and change it to something else.
• Do not access QuickTime files from untrusted sources (duh). Attackers may host malicious QuickTime files on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

 

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Report: The Live-Stream Video Market
• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce