Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the best-selling Take Control ebooks.

 

 

TidBITS Watchlist
 
Set Password Activation Time in Snow Leopard

In Snow Leopard, you can now set an amount of time after your Mac goes to sleep or engages the screen saver before it requires a password to log back on. In Leopard, the option was simply to require the password or not. Choose among several increments, between 5 seconds and 4 hours, from System Preferences > Security.


Link to this tip

Submitted by
Doug McLean

Share your own tip! | Search TipBITS

 

 

Recent TidBITS Talk Discussions
 

 

Published in TidBITS 1040.
Subscribe to our weekly email edition.

 

 
iPhone iPad iPod | 11 Aug 2010 | Listen   | Print Printer-Friendly Version of This Article | Comment (5)

iOS Security Fixes Released for Serious Vulnerabilities

by Glenn Fleishman Send Email to Author

Fixes for two serious holes in iOS are now available in the form of iOS 3.2.2 for iPad and iOS 4.0.2 for 2008 and later models of iPhone and iPod touch. Attach your iOS device (or devices) to the computer with which you sync using iTunes, and use iTunes to download and install the upgrade.

One flaw lies in TrueType handling within Apple's iOS PDF display software. A PDF with fonts crafted in a particular way could allow a malicious party to run any code on an iOS device simply by getting you to view the PDF file. That flaw is paired with a second in IOSurface, a framework for buffering or holding images in memory. The IOSurface flaw allows the code to be executed in a way that gives the attack full system privileges.

At that point, an attacker could enable remote access, copy or delete all your data, or install background monitoring or call-interception software.

The flaws were revealed as part of the first successful iPhone 4 jailbreak in iOS 4, which required only that you visited a particular Web page. The escalation of privileges enabled the jailbreak software to crack Apple's protection against installing software other than that which the company allows.

Apple apparently no longer provides security upgrades for the iPhone 3.1 software branch, which is unfortunate as some iPhone 3G users were forced to revert from iOS 4 to 3.1.3 due to significant performance problems that Apple has said it is investigating.

Even with iOS 4 being a free upgrade, Apple should provide security fixes for known, significant problems in the previous widely used OS release. Further, original iPhone and iPod touch users will likely also be subject to these flaws, and cannot upgrade to iOS 4.

 

With ChronoSync you can sync, back up, or make bootable backups.
Sync or back up your Mac to internal or external hard drives, other
Macs, PCs, or remote network volumes you can mount on your Mac.
Learn more at <http://www.econtechnologies.com/tb.html>!
 

Comments about iOS Security Fixes Released for Serious Vulnerabilities

To leave a comment, click Add a Comment and then enter the text, your name, and your email address (which won't be displayed). Your comment will appear after you follow a link in the one-time confirmation message we send to verify that you're a real person.
Add a comment
Ian Stavert2010-08-11 13:58
Yeah I want an security fix for my 3G phone as I am not going to install iOS4 due to the performance crippling issues on the 3 series phones.
Reply
Dave2010-08-11 16:57
A lot more than "some" 3G users are having problems with iOSlow. There have been over 200,000 views of the thread titled "Iphone 3G OS4 problems" on Apple's web site. And another 200,000 views of another thread about the slowdowns caused by iOSlow. Not to mention the hundreds of irate postings on the WSJ article.

Hundreds of thousands of 3G owners are still locked into their multi-year service contracts. By signing the contracts, customers expected their 3G phones to function acceptably for the duration of the plans. Simply buying a new shiny iPhone 4 is not an option.

To rebuild their tarnished iPhone (antennagate) reputation, Apple needs to support all 3G owners by releasing this bug fix for the still-widely-used 3.1.3 release.
Reply
Adam Engst2010-08-11 19:49
Yep, we really need to write something about this, but I just haven't had the time to run it down with our older iPhone 3G. We said "some" users have reverted because that's accurate - whether or not a lot of had the problem, reverting isn't easy enough to do that most people would be doing that.
Reply
David S.2010-08-12 15:43
Apple's failure to state whether the issues affect iOS 3.1, and if they do whether they intend to patch that version as well, is inexcusable. Lots of people are stuck on that version - 1G iPhone and iPod touch users, and they deserve to know if they are exposed to this very serious security issue or not.
Reply
Betty2010-08-18 17:56
My son called me just past 5 pm tonight, upset that his 3G iPhone had just locked up, then crashed, as he tried to answer a phone call for a job interview. When he "upgraded" [downgraded] to iOS4, it lost his address book which took a few weeks to reconstruct, since it also trashed the backup. His iPhone is slower, less reliable. However, Apple didn't provide a simple remedy to go back to the previous OS.

Apple really should address these problems since Apple broke his iPhone, not him. 3G and 2G phones aren't that ancient. Serious security flaws must also be addressed, back to the earliest iPhone models, iPod Touch too.

Adam, please look into this issue with older iPhones/iPods and let us know what you find and how to fix the iPhones that Apple broke. Thanks!
Reply