Blog Archive

Sunday 27 April 2014

Apple users put at risk by 3-week delay between OS X and iOS patches, researchers say

Mac OS X
Apple exposed iOS users to security threats by taking three weeks longer to patch the same vulnerabilities in the mobile OS that it previously fixed in Safari on OS X, a former Apple security engineer said.
Security researcher Kristin Paget, who left Apple at the end of January for a position at Tesla Motors, strongly criticized her former employer’s software patching practices in a blog post Wednesday.
The researcher pointed out that many of the vulnerabilities fixed in iOS 7.1.1, which was released by Apple Tuesday, were the same ones the company had patched in Safari 6.1.3 and 7.0.3 for OS X on April 1. Many of those vulnerabilities were located in WebKit, the Web rendering engine used by iOS, the Safari browser and other OS X applications, and most of them had been found by members of the Google Chrome security team.
According to Apple’s security advisory for iOS 7.1.1, some of the WebKit flaws could allow attackers to execute arbitrary code when users visit maliciously crafted websites.

"In what world is this acceptable?"

“Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms [iOS and OS X]—but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time,” Paget said. “In what world is this acceptable?”
“Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines: ‘I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS.’,” she said.
Zero-day (0day) refers to vulnerabilities that are publicly known but have no official fix from the affected product’s vendor.
It is certainly possible for attackers to analyze the fixes for one product and create exploits that work against other products and platforms that are not fixed yet, said Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security, Thursday via email.
According to Eiram, these sorts of patch delays between Apple products are a regular occurrence, especially when it comes to fixing WebKit vulnerabilities.
“We’ve seen for a very long time that Google usually addresses WebKit-related vulnerabilities in Chrome long before Apple does the same in their products,” Eiram said. “My rough impression from looking at WebKit security fixes is that the delay is around two-three months on average—though I’ve seen some much longer. After Google forked WebKit into Blink it seems to be getting worse.”

Apple's issues affect Chrome as well

Google Chrome used WebKit as its rendering engine until version 27 and has since switched to an engine called Blink that’s still based on WebKit. Because of that, many of the issues found and fixed in Chrome also affect WebKit.
However, Apple is not only slow at patching the WebKit engine itself, but also at integrating those fixes into all of its WebKit-dependent software.
Eiram pointed to the patching timeline for a WebKit vulnerability identified as CVE-2013-2909 as an example. That vulnerability was originally fixed in Chrome on Oct. 1, 2013; Apple then patched it in Safari 6.1.1 and 7.0.1 on Dec. 16, 2013 (two-and-a-half months later), in iOS 7.1 on March 10 (five months later), and finally in Apple TV 6.1 on April 22 (six-and-a-half months later).
“The lack of coordination between Google and Apple is one thing,” Eiram said. “However, Apple releasing fixes for vulnerabilities in some of their products while leaving other of their products vulnerable for a long time is a very curious practice that I strongly disagree with. It’s unacceptable that they’re putting their own users at risk like that.”
Apple did not immediately respond to a request for comment.
Other vendors have faced criticism in the past for similar patching practices. For example, vulnerabilities patched in Flash Player used to remain unfixed for weeks in Adobe Reader, which bundled Flash Player as a library called authplay.dll. Adobe eventually removed the authplay.dll component from Adobe Reader starting with version 9.5.1.
One of the few cases when it can be acceptable to push out a security patch for one product while leaving others vulnerable is if a 0-day vulnerability was being actively exploited to target users of that product, but not users of the other products, Eiram said. However, even in such a case of immediate threat, the vendor shouldn’t wait too long before patching the rest of its products as well, he said.

Saturday 26 April 2014

Google, Apple, Adobe and Intel agree to settle Silicon Valley hiring case

The four remaining defendants in Silicon Valley’s closely watched employee hiring case—Google, Apple, Adobe and Intel—have agreed to a settlement, according to a new court filing.

Friday 25 April 2014

Apple, Samsung bicker over jury verdict form

As the second jury trial between Apple and Samsung approaches its conclusion, the companies are sparring over the precise questions the jury will be asked to consider.

Thursday 24 April 2014

Apple launches Beta Seed for OS X program for end users

Ever dreamed of an opportunity to try out new versions of OS X before they’re released, but without having to pony up the £60 to become a registered developer?

Wednesday 23 April 2014

Google had secret pact with Samsung over some Apple patent claims

Google agreed to take over some of Samsung’s defense against patent claims brought by Apple under a secret agreement reached in 2012, a federal court jury heard Tuesday.

Thursday 17 April 2014

Manage Your Media More Effectively with NAS

Quick: Where's that video you shot while on vacation last summer?

Wednesday 16 April 2014

MacBook Pro vs. MacBook Air: how I made the choice

Lately, I’ve been struggling with what’s clearly a first-world problem: I have too many computers.

Tuesday 15 April 2014

How to search smarter in Mail

OS X’s Spotlight search feature automatically indexes all the messages in Apple Mail for super-fast searching, and you can search for those messages either within Mail or using the system-wide Spotlight menu. But Mail isn’t limited to simple text searches.

Monday 14 April 2014

Judge humiliates Apple staffer for using cell phone during Apple-Samsung trial

There’s a new sign on the door to Courtroom 1 at the federal courthouse in San Jose, the home to the Apple v. Samsung battle that’s playing out this month: “Please turn off all cell phones.”

Sunday 13 April 2014

Logitech's TV-controlling keyboard can light up a room

When you’ve dimmed the living room lights to approximate that movie theater experience, you don’t want to kill the mood by fumbling for a way to control your TV.

Saturday 12 April 2014

Dropbox looks beyond the cloud with email, photo apps, better business features

Dropbox shook up its service on Wednesday, announcing a slew of updates and new services designed for work and play alike.

Friday 11 April 2014

Wearables sales tripled in a year—and will grow 500 percent by 2018, study says

Anyone who follows consumer tech news already knows that wearables are all the rage. They’re hot.

Wednesday 9 April 2014

Apple details £1.3 billion damages claim against Samsung

Apple began to lay out its £1.3 billion damages claim against Samsung Electronics for the first time on Tuesday, arguing to an eight-person jury in California that Samsung’s alleged patent infringement was large and significantly damaged Apple.

Tuesday 8 April 2014

In praise of Apple's horrible mice

Over the last twenty years, Apple’s hardware has steadily conquered every aspect of my computing life. As I type this, my laptop, keyboard, monitor, phone, and tablet all sport the company’s iconic logo—a reminder of how successful the folks from Cupertino are at designing electronics that I, and many others, want to use.

Monday 7 April 2014

Office for iPad apps top 12 million downloads in one week

It looks like Apple's free iWork suite for iOS just wasn't enough for many iPad users. One week after landing in Apple's App Store, Microsoft's Office for iPad has already seen more than twelve million downloads, the company tweeted from its Office account on Thursday.

Saturday 5 April 2014

XPocalypse Now: Security experts size up the cyberthreats

There are no more lifelines. In a few days, Microsoft will pull the plug on Windows XP support for consumers.

Friday 4 April 2014

Apple updates iWork for Mac, iOS, and iCloud

Apple updated its iWork suite on all three platforms (iOS, Mac, and iCloud) yesterday, with improvements to almost every aspect of every app, from editing in Pages to creating charts in Numbers and delivering presentations in Keynote.

Wednesday 2 April 2014

Apple demands over £1.2 Billion from Samsung for patent infringement

Samsung should pay more than £1.2 billion for repeated infringement of Apple patents in more than 37 million smartphones sold in the U.S., a Silicon Valley jury was told Tuesday as a trial between the two companies got underway after more than two years of preparation.

Tuesday 1 April 2014

Microsoft says printing functions will come to Office for iPad soon

The first iteration of Microsoft’s Office for iPad lacks the ability to print, an unfortunate omission that Microsoft representatives intimated will be fixed in a forthcoming release.

Copyright © Central IT Services Ltd
