Hello and welcome to the CERTStation Podcast for the 35th week of 2008. I am Jay Johnson, and these are the headlines:

Apple confirms iPhone security bug and promises patch (pause)
Microsoft readies new Windows XP Pro antipiracy nag, while
Mozilla earns praise for Firefox security feature (pause)
One-character patch for DNS proposed, and finally
Spammers bypass filters with SWF file redirects.

And now for this week's newswire details.
Apple Inc. said this week that it will fix a bug in the iPhone's passcode lock in next month's software update for the smartphone. According to Apple, the issue, which surfaced this week, is already fixed in an update due for release in September. The flaw, first reported Tuesday by a user on a MacRumors message forum, lets anyone sidestep the passcode lock by tapping "Emergency Call" on the passcode-entry screen and then double-tapping the Home button, which drops the user into the phone's Favorites screen and from there into contacts, mail and the browser. The bug also affects the iPod Touch. Until the update ships, the widely reported workaround is to change the Home button's double-click action from Favorites to iPod controls under Settings > General > Home Button, which removes the shortcut the bypass relies on.

(pause)
Microsoft Corp. said this week that it will update the Windows Genuine Advantage (WGA) Notifications tool in Windows XP Professional to make the nagging more prominent on machines running counterfeit copies, and that it will no longer announce future updates to the tool in advance. The update brings XP Professional's WGA experience in line with that of Windows Vista Service Pack 1. According to Microsoft, a PC judged to be running a pirated copy will get a black desktop background that reverts to black after an hour if the user changes it, a persistent notice in the bottom-right corner of the screen, and recurring reminders in the system tray. The new version of WGA Notifications begins appearing on users' PCs this week, although the rollout will take several months to reach everyone.

(pause)
The argument over how Firefox 3.0 handles self-signed certificates has produced an add-on from Carnegie Mellon researchers, and the prevailing view now seems to be that Mozilla is on the right path. Over the past few weeks the debate has intensified over a new security feature in Firefox 3.0: a full-page warning, rather than a dismissable dialog, when a Web site's SSL certificate has expired or was not issued by a certificate authority in the browser's trust store. Critics contend that the feature confuses users, gives the impression that Web sites are broken, and lets Mozilla dictate which certificate authorities (CAs) are trusted and which are not. The whole trust model, however, depends on there being only a few organizations that everyone knows and trusts, which in turn sign other people's certificates; implicit in that is that those few can be relied on to vet the people whose certificates they sign. The trade-off the warning addresses is that a browser presented with a self-signed certificate cannot tell an honest self-certified site from an active man-in-the-middle, so treating both the same way is the conservative choice.

(pause)
A domain-name system researcher proposed on Wednesday that adding a single character to the popular BIND name server software could severely limit cache-poisoning attacks such as the one described by researcher Dan Kaminsky. Changing a "less than" comparison to "less than or equal to" in a trust check in the Berkeley Internet Name Domain server would, according to Gabriel Somlo, reduce the problem substantially: the patched check stops data from a previously unknown server from displacing a record that is already in the cache. Somlo's "one-character patch" has drawn some attention from the technology community, although he had merely proposed the change on a mailing list for BIND users and asked for feedback. It is a hardening measure on top of, not a replacement for, the source-port randomization added by July's coordinated patches, since a resolver that still answers from a predictable source port remains easy to race.
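To make the effect of that comparison concrete, here is an added model of a resolver cache's trust check. It is illustrative code written for this page, not BIND's own code: the two trust ranks, the cache structure and the RFC 5737 addresses are constructed, and the direction of the comparison follows the podcast's description (the check goes from "less than" to "less than or equal to"). The scenario replays the poisoning race described above against both versions of the check.

```python
"""Model of the cache trust check behind the 'one-character patch'."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed trust ranks, lowest to highest. BIND's real ordering is finer;
# the only thing this model needs is that glue and additional-section data
# rank equal to each other and below a direct answer.
TRUST_INCIDENTAL = 1   # nameserver addresses learned from glue or additional sections
TRUST_ANSWER = 2       # records in the answer section for the name actually queried


@dataclass
class Cache:
    strict: bool   # True: the patched comparison ('<=' instead of '<')
    entries: Dict[Tuple[str, str], Tuple[str, int]] = field(default_factory=dict)

    def add(self, name: str, rtype: str, rdata: str, trust: int) -> bool:
        """Insert or replace a record; return True if the cache changed."""
        key = (name.lower().rstrip("."), rtype)
        if key in self.entries:
            cached_trust = self.entries[key][1]
            # Unpatched: reject only when the new data is *less* trusted, so data of
            # equal trust silently overwrites what is cached.
            # Patched: reject when new trust <= cached trust, so a cached record is
            # displaced only by strictly more trusted data or by expiry.
            rejected = trust <= cached_trust if self.strict else trust < cached_trust
            if rejected:
                return False
        self.entries[key] = (rdata, trust)
        return True

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        entry = self.entries.get((name.lower().rstrip("."), rtype))
        return entry[0] if entry else None


def poisoning_scenario(strict: bool) -> Optional[str]:
    """Replay the poisoning race and return the address cached for the victim's NS."""
    cache = Cache(strict=strict)
    # 1. A legitimate referral from the parent zone supplied glue for the
    #    victim's nameserver. Addresses are constructed from RFC 5737 ranges.
    cache.add("ns1.example.com", "A", "192.0.2.53", TRUST_INCIDENTAL)
    # 2. The attacker queries many random names under example.com and races
    #    forged replies; each carries an authority NS record naming
    #    ns1.example.com plus an additional A record for it pointing at the
    #    attacker. One winning forgery is enough, so we model just that one.
    cache.add("ns1.example.com", "A", "203.0.113.66", TRUST_INCIDENTAL)
    return cache.lookup("ns1.example.com", "A")


if __name__ == "__main__":
    for strict in (False, True):
        label = "patched ('<=')" if strict else "original ('<')"
        print(f"{label}: ns1.example.com -> {poisoning_scenario(strict)}")
```

With the original comparison the forged additional record wins and the resolver now sends every query for example.com to the attacker's server; with the patched comparison the glue stays put until it expires, while a genuine answer for the nameserver's own name (higher trust) can still update the entry.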

(pause)
Spammers are stepping up their use of Shockwave Flash (SWF) file redirects to avoid detection, security researchers said this week. Alex Eckelberry, president of security software vendor Sunbelt Software, said the SWF files contain a barely visible box that pushes the installation of a Trojan. Eckelberry said on Thursday that because malicious URLs are now blacklisted so quickly, spammers needed a way past the filters, and "they use these little SWF files to do their job." The spam message links to an innocuous-looking .swf on a host that is not yet blacklisted; once Flash loads it, an ActionScript redirect sends the browser on to the malware site, so the URL a filter inspects is never the one the victim ends up at. Like other spammer tricks, the purpose of the SWF redirect is to trick users into installing malicious software.
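A mail or proxy filter that wants to catch this trick has to look inside the Flash file rather than at the link. The following is an added example for this page, not Sunbelt's code or anything from the original podcast: it parses the SWF container (the "FWS" and zlib-compressed "CWS" forms), walks the tag stream, and pulls the destination out of every getURL action in a DoAction block, which is how the simplest redirectors work. The sample SWF it scans is constructed inline, and the domain in it is a placeholder.

```python
"""Scan Flash (SWF) files for the ActionScript redirects spammers hide in them."""
import struct
import zlib
from typing import Iterator, List, Optional, Tuple

DO_ACTION_TAG = 12      # SWF tag code for a DoAction (ActionScript 2) block
ACTION_GET_URL = 0x83   # getURL opcode: operand is "<url>\0<target>\0"


def swf_body(data: bytes) -> bytes:
    """Return the (decompressed) tag stream after the 8-byte SWF header.

    Accepts 'FWS' (uncompressed) and 'CWS' (zlib); the later LZMA 'ZWS'
    form is refused rather than guessed at.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, declared_len = data[:3], struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError(f"unrecognised SWF signature {sig!r}")
    if len(body) + 8 != declared_len:  # header length counts the *uncompressed* file
        raise ValueError("declared length does not match body")
    return body


def iter_tags(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (code, payload) for each tag, stopping at the End tag (code 0)."""
    nbits = body[0] >> 3                      # RECT: 5-bit Nbits, then 4*Nbits bits
    pos = (5 + 4 * nbits + 7) // 8 + 4        # skip RECT, frame rate u16, frame count u16
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                    # long form: explicit u32 length follows
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:
            break


def redirect_targets(data: bytes) -> List[str]:
    """URLs handed to getURL inside any DoAction tag: the classic redirector."""
    targets: List[str] = []
    for code, payload in iter_tags(swf_body(data)):
        if code != DO_ACTION_TAG:
            continue
        pos = 0
        while pos < len(payload) and payload[pos] != 0:   # 0x00 = ActionEnd
            opcode = payload[pos]
            pos += 1
            if opcode < 0x80:                             # single-byte action, no operand
                continue
            (length,) = struct.unpack_from("<H", payload, pos)
            operand = payload[pos + 2:pos + 2 + length]
            pos += 2 + length
            if opcode == ACTION_GET_URL:
                targets.append(operand.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return targets


def _tag(code: int, payload: bytes) -> bytes:
    """Encode one tag header (short or long form) followed by its payload."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def make_sample_swf(url: Optional[str], compress: bool = True) -> bytes:
    """Constructed test input: a one-frame SWF that does getURL(url), or nothing."""
    tags = b""
    if url is not None:
        operand = url.encode("ascii") + b"\x00_self\x00"
        actions = bytes([ACTION_GET_URL]) + struct.pack("<H", len(operand)) + operand + b"\x00"
        tags = _tag(DO_ACTION_TAG, actions)
    # RECT with Nbits=0 (zero-size stage), 12 fps as 8.8 fixed point, one frame
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + tags + _tag(0, b"")
    sig, payload = (b"CWS", zlib.compress(body)) if compress else (b"FWS", body)
    return sig + bytes([8]) + struct.pack("<I", 8 + len(body)) + payload


if __name__ == "__main__":
    swf = make_sample_swf("http://redirect-target.example/setup.exe")  # placeholder domain
    print("getURL targets:", redirect_targets(swf))
```

Feeding the extracted targets into the same URL blacklist the filter already uses closes the gap the redirect exploits; a stricter policy simply quarantines any inbound SWF that contains a getURL at all. Redirectors written with getURL2 or ActionScript 3 need more of the bytecode decoded, so a production scanner would extend the opcode handling here rather than stop at a single action.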

If you enjoyed this podcast, why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime, this is your host Jay Johnson wishing you a safe and secure week.