Add Apple’s iOS and Research In Motion’s BlackBerry OS to the list of victims at this year’s Pwn2Own challenge. Conference veteran Charlie Miller, along with Dion Blazakis, deployed an exploit to iOS 4.2.1 through a vulnerability in Safari. By navigating to a custom-made webpage, the duo were able to execute remote code and gain access to the iOS address book. Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann also utilized a WebKit-based vulnerability to take down a BlackBerry Torch running BlackBerry OS 184.108.40.206. The three researchers noted that the exploit used on the BlackBerry’s mobile OS was difficult to craft due to the lack of documentation, software tools, and resources available. They also noted that most of the operating systems security was achieved via obscurity, and stated that the company was “way behind the iPhone at the moment, from a security perspective.” No conference participants have yet to challenge Google’s Android or Microsoft’s Windows Phone 7 operating systems. More →
Safari just got served. At this year’s Pwn2Own conference, security firms and enthusiasts are doing their very best to discover and deploy exploits to some of the world’s most popular browsers. Chrome, Firefox, Internet Explorer, and Safari, they’re all on the menu for conference attendees and some have definitely faired better than others. Google issued a challenge, promising $20,000 to any person or team that could crack Chrome on the conferences opening day, but the two teams scheduled to take a swing backed down. Firefox is, for the time being, still standing, and, per usual, Microsoft’s Internet Explorer was taken down without much fuss. But which browser faired the worst? That would be Apple’s Safari. A French security research firm named Vulpen managed to break into Safari running on a MacBook Air in a cool five seconds. The company noted that the Safari update issued by Apple yesterday — version 5.0.4 — fixes some of the vulnerabilities, but not all. The takedown of Safari 5.0.3 used exploits that are still available in the updated code base. Go ahead Apple detractors, have a little fun in the comments section. More →
It seems that an AR-like capability within Mobile Safari has gone pretty much unnoticed (or at least unimplemented by a third party) until now. Occipital, a company that has developed a panoramic photo iPhone app, has come across the new feature in Safari for iOS 4.2 devices, and it’s related to the gyroscope. If you have an iOS device with a gyropscope (iPhone 4, latest iPod touch) you can try a live demo for yourself. It’s ridiculously impressive, and by using the gryoscope and a panorama image, you can deliver an augmented reality type of experience right in the Web browser itself. Hit up http://occip.it/pt3dmqna from your iOS browser directly to check out the demo.
Sorry, Stevie… it looks like your plan to keep Flash off iOS devices just hit another speed bump. We know Apple claims performance issues are the reason Flash is nowhere to be found on iOS devices — and we can’t say we disagree with the company’s assessment, in some cases — but we also know tons of Web video content still uses Adobe’s Flash platform and, well, we want the option to view it on our iPhones, iPads and iPods. There are several options for viewing Flash videos on your iDevice, but most methods involve a jailbreaking. Skyfire is a good non-jailbreak option of course, but it has a tendency to be a bit slow at times. Luckily, a group of developers has a new free method that doesn’t involve a jailbreak — in fact, you don’t even have to install an app. A simple bookmarklet is all you need to stream Flash videos right to your iPhone, iPad or iPod touch. Hit the jump for a quick guide that will bring a plethora of embedded Flash video content to your iOS device of choice. More →
Nothing sets diehard Apple fans’ hearts aflutter quite like an alleged email from Apple CEO Steve Jobs — and if you’re a diehard Apple fan, today is your lucky day. Mac Rumors reports that one of its forum members recently received a reply from Jobs in response to an AirPlay inquiry sent last week. In his email, the Apple fan asked Jobs if his company’s “seriously amazing” new AirPlay feature would ever become available for video in Safari and third-party apps. Jobs’ response, according to the report, was an affirmative: “Yep, hope to add these features to Airplay in 2011.” The authenticity of the email is anything but confirmed, but Jobs is known to reply to the odd email here and there so it’s entirely feasible that this is the real deal. More →
Last month, we reported on the demise of cross-browser, bookmark-syncing service Xmarks. This month, we are happy to inform you that is looks like Xmarks will live on. According to a recent blog post by the company, an outpouring of support from users has drastically changed the company’s plans. As Xmarks explains:
The past ten days have been an amazing lesson in the power of community. Not in the “web 2.0 social graph” sense – I’m talking about old school community with users speaking up, speaking out and banding together. Thank you Xmarks users. You told the world it was simply unacceptable for our service to shut down and it worked. Thanks to your passion, Xmarks now has multiple offers from companies ready and willing to take over the service and keep making browser sync better and better!
The company does note that no deal has been finalized, but they are confident with multiple offers on the table Xmarks will be able to stay open for business. At time of publishing, over 35,000 users had pledged to pay between $10 and $20 per year for the service. Hit the read link to read the full post. More →
It looks like both Vimeo and Yahoo! have jumped on the HTML5 bandwagon. Yesterday, the USA Today reported that internet streaming-video service Vimeo added HTML5 support for embedded video in order to be more compliant with the iPhone and iPad. Until now, the site had displayed embedded video using Adobe’s Flash technology.
Yahoo! Mail announced that it has released an HTML5 mobile webmail client specifically designed for the iPad. The company boasts that the new app is “optimized for the gorgeous large screen of the iPad.” The new Yahoo! Mail HTML5 interface is available now (mail.yahoo.com), and the company closes with, “this is just the first version, and we’ll be constantly iterating to add new features, improve performance, and make Yahoo! Mail for iPad the best it can possibly be.” More →
This morning, Apple released an update to its Safari web browser. The biggest new feature that the update packs is the ability to customize Safari with third-party extensions which can be found at extensions.apple.com (welcome to 2010 Apple). Aside from being able to install AdBlock, the update also fixes that little address book bug that was discovered last week. We’ve got the full release notes for you after the break. More →
If you are a Mac user, and fancy Safari as your default internet browser, you are going to want to pay attention to this one. A bug found in Safari’s AutoFill feature can allow a malicious website to gather personal information from a users address book card — more specifically: first name, last name, work place, city, state, and email address. There is a published proof of concept exploit for the bug that can be found here. We suggest Safari users navigate to: Preferences > Auto-fill, and uncheck “Use info from my Address Book card” until Apple sorts this one out. Hit up the read link for more details. More →
For the first time since the browser’s inception, Google’s Chrome has overtaken Apple’s Safari in percentage of U.S. market share. Web analytics company StatCounter reports Chrome grabbed 8.97% of U.S. market share while Safari had 8.88% for the week beginning on June 21st. For some time now, Chrome (~ 9% globally) has bested Safari (~ 4% globally); however, as we’re sure Google will tell you, it is nice to win on your home turf. We’ve got the full press release queued up for you after the break. More →
Goatse Security, the firm who blew the lid off of an exploit that allowed the names and email addresses of over 114,000 iPad owners to be farmed, is speaking out. In a blog post, Goastse team member Escher Auernheimer writes:
I released a semantic integer overflow exploit for Safari through Goatse Security in March– it was patched on Apple’s desktop Safari but has yet to be patched on the iPad. This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.
And it doesn’t stop there. Addressing some of the verbiage in AT&T’s apology letter, Auernheimer goes onto say:
AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate– within the hour. Days afterward is not acceptable. […] AT&T says the person responsible for this went “to great efforts”. I’ll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as “great efforts”, so be it.
Auernheimer closes with: “We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. […] We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.” Amen, Escher, Amen. Your move Apple/AT&T. More →
Hot on the heels of 2010’s WWDC keynote, Apple has announced an update to its Safari web browser. The code update, simply titled Safari 5, boasts, “a 30 percent performance increase over Safari 4,” according to the company’s press release. At time of publishing, Apple had yet to update their official Safari page (www.apple.com/safari) with the updated download information, but we’ve got the full PR Newswire release for you after the bounce. More →
[Via TUAW] More →