Security-Protocols

** Begin Rant **

So Apple announced at Macworld the release of Time Capsule. Below is a description from Apple:

Time Capsule includes a wireless 500GB or 1TB hard drive1 designed to work with Time Machine in Mac OS X Leopard. Just set Time Capsule as the designated backup drive for Time Machine, and that’s it. Depending on how much data you have, your initial backup with Time Capsule could take overnight or longer. After it completes, only changed files are backed up — automatically, wirelessly, and in the background. So you never have to worry about backing up again. Time Capsule is your one place for backing up everything. Its massive 500GB or 1TB server-grade hard drive gives you all the capacity and safety you need. So whether you have 250 songs or 250,000 songs to back up, room is the last thing you’ll run out of. And considering all that storage and protection come packaged in a high-speed Wi-Fi base station starting at $299, data isn’t the only thing you’re saving.

So about two months ago I bought the AirPort Extreme (802.11n) thinking it would be cool to plug my 500 gig drive into it to act as a mini file server. Well, with the latest firmware update the USB disc feature does not work with large drives like Apple advertised nor does Time Machine work over the network. So what pisses me off is that, Apple has now released Time Capsule which you can configure Time Machine to do backups over the network.

So did Apple fix the AirPort Extreme (802.11n) drive issue, and not release the update but only left us out in the cold once again to upgrade to Time Capsule? There has been numerous discussions on the Apple support forums about this exact issue as well. Apple has even gone as far as deleting posts because they just dont want to fix this USB disc issue.

I really hope Apple enables Time Machine support for hdd’s connected via the AirPort Extreme (802.11n) USB port. I really don’t see what the issue would be, it’s no different then the new Time Capsule devices. Apple, why leave your customers out in the cold like this? Guess ill just have to wait till Time Capsule comes out so I can get my hands on the firmware, and possibly just apply it to my Extreme N.

** End Rant **

APPLE-SA-2007-11-15 Mac OS X v10.5.1 Update

Mac OS X v10.5.1 Update is now available and addresses the following
issues:

Application Firewall
CVE-ID: CVE-2007-4702
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: The “Block all incoming connections” setting for the
firewall is misleading
Description: The “Block all incoming connections” setting for the
Application Firewall allows any process running as user “root” (UID
0) to receive incoming connections, and also allows mDNSResponder to
receive connections. This could result in the unexpected exposure of
network services. This update addresses the issue by more accurately
describing the option as “Allow only essential services”, and by
limiting the processes permitted to receive incoming connections
under this setting to a small fixed set of system services: configd
(for DHCP and other network configuration protocols), mDNSResponder
(for Bonjour), and racoon (for IPSec). The “Help” content for the
Application Firewall is also updated to provide further information.
This issue does not affect systems prior to Mac OS X v10.5.

Application Firewall
CVE-ID: CVE-2007-4703
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: Processes running as user “root” (UID 0) cannot be blocked
when the firewall is set to “Set access for specific services and
applications”
Description: The “Set access for specific services and applications”
setting for the Application Firewall allows any process running as
user “root” (UID 0) to receive incoming connections, even if its
executable is specifically added to the list of programs and its
entry in the list is marked as “Block incoming connections”. This
could result in the unexpected exposure of network services. This
update corrects the issue so that any executable so marked is
blocked. This issue does not affect systems prior to Mac OS X v10.5.

Application Firewall
CVE-ID: CVE-2007-4704
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: Changes to Application Firewall settings do not affect
processes started by launchd until they are restarted
Description: When the Application Firewall settings are changed, a
running process started by launchd will not be affected until it is
restarted. A user might expect changes to take effect immediately and
so leave their system exposed to network access. This update corrects
the issue so that changes take effect immediately. This issue does
not affect systems prior to Mac OS X v10.5.

http://docs.info.apple.com/article.html?artnum=61798

So he finally gave into the fact that third party apps are good, and that an SDK will help Apple sell more iPhones.. sighh..

Let me just say it: We want native third party applications on the iPhone, and we plan to have an SDK in developers’ hands in February. We are excited about creating a vibrant third party developer community around the iPhone and enabling hundreds of new applications for our users. With our revolutionary multi-touch interface, powerful hardware and advanced software architecture, we believe we have created the best mobile platform ever for developers.

You can read the rest of Steve’s message at the link below:

Third Party Applications on the iPhone

So ive been fuzzing Safari on the iPhone a bit lately and have found some interesting flaws. Anyway, below is a link to a text file of the proof-of-concept which will trigger the crash.

http://www.security-protocols.com/poc/iphun.txt

If you have an iPhone and or iPod touch with v1.1.1, click here:

http://www.security-protocols.com/poc/iphun.html

This will only reproduce the issue causing Safari to crash. For some reason, this crash does not create a crashreporter log on the iPhone.

Thanks for your $upport

Seen on the MUNI stop at Powell St and Market St in San Francisco, California.

Photo Credit: edrabbit

Ambrosia Software has released iToner, which is a Mac OS X application that allows you to put custom ringtones on your iPhone.

iToner features a drag and drop interface which makes it simple to drage and drop your ringtones into the “virtual” iPhone and press the home button. iToner will automatically put the ringtones on your iPhone. According to Ambrosia, the ringtones will continue to work with future iPhone OS updates, as it does not modify the iPhone operating system.

iPhoneRingtoneMaker offers a similar application for PC users, that includes a feature to create custom ringtones from your iTunes music collection. It has been speculated that Apple will use their scheduled September 5th event to introduce ringtone functionality within iTunes.

iToner retails for $15 and is available as a free trial.