Sign up for our Technology Newsletter 
Apple Removes Data Spying Apps From Store
October 21, 2015 by admin
Filed under Consumer Electronics
Comments Off on Apple Removes Data Spying Apps From Store
Apple has removed several apps from its store that it said could pose a security risk by exposing a person’s Web traffic to untrusted sources.
The company recommended deleting the apps but did not name them, which may make it hard for people to know which apps put their data at risk.
The apps in question installed their own digital certificates on a person’s Apple mobile device. It would enable the apps to terminate an encrypted connection between a device and a service and view the traffic, which is a potential security risk.
Most websites and many apps use SSL/TLS (Secure Socket Layer/Transport Security Layer), a protocol that encrypts data traffic exchanged with a user. SSL/TLS is a cornerstone of Web security, ensuring data traffic that is intercepted is unreadable.
It is possible in some cases to interfere with an encrypted connection. Many enterprises that want to analyze encrypted traffic for security reasons will use SSL proxies to terminate a session at the edge of their network and initiate a new one with their own digital certificate, allowing them to inspect traffic for malicious behavior.
In that scenario, employees would likely be more aware or expect that kind of monitoring. But people downloading something from the App Store probably would have no idea of the access granted to their sensitive data traffic.
Apple checks applications to ensure that malicious ones are not offered in its store. Those checks are in large part the reason why Apple has had fewer problems with malicious mobile applications in its store.
Installing digital certificates isn’t itself a malicious action per se, but Apple may be concerned that users are not fully aware of the consequences of allowing an app to do so.
Source-http://www.thegurureview.net/aroundnet-category/apple-removes-data-spying-apps-from-store.html
Patches Released For Firefox and Thunderbird
Comments Off on Patches Released For Firefox and Thunderbird
The release of Firefox 7 is important because the new version features better memory management and is the first step in Mozilla’s long term plan to make the browser more resource friendly.
Nevertheless, users who upgrade to it will also benefit from improved security as this release fixes six critical and two moderate severity security vulnerabilities.
Four of the critical patches are shared with Thunderbird 7 and address a use-after-free condition with OGG headers, an exploitable crash in the YARR regular expression library, a code installation quirk involving the Enter key and multiple memory hazards.
A moderate severity patch that provides defence against multiple Location headers caused by CRLF injection attacks is also common to both products.
In addition to these patches Firefox 7 also contains fixes for two critical and one moderate severity vulnerabilities, with one of them resulting in a potentially exploitable WebGL crash.
It’s worth pointing out that Microsoft previously motivated its decision to not include support for WebGL in Internet Explorer by saying that the 3D graphics library opens a large attack surface.
So far several serious vulnerabilities have been identified and patched in WebGL, which partially supports Microsoft’s assessment, but the library’s supporters claim this is no different than with other technologies.
Firefox 7 also updates Websocket, a protocol disabled in the past because of security issues, to version 8, which is no longer vulnerable to known attacks.