A new vulnerability has been discovered in iOS 6.1 that can be exploited to bypass passcode locks on iOS devices. The hack to do so is somewhat involved, but once it’s performed, it grants access to a device’s contacts, voicemails and photos. We’ve verified the hack here at AllThingsD, and as best I can tell, there isn’t any immediate way to safeguard against it.

Reached for comment, Apple said it is hard at work on a fix. “Apple takes user security very seriously” spokeswoman Trudy Muller told AllThingsD. “We are aware of this issue, and will deliver a fix in a future software update.”

Revelation of this vulnerability follows the discovery of two other bugs in iOS 6.1, one that’s been fixed and another that Apple is working with Microsoft to resolve.

That’s the gist of the U.S. Department of Homeland Security’s latest vulnerability advisory on Java, which has been in the headlines for the past week because of yet another critical vulnerability that could be exploited to install and execute malicious code on unguarded systems.

“Unless it is absolutely necessary to run Java in Web browsers, disable it,” Department of Homeland Security’s Computer Emergency Readiness Team (CERT) advised. “This will help mitigate other Java vulnerabilities that may be discovered in the future.”

CERT’s recommendation, while blunt, echoes that of security researchers who have long said the best solution for the perennially vulnerable Java is to dump it entirely. As Twitter engineer and security expert Charlie Miller told Reuters, “It’s not like Java got insecure all of a sudden. It’s been insecure for years.”

On Sunday afternoon, Oracle released a patch for the critical vulnerability, which could be exploited to install and execute malicious code on unguarded systems. And not a moment too soon. By the end of last week, security researchers had already spotted malware designed to exploit it in the wild. Some theorized the flaw potentially put more than 850 million PCs at risk.

In a bulletin, Oracle said that the patch not only repairs the vulnerability, but switches Java’s security setting to “high” by default. “The default security level for Java applets and web start applications has been increased from ‘medium’ to ‘high,’” Oracle said in an advisory today. “… With the ‘high’ setting the user is always warned before any unsigned application is run to prevent silent exploitation.”

A thoughtful additional precaution — though one you’d think it would have occurred to Oracle to add earlier on. But are these measures sufficient to protect consumers who use Java? Java security expert Adam Gowdiak isn’t so sure. “We don’t dare to tell users that it’s safe to enable Java again,” Gowdiak told Reuters. H.D. Moore, chief security officer at the security firm Rapid7, took an even dimmer view of the patch and the software itself. “Users should simply disable it,” he told Forbes. “The amount of utility it offers is so much smaller than the risk it creates for users. It’s much safer to leave it off.”

Livescribe said the update adds a secure key to protect notes, making it once again safe to share notes with others.

“All of your Livescribe content is fully protected by this enhanced security, which was deployed to resolve a vulnerability that could have allowed unauthorized access to Livescribe notes through a shared link to the Livescribe Player,” Livescribe said in an email to customers. “For your protection, the links to your notes or notebooks that you have previously shared with someone through Evernote have also been disabled.”

Those who want to re-share notes will have to resend them with new, secure links.

Livescribe launched the Sky at the end of October as its first digital pen to incorporate wireless function. The Sky also switched from using the company’s own desktop software to a process that works with Evernote.

A report from Android Police (that’s a Web site, not an actual Google police force) says that any app that is given basic Internet access permission can also get access to everything from a user’s GPS location to his or her phone calls, system logs and other information.

“HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible,” the company said in a statement to AllThingsD. “We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken.”

According to Android Police, the issue affects devices running HTC’s Sense overlay, potentially including the EVO 4G, EVO 3D, Thunderbolt, MyTouch 4G Slide and possibly other devices.

Update, 3:15 p.m.: Asked what they make of the matter, Lookout Mobile Security, which specializes in Android-related security software, said that “it would appear that a few HTC phones contain a logging mechanism that exposes sensitive user data to an app that requests only permission to access the Internet.”

“HTC is aware of the issue but has not announced how or when they intend to address it,” Lookout told AllThingsD. “While software and hardware developers strive to create products that are proven to be resilient—vulnerabilities can still exist. This is another reminder that our phones are computers too, and as we build apps, create custom firmware or make changes to the OS – everyone in the mobile ecosystem needs to take the proper precautions to confirm information accessed on these devices is used and stored securely.”

Lookout’s analysis of data collected from more than 700,000 apps and 10 million devices worldwide reveals a significant increase in mobile malware since January, and while some of it was geared toward devices running Apple’s iOS, much was intended for Android. There were 80 Android apps infected with malware in January. By June, there were 400.

“Currently, malware and spyware have primarily targeted Android devices, though there are commercial spyware applications available for jailbroken iOS devices,” Lookout explains in its report. “According to our data, in June of 2011 Android users were two and a half times more likely to encounter malware than just six months ago.”

The reasons for this are well known. iOS apps are curated by Apple via a manual review process that hews closely to some very strict security guidelines. Apps in Google’s Android Market do not undergo the same rigorous review process. And while that might allow Android developers to update their apps more quickly, it also makes it easier for miscreants to distribute malware, or to update or repackage legitimate apps with malicious successors. Earlier this year, for example, a piece of malware dubbed DroidDreamLight infiltrated some 34 apps in the Android Market.

But if iPhone users are largely unaffected by malware, they’re not entirely immune to it — particularly if they’ve jailbroken their devices to run apps not sanctioned by Apple. Lookout charted a troubling spike in Web-based threats in the first half of 2011. These are cross-platform and thus of concern to Android and iOS users alike.

“In the past year, iOS has seen multiple web-based exploits in the wild that allow an attacker to run code as root if a user simply visits a web page,” Lookout said in its report. “These exploits first take advantage of a browser vulnerability to run code as the browser process, then take advantage of a local privilege escalation vulnerability to run code as root. Thankfully, we haven’t seen evidence of these exploits being used maliciously: they were primarily used to allow users to jailbreak their devices.”

A report last week from researchers at Germany’s Ulm University found that Google authentication tokens are susceptible to interception in all but the Gingerbread and Honeycomb releases of Android. As a result, an attacker could easily gain access to a user’s private Google account information, such as calendar and contact information, if that phone is used on an open Wi-Fi network.

The issue here–and it is not unique to Google–is that when unencrypted information is sent over open networks, it is easily intercepted, says Lookout Mobile Security CTO Kevin Mahaffey.

“If you are mailing sensitive data in transparent envelopes, you should not be surprised people can look at (it),” Mahaffey said. Google is not the only one transmitting either such tokens or other important information “in the clear,” Mahaffey said. Much of the data transmitted from PCs and phones is still sent over unencrypted connections. However, Mahaffey said the time has come where services should be moving any potentially sensitive information over a secured connection.

Although such an approach might have been cost prohibitive back in the early days of the Internet, Mahaffey said it is now economically feasible for most services.

In Google’s case, sending the authentication tokens means that an attacker, even without one’s password, can access the account information for the life of the token–in this case around two weeks. Google changed its processes in the latest releases of Android, but the vast majority of users are running Froyo or older versions of the operating system.

Plus, unlike with a computer vulnerability, users don’t have a way to quickly update their phone’s software as new issues are discovered. Instead, updates to the operating system typically take months to get approved by the phone makers and carriers before becoming available to phone owners, if they are made available at all.

At Google’s I/O conference last week, the company outlined a new industry effort aimed at both speeding up software updates and ensuring that they are made available to users for at least 18 months after a device is introduced.

In the meantime, Mahaffey recommends that users try to avoid unsecured Wi-Fi connections altogether, or, if they are using such connections, that they turn off synchronization and be careful what other types of data they send.

For its part, Google says it is aware of the issue, has made some changes and is working on others.

“We’re aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we’re working on fixing it in Picasa,” Google said.

According to a post on Microsoft’s corporate security blog, the vulnerability resides in something called MIME HTML or MHTML, which allows certain Web content to be rendered in a browser or other applications, such as an email program. As with so many other vulnerabilities that have come before it, an attacker sends you an HTML link to trigger a script in Internet Explorer that could do bad things, like collect user information.

The easiest fix? Use Firefox or Google’s Chrome browser, which are unaffected. But for those devoted to IE, Redmond is suggesting that people turn off the ability to handle MHTML until a fix is ready. How to do that? There’s a helpful FixIt button, in yet another blog post on the subject, that downloads the software needed to enable the temporary measure.

The vulnerability was first disclosed on a Chinese Web site last week. So far, there’s no evidence that anyone has gone to the trouble of carrying out an attack using this method, but hey, with zero-day vulnerabilities, you never know.

The hole stems from the app’s failure to confirm the authenticity of PayPal’s website when communicating over the Internet–a basic lapse that the security researcher who found the flaw said would allow someone to intercept passwords from unsuspecting users.

PayPal spokeswoman Amanda Pires said the eBay Inc. unit verified the vulnerability Tuesday night and has fixed the problem after being notified by The Wall Street Journal. PayPal sent the fixed version of the app to Apple Inc.’s App Store. “To my knowledge it has not affected anybody,” Ms. Pires said. “We’ve never had an issue with our app until now.”

A hacker would need skill and luck to make use of the vulnerability, which only affects users of the iPhone app connecting over unsecured Wi-Fi networks. It doesn’t affect the company’s Android app or users of the PayPal.com website.

Read the rest of this post on the original site

Evidently that’s a new record.

“For those who keep track of such things, this will be the most bulletins we have ever released in a month; we have released 13 bulletins on a couple of occasions,” Microsoft’s Security Response Center team explained. “However, in total CVE [Common Vulnerability and Exposure] count, this release ties with June 2010, so there’s no new record there.”

Anyway…if you’re a PC, be sure to set aside some time next Tuesday for installation. Microsoft (MSFT) plans to release the updates at approximately 10 am PT.

“We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way,” Jerry Bryant, Microsoft’s Security Program Manager said in a statement.

I see. Perhaps, IE’s security record inspired budget concerns given the number of potential payouts.

In any event, here’s Bryant’s statement in full.

“We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researcher’s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update. We also work to make sure we can support and strengthen the community’s development, by sponsoring nearly 50 security conferences in over 20 countries each year. We even host our own researcher conference at Redmond each year, called ‘BlueHat Security Briefings’ to promote the sharing of ideas, social networking and provide direct access between researchers and the specific owners of the technology they’re researching. While we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We’ve had several influential folks from the researcher community join our security teams as Microsoft employees. We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.”

When does Apple expect to issue that fix? The company won’t say.

[Image credit: Engadget]

The flaw was first demonstrated Thursday. “This is serious. The only thing you can do to prevent it is turn off your phone,” security researcher Charlie Miller said of it earlier this week. “Someone could pretty quickly take over every iPhone in the world with this.”

Well, not anymore, as Apple (AAPL) was quick to note. “This morning, less than 24 hours after a demonstration of this exploit, we’ve issued a free software update that eliminates the vulnerability from the iPhone,” said an Apple spokesperson. “Contrary to what’s been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.”

The flaw was first demonstrated Thursday. “This is serious. The only thing you can do to prevent it is turn off your phone,” security researcher Charlie Miller said of it earlier this week. “Someone could pretty quickly take over every iPhone in the world with this.”

Well, not anymore, as Apple (AAPL) was quick to note. “This morning, less than 24 hours after a demonstration of this exploit, we’ve issued a free software update that eliminates the vulnerability from the iPhone,” said an Apple spokesperson. “Contrary to what’s been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.”

Well, there’s a shocker. IE’s catalog of vulnerabilities and the security bulletins announcing them are so voluminous and overlarge at this point, it takes Security Focus 18 pages to list them all. So reports today that IE suffers from a vulnerability that affords attackers access to any sensitive data on your PC isn’t unusual. What is unusual is that the flaw–found in all Windows versions of the browser–has gone unpatched for so long that it’s being widely exploited. “Based on our stats, since the vulnerability has gone public, roughly 0.2 percent of users worldwide may have been exposed to Web sites containing exploits of this latest vulnerability,” the Microsoft Malware Protection Center said Saturday. “That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50 percent in the number of reports today compared to yesterday.”

And that was three days ago (the Microsoft Malware Protection Center has been oddly silent the past few days).

What’s an IE user to do? Microsoft has a few suggestions–“follow our Protect Your PC guidance” (… BAHAHAHAHA)–but really, at this point it’s obvious what needs to be done. Find. Yourself. Another. Browser.

Here’s looking forward to the next browser market share report….

[Image credit: Bill Navarro]

The California Secretary of State has finally released the source-code review portion of its two-month “top-to-bottom” examination of electronic voting systems certified for use in California, and it’s not pretty. “The software contains serious design flaws that have led directly to specific vulnerabilities that attackers could exploit to affect election outcomes,” the report concludes. “An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine. The damage could be extensive–malicious code could spread to every voting machine in polling places and to county election servers.”

And it gets worse. Princeton professor Ed Felten read through the Diebold report, as well as those of Hart InterCivic and Sequoia Voting Systems, and found that some of the problems it identifies are the same ones Diebold claimed to have fixed years ago. “Diebold claimed (p. 11) in 2003 that its use of hard-coded passwords was ‘resolved in subsequent versions of the software,’ ” Felten notes. “Yet the current version still uses at least two hard-coded passwords–one is “diebold” (report, p. 46) and another is the eight-byte sequence 1,2,3,4,5,6,7,8 (report, p. 45).”

Now, “1,2,3,4,5,6,7,8″ is an improvement over “11111,” Diebold’s last hard-coded security key, in that it employs eight numbers instead of just one. But surely it can’t be among those that inspired California Secretary of State Debra Bowen to recertify Diebold’s machines for use in the 2008 elections. Presumably, “come up with a less laughable password” was a condition of recertification.

The California Secretary of State has finally released the source-code review portion of its two-month “top-to-bottom” examination of electronic voting systems certified for use in California, and it’s not pretty. “The software contains serious design flaws that have led directly to specific vulnerabilities that attackers could exploit to affect election outcomes,” the report concludes. “An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine. The damage could be extensive–malicious code could spread to every voting machine in polling places and to county election servers.”

And it gets worse. Princeton professor Ed Felten read through the Diebold report, as well as those of Hart InterCivic and Sequoia Voting Systems, and found that some of the problems it identifies are the same ones Diebold claimed to have fixed years ago. “Diebold claimed (p. 11) in 2003 that its use of hard-coded passwords was ‘resolved in subsequent versions of the software,’ ” Felten notes. “Yet the current version still uses at least two hard-coded passwords–one is “diebold” (report, p. 46) and another is the eight-byte sequence 1,2,3,4,5,6,7,8 (report, p. 45).”

Now, “1,2,3,4,5,6,7,8″ is an improvement over “11111,” Diebold’s last hard-coded security key, in that it employs eight numbers instead of just one. But surely it can’t be among those that inspired California Secretary of State Debra Bowen to recertify Diebold’s machines for use in the 2008 elections. Presumably, “come up with a less laughable password” was a condition of recertification.