Cryptography


Apple Ships Huge Set of Patches for OS X

Apple has released a massive set of patches for a wide range of security vulnerabilities in a number of its products and components, including OSX Lion and QuickTime. The patches, which are rolled up in OS X 10.7.3, fix a slew of serious bugs, many of which can be used to execute remote code on vulnerable machines.


By Eric RescorlaYou’ve of course heard by now that much of the Internet community thinks that SOPA and PIPA are bad, which is why on January 16, Wikipedia shut itself down, Google had a black bar over their logo, etc. This opinion is shared by much of the Internet technical community, and in particular much has been made of the argument made by Crocker et al. that DNSSEC and PIPA are incompatible. A number of the authors of the statement linked above are friends of mine, and I agree with much of what they write in it, but I don’t find this particular line of argument that convincing.

There’s an odd bit of behavior that some Windows systems will exhibit when certain kinds of installers are launched, automatically elevating the privileges of the installer process to system-level privileges. In theory, the issue shouldn’t be exploitable because at one point in the process the system will generate an MD5 hash of a DLL that’s to be loaded, and unless the attacker can replace that DLL with a malicious one that sports the same hash, an attack is impossible. But those constraints may not hold for all attackers, a researcher says.

VIEW SLIDESHOW Ten Tips For Protecting Your Devices From Seizure By U.S. CustomsFourth amendment be damned. With U.S. Customs agents increasingly interested in the contents of digital devices like iPhones, iPads and laptops, The Electronic Frontier Foundation has issued guidance for getting your mobile device across the border safely and protecting the data on it should it get seized.

Governments in some countries have not been shy about trying to block their citizens from using the Tor network to access censored or sensitive Web content. The Chinese government has become quite proficient at this, and a recent analysis of the methods the country is using to accomplish this shows that officials are able to identify Tor connections in near real-time and shut them off basically at will.

Documents purportedly lifted from Indian government servers contain explosive allegations: that leading Western firms including Apple Corp., Research in Motion and Nokia provided the government with secret access to mobile devices their mobile operating systems- access that the Indian government then used to spy on official, high-level conversations about trade relations between the U.S. and China.

A new version of the OpenSSL package has been released, fixing six vulnerabilities, including a plaintext recovery attack on the DTLS implementation. There are two other cryptographic flaws fixed in OpenSSL 1.0.0f, and a few other less-serious problems.