May 21 - 4:05pm EDT
A new vulnerability in iCal has been discovered that allows unauthenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) assistance from the end user of the application, or to repeatedly execute a denial of service attack to crash the iCal application. Core Security writes that "the most serious of the three vulnerabilities is due to potential memory corruption resulting from a resource liberation bug that can be triggered with a malformed .ics calendar file specially crafted by a would-be attacker". [full story]
April 24 - 9:00pm EDT
A little over a week after Apple offered a security update to Safari 3.1.1, security research site Secunia warned users about another, but "less critical," vulnerability that could allow malicious sites to "spoof" other websites. Reported by Juan Pablo Lopez Yacubian, the security advisory notes that Safari 3.11 has a flaw that can be exploited by malicious people to display a fake URL in the address bar. "The problem is that it is possible to hide the actual location of a page in the address bar via a specially crafted URL containing a number of certain special characters in the 'user' field before the '@' character," the report noted. It affects both Mac OS X and ... [full story]
March 19 - 12:30am EDT
A new exploit has surfaced for the iPhone's Safari browser that, while drawing parallels to an earlier issue, requires no user input to function. According to iPhone World, the vulnerability is triggered by previously conceived code that has been refined in the above manner. The issue affects firmware version 1.1.4 iPhones, and presumably previous versions. Safari on the Mac and PC were also affected by this vulnerability, but it was recently fixed in Safari 3.1, released today. [full story]
January 26 - 1:25pm EST
iPhone owners should be on guard against a new threat, which fortunately doesn't harm the device, but still induces a freeze by taking all available system memory. According to security firm SecurityFocus, the vulnerability is exposed by a Denial of Service attack, when a maliciously crafted webpage is viewed. The page will insert code into the iPhone, which continually eats up available system memory before causing a kernel panic. [full story]
January 9 - 12:10am EST
The iPhone recently fell victim to its first Trojan attack, which came in the form of a malicious file named “113 prep”. While installation of the phony application is relatively benign – the app merely says “shoes” when activated – uninstalling the file causes damage to or deletes system-critical files in the /bin directory on the iPhone. In addition to harming the device's own software, third-party utilities are also being rendered useless through the same means. This attack was orchestrated by an 11-year-old, and has some modmyifone.com forum members laughing to ease the pressure using references to the 1995 film Hackers, due to the similarity of circumstances. [full story]
December 17 - 11:20pm EST
WatchGuard Technologies recently updated its Firebox X network protection hardware to neutralize the latest Java threats against Mac OS X 10.4 Tiger users. Malicious web pages are reportedly the most common methods of implementation for viruses or attacks, but WatchGuard says that its equipment protects against these kinds of incursions by running network traffic through its Application Proxy technology – a proxy that separates user traffic from web-source to neutralize these exploits. Application Proxy is currently available in all of WatchGuard's products, including the Firebox X line of protective hardware. [full story]
December 11 - 5:25pm EST
The iPhone will be a major target for hackers in 2008, with attacks centered around the included Safari web browser, according to a prediction by Arbor Networks Security. The attacks will most likely be bits of malicious code that, when intertwined with benign digital material such as image files, could be capable of executing various harmful commands on the device. Arbor believes that the prospect of attacking Apple users and being among the first to hack a new platform are both big draws for malevolent hackers. [full story]
December 11 - 3:25pm EST
Viruses have been of little concern to most Mac users since OS X made its first appearance in 2001. Apple's switch to Intel processors, and the various virtualization processes that exist for running Windows, have eroded that confidence for some users. Although Apple is usually on the ball with fixing system vulnerabilities, some larger problems can go for several days or weeks before a proper fix is available. Symantec's Norton AntiVirus 11 aims to complement the Mac OS' natural sturdiness by providing anti-viral services and fixes for security holes while Apple works on a true solution for the problem. [full story]
December 10 - 5:25pm EST
A new denial of service (DoS) vulnerability has surfaced in Apple's Mac OS X Leopard operating system that can result in crashes, according to Heise Security. The flaw, which is an integer overflow in the load_threadstack function in mach_loader.c, occurs when processing Mach-O binaries and can lead to a kernel panic. Single-user systems should not be at risk, according to the company, but multi-user setups are vulnerable because attackers do not require any special privileges to provoke the error. [full story]
November 30 - 1:20am EST
Symantec has notified DeepSight customers that a bug in QuickTime's Real Time Streaming Protocol can lead to the execution of malicious code on any computer running QuickTime 7.2 or later, and that a working proof-of-concept set of code is being circulated on the internet. Computerworld reports that the bug was originally posted on milw0rm.com, and that the exploit code had worked when tested against Windows XP and later in Vista. Mac OS X 10.4 Tiger and 10.5 Leopard are said to be vulnerable as well, but it took considerably more time for researchers to craft a reliable, working exploit. [full story]
November 29 - 4:45pm EST
Networking security hardware manufacturer SonicWALL recently announced that it has distributed defensive measures to users of its Unified Threat Management technology, against zero-day vulnerability exploits found in QuickTime. Malicious websites are able to create a stack-based buffer overflow in Apple's media player, by providing a phony movie file that, when activated, executes a series of code that allows a user's machine to be taken over. SonicWALL says that the problem lies within the "Content-Type" header field that is sent from the server, which is not properly verified by the client's QuickTime. Once the "Content-Type" field reaches a certain length, a Buffer ... [full story]
