iPhone 5G spam spreads Windows malware

Still using a crummy old iPhone 4? Fancy an iPhone 5G instead?

You know, the one with the built-in physical keyboard that slides out and is “slimmer, faster and sleeker” than ever?

What’s that? You haven’t heard of the iPhone 5G? Well, that’s perhaps not a surprise as it doesn’t exist yet.

But maybe you think you missed the news – after all, Apple is making some product announcements later today at WWDC 2011 and it’s still possible Steve Jobs might reveal a new incarnation of the iPhone rather than the (much more likely) news around iOS 5, Mac OS X 10.7 (“Lion”) and iCloud.

Nevertheless, you might have been one of the people who have received an email claiming to come from Apple with the subject line:

Finally. The amazing iPhone 5. Now available in black edition.

Part of the email, which claims to come from [email protected], reads:

Introducing the iPhone that lets you do more than ever. And do it amazingly faster.

Launch and switch between applications quickly. Bigger display, transparent mode, better cloud integration. Shoot, edit, and share video like never before. Slimmer, faster and sleeker. Discover many more features that make iPhone 5G S the best iPhone yet.

Take care not to click on links contained inside the email, however, as they point to a malicious executable file called iphone5.gif.exe.
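A mail filter can flag this lure from the link's file name alone: a harmless-looking media extension followed by an executable one. The sketch below is an added example, not Sophos code or part of the original post; the extension lists, hosts and link paths are constructed assumptions, and only the file name iphone5.gif.exe comes from the message described above.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Assumed lists: extensions Windows runs on open, and common decoy extensions.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".txt", ".mp3", ".avi"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def double_extension(url):
    """Return (decoy_ext, real_ext) if the URL's file name is a decoy+executable lure."""
    # Decode %2E and friends first so an encoded dot cannot hide the real extension.
    path = unquote(urlsplit(url).path)
    # Win32 drops trailing dots and spaces from file names, so ignore them here too.
    name = posixpath.basename(path.replace("\\", "/")).rstrip(". ").lower()
    stem, real_ext = posixpath.splitext(name)
    _, decoy_ext = posixpath.splitext(stem.rstrip(". "))
    if real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS:
        return decoy_ext, real_ext
    return None

def flag_links(message_body):
    """Extract every http(s) link from a message body and return the suspicious ones."""
    hits = []
    for url in URL_RE.findall(message_body):
        url = url.rstrip(".,;)")  # strip sentence punctuation glued to the link
        found = double_extension(url)
        if found:
            hits.append((url, found))
    return hits

# Constructed sample body: hosts and paths are invented for this example.
SAMPLE_BODY = """
<a href="http://apple-store.example.invalid/promo/iphone5.gif.exe">Learn more</a>
<a href="http://cdn.example.invalid/img/iPhone5.GIF%2Eexe?ref=mail">Black edition</a>
<img src="http://cdn.example.invalid/img/iphone5.gif">
Download the installer at http://downloads.example.invalid/setup.exe.
"""

if __name__ == "__main__":
    for url, (decoy, real) in flag_links(SAMPLE_BODY):
        print(f"SUSPICIOUS {url}: looks like {decoy}, runs as {real}")
```

The genuine image link and the plainly named setup.exe are not flagged; the check targets only names that present one type while executing as another.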

Of course, the images of the iPhone 5 with a built-in hardware keyboard are just some fanboy’s dream.

Sophos products intercept the emails as spam, and identify the malware that the messages point to as the Troj/Zapchast-B Trojan horse.

Ironically, this spammed-out malware attack doesn’t infect iPhone or even Apple Mac users – the Trojan only infects the Windows operating system.

Apple security fixes for SSL, Safari and iOS

You know how they say “Better late than never”? That appears to be Apple’s approach to the Comodo SSL certificate scandal. Today they released OS X Security Update 2011-002, Safari 5.0.5 and iOS 4.3.2 (4.2.7 for Verizon).

Security Update 2011-002 is simply the certificate revocation for the certificates that were fraudulently signed by Comodo over 3 weeks ago. The steps I outlined for Apple users are still good practice though, so there is no need to revert the changes.

Safari 5.0.5 applies to both Windows and OS X versions of Apple’s browser. The update contains two fixes; both flaws could cause arbitrary code execution or a crash when a user visits a malicious website.

To apply these updates for OS X click the Apple icon in the menu bar and choose Software Update.

Users of OS X mini (better known as iOS) have an update available as well. iOS 4.3.2 (4.2.7 for Verizon customers) was released to iTunes today and fixes the same certificate trust issue as the update for OS X.

It also patches the browser for the same two flaws as the Safari 5.0.5 update, and fixes an arbitrary code execution risk from the QuickLook application. QuickLook is used for viewing Microsoft Office files on iDevices, and this flaw appears to be the one used by Charlie Miller at this year’s Pwn2Own contest.

One fix applies to iOS 4.3.2 only: a bug in libxslt which could disclose memory addresses on the heap if exploited. What does this mean? Attackers need to know memory addresses to attack certain parts of iOS.

The latest versions of iOS use Address Space Layout Randomization, which makes sure libraries are loaded at unpredictable locations in memory, making vulnerabilities more difficult to exploit. This flaw could enable attackers to discover these “secret” memory addresses.

To update your iPhone/iPad/iPod touch device, connect it to your computer with iTunes, select the device on the left side and press the button “Check for updates”.

For the best security on your Macintosh, download Sophos Anti-Virus for Mac Home Edition; there is no reason not to, as it is absolutely free.

Judge Delays Ruling on PlayStation Hack

SAN FRANCISCO — A federal judge here on Friday put off deciding whether PlayStation 3 hacker George Hotz should surrender his computer gear as part of a lawsuit from console-maker Sony.

Sony sued Hotz on Tuesday, alleging Hotz’ posting of the code to crack the PlayStation 3 was a breach of the Digital Millennium Copyright Act’s anti-circumvention provisions. Sony, which is also seeking unspecified monetary damages, also wanted Hotz to remove any code the New Jersey man had uploaded to the internet last week.

U.S. District Judge Susan Illston, without deciding any of the merits of Sony’s DMCA claim and other allegations, said she was unsure whether the lawsuit should even be tried in her courtroom. She wondered aloud whether the case should be aired in the 21-year-old’s home state of New Jersey, where the hacking took place.

“I’m really worried about the jurisdictional question,” the judge said from the bench during a 20-minute hearing.

Sony’s attorney, James Gilliland Jr., argued the case could proceed in San Francisco because Hotz posted the hack on Twitter and YouTube, which are based in California. And Gilliland said Hotz received donations for the hack through PayPal, also based in California — an allegation Hotz’ attorney denied.

But if using Twitter or Facebook is enough to bring a case to San Francisco, “the entire universe would be subject to my jurisdiction,” the judge told the Sony attorney about his argument.

Gilliland countered, arguing that the PlayStation’s terms-of-service agreement demands that legal disputes be settled in federal court here, near where Sony Computer Entertainment America is based.

In the end, Judge Illston said she would rule at an undisclosed time.

“Serious questions have been raised here,” she said.

Hotz accessed the so-called “metldr keys” and obtained root access to trick the PS3 into running software not approved by Sony. He published the code a week ago, and was greeted Tuesday with a lawsuit from Sony, which has sold 41 million PS3 units since the console’s 2006 debut. The code allows a user to play pirated and homebrew software on the console, and has spread across the net like wildfire.

In an e-mail, Hotz said the case “doesn’t have any basis.”

“I am a firm believer in digital rights. I would expect a company that prides itself on intellectual property to be well-versed in the provisions of the law, so I am disappointed in Sony’s current action. I have spoken with legal counsel and I feel comfortable that Sony’s action against me doesn’t have any basis,” he wrote.

The DMCA makes it either a civil or criminal offense to traffic in wares meant to circumvent devices protecting copyrighted works.

But hacking or jailbreaking an iPhone so it will run apps not authorized by Apple is neither a civil nor criminal offense. The U.S. Copyright Office made that activity lawful in July.

Lawyer: PlayStation 3 Jailbreak Code Is a ‘Google Search Away’

The lawyer for embattled gadget hacker George Hotz told a federal judge Thursday that it is impossible to cleanse the internet of the code to jailbreak the PlayStation 3, despite Sony’s demands that it be done.

“The code sought to be restrained will always be a Google search away,” wrote attorney Stewart Kellar, who represents Hotz, a 21-year-old from New Jersey who goes by the handle “GeoHot.”

Hotz accessed the so-called “metldr keys” and obtained root access to trick the PS3 into running software not approved by Sony. He published the code a week ago, and was greeted Tuesday with a lawsuit from Sony, which has sold 41 million PS3 units since the console’s 2006 debut. The code allows the playing of pirated and home-brew software on the console, and has spread across the net like wildfire.

The suit claims Hotz, well known in the iPhone jailbreak community, breached the anti-circumvention provisions of the Digital Millennium Copyright Act and other laws. It seeks unspecified damages, the removal of the code from the internet, and the impounding of all of Hotz’s computer and related gear.

Kellar, in a court filing, told U.S. District Judge Susan Illston that the case lacks a legal basis. Still, he said, Sony is trying to send “a message to any would-be individual that attempting to use any hardware it manufactures in a way it does not deem appropriate will result in harsh legal consequences.”

A hearing on the code’s removal, and the surrendering of Hotz’s equipment, is scheduled for 9 a.m. Friday in San Francisco federal court. Hotz is not expected to attend, Kellar said in a telephone interview.

Threat Level analyzed the legal flap Wednesday.
