Friday, August 22, 2014

What Life's Like On The Other Side:
Fragmandroid Illustrated

--

I've never been one to start computer warz, only to satirize them and righteously defend Apple when they deserve it. But I saw this graphic today and have to share it. Warning: It's nauseating.

This isn't the latest boring modern-art demonstration of how to paint a rectangle. This is a graphic showing the fragmentation of Google's Android operating system, per device. Click to view the graphic in its full incredible gory.

Google let this happen. Damn them.

And there's lots MORE. You'll find further interactive graphics and explanation over at OpenSignal's brilliant article:


As I posted over at MacDailyNews' summary article on the subject, pointedly in Google's direction:

OMF: How did you allow this to happen Google? HOW?

Smugness your way out of this catastrophe of technology. Nausea provoking. A rat’s nest of insecurity.

Thank you OpenSignal for so elegantly and blatantly pointing out what life's like on the other side. There's not much green over that hill! Good gawd.

Meanwhile, here's the iOS situation in comparison to versions of Android in the wild:


What is there to say?
Except, hurray for iOS.
--


Wednesday, August 13, 2014

CRITICAL New Adobe and Apple Updates:
Adobe Flash, Adobe AIR and Apple Safari

--

Both Apple and Adobe have provided critical updates this week:

I. ADOBE UPDATES

Adobe Flash v14.0.0.176
Adobe AIR v14.0.0.178

Adobe released 'second Tuesday of the month' updates for Adobe Reader, Adobe Flash and Adobe AIR. Both Flash and AIR include CRITICAL security updates for OS X users.

Adobe's security bulletin for Flash and AIR can be found HERE.

These updates resolve memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0540, CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545). These updates resolve a security bypass vulnerability (CVE-2014-0541). These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2014-0538).

Keep in mind that every security update of Flash means there is also a security update of AIR.


II. APPLE UPDATES

Apple Safari v6.1.6
Apple Safari v7.0.6

Both updates are available using "Software Update" in the Apple menu of OS X. Quoting from Apple's security content documentation for the updates:

WebKit

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.4

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

IOW: The usual bad memory management security holes, the curse of contemporary coding. I'm hoping that Apple's new Swift programming language will end this trend.

The CVEs patched are: 

CVE-2014-1384
CVE-2014-1385
CVE-2014-1386
CVE-2014-1387
CVE-2014-1388
CVE-2014-1389
CVE-2014-1390




* You can check out CVEs (Common Vulnerabilities and Exposures) using the "CVE Search" link on the right of this page.

--

Wednesday, August 6, 2014

Upcoming Changes In Apple's Gatekeeper Security

--

Apple started providing 'Gatekeeper' with OS X 10.7.x. You can see its settings in the Security & Privacy preference pane, under the General tab.


It's a bad idea to have it set to allow applications from 'Anywhere'. Don't do that! But I find it too restrictive to only download from the Mac App Store. I continue to use many wonderful apps that are never going to be available directly from Apple. Therefore, I personally prefer to leave Gatekeeper set to allow apps from the "Mac App Store and identified developers."

What's changing in the OS X Mavericks 10.9.5 update as well as 10.10 Yosemite is further scrutiny of the "identified developers." The GUI for Gatekeeper will remain the same. But developers are going to have to take an extra step with their applications in order to allow their security certificates to get past the 'Gatekeeper'. Users may well find that many previously 'identified' application security certificates won't pass muster and will cause OS X to reject them.

You can read the gory details in Apple's Technical Note TN2206: OS X Code Signing In Depth. Skip ahead through the document to the section heading "Changes in OS X 10.9.5 and Yosemite Developer Preview 5".

If your team is using an older version of OS X to build your code, re-sign your app using OS X version 10.9 or later using the codesign tool to create version 2 signatures. Apps signed with version 2 signatures will work on older versions of OS X….

Important: To ensure your current and upcoming releases work properly with Gatekeeper, test on OS X version 10.10 (Seed 5 or later) and OS X version 10.9.5.

There are several articles discussing this change. Here is one, cited over at MacDailyNews, from Richard Mallion at the AmSys blog in the UK:

Gatekeeper changes coming
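
To see which installed apps already carry the version 2 signatures the TN2206 quote asks for, this shell script (an added example, not from Apple's note or from this blog) classifies codesign -dv output by its "Sealed Resources version=" line and pairs it with Gatekeeper's own verdict from spctl. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report signature format and Gatekeeper verdict per app.

# Classify `codesign -dv` text read from stdin:
#   v2       sealed resources version 2 (what TN2206 asks for)
#   v1       older resource seal; re-sign on OS X 10.9 or later
#   unsigned codesign found no signature
#   unknown  no "Sealed Resources version=" line (e.g. a bare binary)
classify_signature() {
    awk '
        /not signed at all/          { result = "unsigned" }
        /^Sealed Resources version=/ {
            split($3, kv, "=")       # $3 is "version=N"
            result = (kv[2] + 0 >= 2) ? "v2" : "v1"
        }
        END { print (result == "" ? "unknown" : result) }
    '
}

# macOS only: audit every .app bundle in a directory.
# codesign prints -d output on stderr, hence 2>&1.
audit_apps() {
    dir=${1:-/Applications}
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        sig=$(codesign -dv "$app" 2>&1 | classify_signature)
        if spctl --assess --type execute "$app" >/dev/null 2>&1; then
            gk=accepted
        else
            gk=rejected
        fi
        printf '%s\t%s\t%s\n' "$sig" "$gk" "$app"
    done
}

# Constructed sample output, not captured from a real app.
SAMPLE_V1='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20100 size=1234 flags=0x0(none) hashes=54+3 location=embedded
Sealed Resources version=1 rules=4 files=120'
SAMPLE_V2=$(printf '%s\n' "$SAMPLE_V1" | sed 's/version=1 rules=4/version=2 rules=12/')
SAMPLE_UNSIGNED='/Applications/Example.app: code object is not signed at all'

# Run the audit only where the tools exist (i.e. on OS X).
if command -v codesign >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1; then
    audit_apps "${1:-/Applications}"
fi
```

Any app reported as v1 is a candidate for the re-signing step quoted above; spctl's verdict also depends on the Gatekeeper setting chosen in the Security & Privacy pane.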

:-Derek