Safari 4.0.4 was released yesterday for download, affecting both OS X and Windows versions.

Multiple security issues are addressed in this version, including remote code execution, process termination and disclosure of information issues.  Also one fix for a specific coss-site request forgery (CSRF)

http://support.apple.com/kb/HT3949

Apple iPhone owners in Australia have reported that their smart phones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.

The worm, which could have spread to other countries although there are no confirmed reports outside Australia, is capable of breaking into jail broken iPhones if their owners have not changed the default password after installing SSH. Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again

On each installation, the worm - written by a hacker calling themselves "ikex" - changes the lock background wallpaper to an image of Rick Astley with the message:

ikee is never going to give you up

What's clear is that if you have jail broken your iPhone or iPod Touch, and installed SSH, then you must always change your root user password to something different than the default, "alpine". In fact, it would be a good idea if you didn't use a dictionary word at all.

The worm will not affect users who have not jail broken their iPhones or who have not installed SSH.

SophosLabs is analyzing the worm's code, which suggests that at least four variants have been written so far. One of the attributes of the latest variant (labeled the "D" version) is that it tries to hide its presence by using a file path suggestive of the Cydia application.

Presently it appears that the worm does nothing more malicious than spread and change the infected user's lock screen wallpaper. However, that doesn't mean that attacks like this can be considered harmless.

TLS 1.0+ and SSL 3.0+ (known from among others "https") is vulnerable to a protocol weakness where a man in the middle attack could be worked in during the renegotiation phase in modern versions of the protocol.

While the details had been offered in a meeting with the IETF, vendors and the open source implementers of SSL privately, it appears an IETF mailing list came to finding it again. That seems to have prompted the original finders to offer up their finding publicly.

• The original description
• The summary by the IETF TLS workgroup, and promisses for an amended protocol
• Marsh Ray's paper
• March Ray's protocol diagrams

There does not seem to be much you can do till the protocol is fixed. The main problem seems to be with clients using certificate authentication.

Exploiting this requires the attacker to be able to intercept the traffic.

Affected: BlackBerry Desktop Software version 5.0 and earlier (on all platforms) - IBM Lotus Notes Intellisync

Fixed in version 5.01

CVSS score: 9.3

CVE-2009-0306

More info: KB19701

The KB contains a workaround for those not needing the Lotus Notes Intellisync functionality.

from their version history notes:

• Full support for Windows 7.
• Full support for Mac OS X 10.6 Snow Leopard.
• The ability to configure selected volumes as 'system favorite volumes'.

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device).

More information here: http://www.truecrypt.org/docs/?s=version-history