Having said that, there are some things that one would expect to be, at least not vulnerable. One such thing is the browser address bar. We all know about phishing and other stuff, but address bar spoofing is something that is very dangerous.

The latest version of the safari browser running on iOS – (5.1), has this issue. Users of iPhones, iPads, and iPod touch devices running Safari on iOS 5.1 should beware of this security issue that involves address bar spoofing.

The issue was discovered by David Vieira-Kurz of MajorSecurity.net, and involves “an error within the handling of URLs when using javascript’s window.open() method.”

In other words, when you click something on a page and if the page opens a new window, what you see in the address bar may not be the actual site. We are not even talking about tricky URLs designed to fool naive users (something like www.wellsfargobank.com.loanapplication.mortgage.1.com.au), we are talking about plain url www.apple.com or www.yourbank.com being spoofed. Your address bar can read this, but the actual site can be loaded from another location in an iFrame, looking exactly similar to this.

MajorSecurity.net has this demo page. If you test this on a SAFARI browser running on an iOS 5.1 device you will be able to see the security threat.

MajorSecurity.net Demo Page

But we went ahead and decided to test this on other environments. The same issue can be replicated on the following

Safari running on any version of iOS.
Safari on iPhone 3GS and iOS 4.
Safari on iPod 2G running iOS 4
Safari on iPhone 4S running iOS 5.0
Safari 4.0.4 running on Mac Snow Leopard 10.6.2
Safari 4 running on 24 inch iMac on snow leopard 10.5.x
Safari 5.0.6 running on a iMac on Snow Leopard 10.5.8

and so on..

This is quite dangerous and at this point we conclude that this seems to be a problem with Safari browser itself, not the iOS operating system. We will be testing Safari 5 on macs and update this post if there is an issue.

NO ISSUES WITH FIREFOX
On the other hand this demo page does not cause the issue in Firefox 3.6 browser and upwards. Makes you wonder if Firefox is a more secure browser! We are not even considering any version of IE because it is not worth it!

MajorSecurity.net has the following

Solution
=============
Users should upgrade to a newer version as far as the vendor has supplied a patch.

Timeline
================
2012-03-01, vulnerability identified in iOS 5.0
2012-03-01, vulnerability reproduced with iOS 5.1
2012-03-02, vendor has been informed
2012-03-03, vendor response
2012-03-20, advisory published

Update:

Safari 5.0.6 also has this issue. This demo page is loading an iFrame scaled for iOS device, but you can easily change that to fill the entire screen without borders and scrolling, making it appear to be the actual page.

Imagine the nightmare Paypal and Banks have to go through, if a rogue element were to attempt this exploit.

The current update from Apple is 5.1.4 for Safari, which relates to Mac OSX Lion. Not sure if this update fixes this issue for users running the Lion operating system, but there are millions of users who bought a Mac in the last few years, who are likely to be on Safari 5.0.6 and below on Snow Leopard. It is highly likely that most of them did not do a paid upgrade to OSX Lion. In that case there are still potential millions of users who are vulnerable using “their latest” available version of Safari. Apple should not leave them behind (assuming Safari 5.1.4 fixes this issue for Lion users). Hopefully we will get a security update from Apple soon!

Many of us have never heard of this little company before. Now it is time. Last week the big announcement came. No, it has nothing to do with T-Mobile. Check out the magic number 11.11.11. The date they are getting iPhone 4S and they will be the fourth carrier to have the iphone in the US.

T-Mobile is left out and we don’t know how long they will survive. They are really having their fingers crossed to get gobbled up by AT&T.

The apple website has the following:

Apple has lost a visionary and creative genius, and the world has lost an amazing human being. Those of us who have been fortunate enough to know and work with Steve have lost a dear friend and an inspiring mentor. Steve leaves behind a company that only he could have built, and his spirit will forever be the foundation of Apple.

If you would like to share your thoughts, memories, and condolences, please email rememberingsteve@apple.com

Enough said.

The following Steve Jobs speech at the Stanford graduation is one of the greatest speeches ever given by any leader.

Thank you

According to the report, from a J.P. Morgan analyst, “In recent months, there has been rising investor speculation that a new iPad 3 would be launched for the holiday season.”

However, he added: “Our latest research continues to indicate that there is no such device slated for production this year. … There are prototypes in the supply chain related to the next-generation device, but our conversations with industry participants suggest that a new device will not be available until sometime in calendar 2012.”

So, looks like there will be an iPhone 5 before an iPad 3.