<![CDATA[Gizmodo: exploits]]> http://gizmodo.com/tag/exploits <![CDATA[Your iPhone Will Be Safe From Random Hijackings By Tomorrow (Update: Patch Is Out Now)]]> According to British carrier O2, Apple will issue an update this weekend to fix an SMS vulnerability that could let anyone with enough know-how hijack iPhones in bulk using nothing but specially crafted text messages. It's an admirably quick fix to a comically terrible problem.

But at least Apple has an update infrastructure to match its relatively quick remedy. What's really worrying is that other vulnerable phones, mostly Android and Windows Mobile handsets, are still exposed, and whatever updates Google and Microsoft have in store may have a harder time reaching users without the near-daily update checks that are part of how people use an iPhone. And so we will all die, by text message.

UPDATE: Google has patched the exploit in Android, where it was never as dire a concern anyway—your phone could be knocked off the network, but not hijacked.

UPDATE 2: The patch is showing up in iTunes for some folks already. —Thanks, Graham!

[BBC--Thanks, Brian!]

]]>
http://gizmodo.com/index.php?op=postcommentfeed&postId=5327220&view=rss&microfeed=true
<![CDATA['Power-Line Exploit' Logs Your Keystrokes Using Outlets, Lasers]]> Thinking about plugging your laptop into one of those coveted airplane terminal power outlets while you wait for your flight to arrive? Be careful, because a hacker could be using those energy-giving wires against you.

The technique is a form of keylogging, which is nothing new, but in an interesting twist hackers have figured out a non-traditional way to do it using nothing but the electrical signals that leak out with each keystroke. Oh, and even if you aren't plugged into a socket, they can still log your keystrokes from a distance using a laser.

Called the "power-line exploit," the two-part technique is outlined in a Network World article ominously headlined "How to use electrical outlets and cheap lasers to steal data," and will be but one of several nefarious data-stealing methods on display at Black Hat USA 2009 in Las Vegas later this month.

Network World explains:

In the power-line exploit, the attacker grabs the keyboard signals that are generated by hitting keys. Because the data wire within the keyboard cable is unshielded, the signals leak into the ground wire in the cable, and from there into the ground wire of the electrical system feeding the computer. Bit streams generated by the keyboards that indicate what keys have been struck create voltage fluctuations in the grounds.

[If the laptop is unplugged], attackers point a cheap laser, slightly better than what is used in laser pointers, at a shiny part of a laptop or even an object on the table with the laptop. A receiver is aligned to capture the reflected light beam and the modulations that are caused by the vibrations resulting from striking the keys.

Which is precisely why I blog and work in a Faraday cage. In my underwear with stains on my shirt, naturally, as Best Buy revealed earlier. [Network World via CrunchGear]
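As an added example (not code from the Gizmodo post, the Network World article or the Black Hat research they describe), here is the step that turns the recovered bit stream into keystrokes. It assumes the analog part is already done, i.e. the leaked data-line levels have been sampled once per keyboard clock edge, that the keyboard uses PS/2 framing (start bit 0, eight data bits LSB first, odd parity bit, stop bit 1) and scan code set 2, and that a stray bit in the capture must be tolerated; the capture below, stray bit included, is constructed for the demo.

```python
# Added example: decode a PS/2 device-to-host bit stream into typed text.
# PS/2 framing and scan code set 2 are assumptions; the capture is constructed.

BREAK = 0xF0                 # prefix sent before a key-release scan code
SHIFT_CODES = {0x12, 0x59}   # left and right shift
SCANCODES_SET2 = {
    0x1C: "a", 0x32: "b", 0x21: "c", 0x23: "d", 0x24: "e", 0x2B: "f", 0x34: "g",
    0x33: "h", 0x43: "i", 0x3B: "j", 0x42: "k", 0x4B: "l", 0x3A: "m", 0x31: "n",
    0x44: "o", 0x4D: "p", 0x15: "q", 0x2D: "r", 0x1B: "s", 0x2C: "t", 0x3C: "u",
    0x2A: "v", 0x1D: "w", 0x22: "x", 0x35: "y", 0x1A: "z", 0x29: " ", 0x5A: "\n",
    0x16: "1", 0x1E: "2", 0x26: "3", 0x25: "4", 0x2E: "5", 0x36: "6", 0x3D: "7",
    0x3E: "8", 0x46: "9", 0x45: "0",
}


def decode_frames(bits):
    """Return the bytes carried by an 11-bit-per-frame PS/2 stream.

    A frame is start(0) + 8 data bits LSB first + odd parity + stop(1).
    If the frame at the current offset fails any of those checks (noise,
    or a stray sample between frames) we slide one bit and try again.
    """
    out = []
    i = 0
    while i + 11 <= len(bits):
        start, data, parity, stop = bits[i], bits[i + 1:i + 9], bits[i + 9], bits[i + 10]
        value = sum(b << k for k, b in enumerate(data))      # LSB first
        parity_ok = (sum(data) + parity) % 2 == 1           # odd parity
        if start == 0 and stop == 1 and parity_ok:
            out.append(value)
            i += 11
        else:
            i += 1                                          # resync
    return out


def scancodes_to_text(codes):
    """Translate set-2 scan codes to text, honouring shift and ignoring releases."""
    text = []
    shift = False
    releasing = False
    for code in codes:
        if code == BREAK:
            releasing = True
            continue
        if code in SHIFT_CODES:
            shift = not releasing          # press -> on, release -> off
            releasing = False
            continue
        if releasing:                      # a key going up: nothing typed
            releasing = False
            continue
        ch = SCANCODES_SET2.get(code)
        if ch is not None:
            text.append(ch.upper() if shift else ch)
    return "".join(text)


def encode_frame(value):
    """Build one PS/2 frame; used only to construct the sample capture."""
    data = [(value >> k) & 1 for k in range(8)]
    parity = 1 - (sum(data) % 2)          # odd parity over data + parity bit
    return [0] + data + [parity] + [1]


def sample_capture():
    """Constructed capture of someone typing 'Pass1', with one stray bit."""
    keys = [0x12, 0x4D, BREAK, 0x4D, BREAK, 0x12,      # Shift+p, release both
            0x1C, BREAK, 0x1C, 0x1B, BREAK, 0x1B,      # a, s
            0x1B, BREAK, 0x1B, 0x16, BREAK, 0x16]      # s, 1
    bits = []
    for n, code in enumerate(keys):
        bits += encode_frame(code)
        if n == 5:
            bits.append(1)    # spurious sample between frames (constructed noise)
    return bits


if __name__ == "__main__":
    print(scancodes_to_text(decode_frames(sample_capture())))
```

The resync step matters more than it looks: a real ground-line capture is noisy, and without sliding one bit at a time a single glitch would shift every later frame by one bit and turn the rest of the session into garbage.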

]]>
http://gizmodo.com/index.php?op=postcommentfeed&postId=5312995&view=rss&microfeed=true
<![CDATA[Winning Pwn2Own Hacker: Macs Are Safer Than PCs]]> Charlie Miller, the security expert whose meticulously crafted exploit took over a MacBook through Safari in 10 seconds at the Pwn2Own hacking competition, says that Macs are in fact safer than Windows. Oh boy.

It's for reasons we've heard before—there's just way less stuff out there attacking Macs. He told Tom's Hardware:

"I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there. For now, I'd still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them."

Whatever OS you're running, the best thing you can do, he says, is to keep your system up to date (then you won't get Conficker, either). And not do anything stupid, since, by his account, no anti-malware software would have stopped his exploit:

"None of those protections would have probably worked, or at least there were potential workarounds. The best thing the user could have done is not click on the malicious link. Of course, in some cases such as a man-in-the-middle attack, even this wouldn't have helped."

Oh, so maybe everybody is just screwed. [Tom's Hardware via AppleInsider]

]]>
http://gizmodo.com/index.php?op=postcommentfeed&postId=5185911&view=rss&microfeed=true
<![CDATA[Safari Cracked in Seconds at Pwn2Own Hacking Competition]]> At the annual Pwn2Own competition, where hackers compete to crack software as fast as possible so you don't sleep at night, browsers were on the first day's menu. And Safari went down in seconds.

Security researcher Charlie Miller hacked Safari in just 10 seconds with a remote code execution exploit that took over the fully patched MacBook and made it do his dirty bidding. Firefox and Internet Explorer 8 (which you can download at noon today) fell within a few hours to Nils, a master's student who broke all three browsers, Safari included. Each browser exploit earned $5,000. Day 2 will offer more $5,000 prizes for discovering new bugs in Firefox, Chrome and Safari.

Mobile phone OSes will also be part of the event, with $10,000 for cracking any of the five majors: iPhone, BlackBerry, Windows Mobile, Symbian and Android. Care to take bets on which one will go down first? [Pocket Lint]

]]>
http://gizmodo.com/index.php?op=postcommentfeed&postId=5175246&view=rss&microfeed=true
<![CDATA['Curse of Silence' Attack Can Disable Texting On Most Nokia Phones]]> Phones running a number of popular versions of the Symbian S60 mobile OS (the Nokia N95, E71 and N76, just to name a few) can be partially disabled by a maliciously crafted text message.

The attack has been lamely dubbed "The Curse of Silence" and it's pretty simple. Due to a flaw in the way the S60 messaging client handles incoming text messages, all it takes is an SMS whose protocol identifier flags it as "Internet Electronic Mail" and whose sender e-mail address is longer than 32 characters. This combination of otherwise rare circumstances causes the messaging client to silently stop receiving any SMSes until the device undergoes a factory reset. On S60 3.0 and 3.1 a single such message is enough; the older 2.6 and 2.8 releases need 11 of them.

The exploit is very, very easy to carry out and can disable phones running S60 versions 2.6 through 3.1, which covers a huge swath of Nokia's product line. Tobias Engel and the Chaos Computer Club, who found the bug, gave the details to Nokia a few weeks before passing them on to the public, but as of yet there is no official fix, though our tipster says this third-party program does the trick. Check below for a list of affected phones, and have a look over at the Register for a slightly more in-depth description of the exploit. [Tobias Engel; thanks, Pauli]

S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

S60 2nd Edition, Feature Pack 3 (S60 2.8):
Nokia N90
Nokia N72
Nokia N70

S60 2nd Edition, Feature Pack 2 (S60 2.6):
Nokia 6682
Nokia 6681
Nokia 6680
Nokia 6630
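Since the trigger is just two fields of an ordinary SMS, the practical check is to look at those fields on the way in. The following is an added example, not code from the Gizmodo post, the Register write-up or Tobias Engel's advisory: it parses the SMS-DELIVER PDU a GSM modem hands up (layout per 3GPP TS 23.040, with TP-PID 0x32 meaning "Internet Electronic Mail" and the e-mail user data starting with the originator address followed by a space) and flags messages carrying an address longer than the 32 characters reported for the bug. It only handles the 7-bit default alphabet without a user-data header; the PDUs and the sender number are constructed in the block so the demo runs offline.

```python
# Added example: SMS-DELIVER PDU parser plus a Curse of Silence filter.
# PDU layout and PID value from 3GPP TS 23.040; sample PDUs are constructed.

GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
SEMI_OCTET_DIGITS = "0123456789*#abcF"     # nibble -> digit; F is padding
PID_INTERNET_EMAIL = 0x32                   # TP-PID "Internet Electronic Mail"
MAX_ADDRESS_LEN = 32                        # longest address S60 survived


def unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit packed user data (septet i sits at bit 7*i)."""
    acc = nbits = 0
    out = []
    for byte in data:
        acc |= byte << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:   # stop at TP-UDL, not at pad bits
            out.append(GSM7[acc & 0x7F])
            acc >>= 7
            nbits -= 7
    return "".join(out)


def pack_7bit(text: str) -> bytes:
    """Inverse of unpack_7bit; used here only to construct sample PDUs."""
    acc = nbits = 0
    out = bytearray()
    for ch in text:
        acc |= GSM7.index(ch) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def decode_semi_octets(raw: bytes, ndigits: int) -> str:
    digits = []
    for byte in raw:
        digits.append(SEMI_OCTET_DIGITS[byte & 0x0F])   # low nibble first
        digits.append(SEMI_OCTET_DIGITS[byte >> 4])
    return "".join(digits[:ndigits])


def encode_semi_octets(digits: str) -> bytes:
    padded = digits + "F" * (len(digits) % 2)
    return bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, len(padded), 2))


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Extract sender, TP-PID and text from a modem-style SMS-DELIVER PDU."""
    pdu = bytes.fromhex(pdu_hex)
    pos = 1 + pdu[0]                            # skip the SMSC address block
    first = pdu[pos]
    pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    if first & 0x40:
        raise ValueError("user-data header present; not handled in this example")
    ndigits, toa = pdu[pos], pdu[pos + 1]
    pos += 2
    if toa & 0x70 == 0x50:
        raise ValueError("alphanumeric sender; not handled in this example")
    nbytes = (ndigits + 1) // 2
    sender = decode_semi_octets(pdu[pos:pos + nbytes], ndigits)
    pos += nbytes
    if toa & 0x70 == 0x10:                      # type-of-number: international
        sender = "+" + sender
    pid, dcs = pdu[pos], pdu[pos + 1]
    pos += 2
    pos += 7                                    # TP-SCTS timestamp, unused here
    udl = pdu[pos]
    pos += 1
    if dcs != 0x00:
        raise ValueError("only the 7-bit default alphabet is handled here")
    return {"sender": sender, "pid": pid, "text": unpack_7bit(pdu[pos:], udl)}


def is_curse_of_silence(msg: dict) -> bool:
    """True when the PID says e-mail and the leading address exceeds 32 chars."""
    if msg["pid"] != PID_INTERNET_EMAIL:
        return False
    address = msg["text"].split(" ", 1)[0]      # "<from-address> <body>"
    return len(address) > MAX_ADDRESS_LEN


def build_sample_pdu(sender: str, pid: int, text: str) -> str:
    """Constructed SMS-DELIVER: no SMSC, international sender, 7-bit, zero timestamp."""
    body = bytes([0x00, 0x04, len(sender), 0x91]) + encode_semi_octets(sender)
    body += bytes([pid, 0x00]) + bytes(7) + bytes([len(text)]) + pack_7bit(text)
    return body.hex().upper()


if __name__ == "__main__":
    # Sender number is a constructed placeholder, not a real subscriber.
    bad = build_sample_pdu("447700900123", PID_INTERNET_EMAIL,
                           "averylongemailaddressname@example.com hello")
    print(parse_sms_deliver(bad), is_curse_of_silence(parse_sms_deliver(bad)))
```

The filter has to run somewhere other than the affected handset, for example on a gateway that speaks PDU mode, which is also why the post's third-party patch is the only on-device option. Note that a long address is legitimate under the spec; the 32-character limit is the phone's problem, not the sender's.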

]]>
http://gizmodo.com/index.php?op=postcommentfeed&postId=5122082&view=rss&microfeed=true
<![CDATA[Windows Vista Pwned By Web Exploit That Can't Be Stopped]]> Presenters at Black Hat revealed that most, if not all, of Windows Vista's memory-protection features can be sidestepped from inside a browser, using Java and .NET components to load attacker-controlled code into memory at predictable, executable addresses. What really makes this a killer is that it relies on how Vista and the browser's plugins load code (the protections are opt-in, module by module), not on a specific security flaw, so it can be combined with any memory-corruption vulnerability in the browser. As researcher Dino Dai Zovi told SearchSecurity, "that's completely game over."

Microsoft's engineers are apparently aware of the Black Hat presentation and are waiting to see the findings for themselves. Presented by Mark Dowd and Alexander Sotirov, of IBM and VMware respectively, the techniques neutralize key protections such as Address Space Layout Randomization (ASLR), which keeps an attacker from knowing where code and data sit in memory, and Data Execution Prevention (DEP), which stops injected data from being run as code. And because the approach hinges on the browser rather than on Windows internals, it could reportedly be applied to other platforms. OS X, beware? [SearchSecurity via Electronista]
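Because ASLR and DEP on Vista are opt-in flags in each module's PE header, the first thing a defender checks is which modules a browser loads without them, since any such module hands an attacker a fixed, executable place to land. The block below is an added example, not code from the Gizmodo post, the SearchSecurity article or the Dowd/Sotirov paper: it reads the DllCharacteristics field of a PE image (offset 70 of the optional header in both PE32 and PE32+, flags 0x0040 DYNAMIC_BASE and 0x0100 NX_COMPAT, all per the PE/COFF spec) and lists modules that lack either opt-in. The module names and the minimal headers it inspects are constructed for the demo; on a real system you would feed it the bytes of each DLL the browser has mapped.

```python
# Added example: report ASLR/DEP opt-in from PE headers. Flag values are from
# the PE/COFF specification; the sample headers and module names are constructed.
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # module may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # module is DEP-compatible
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(image: bytes) -> dict:
    """Parse just enough of a PE image to read its DllCharacteristics."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at the same offset in PE32 and PE32+ headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def exempt_modules(modules: dict) -> list:
    """Names of modules that opted out of ASLR or DEP (sorted for stable output)."""
    return sorted(name for name, image in modules.items()
                  if not all((pe_mitigations(image)["aslr"], pe_mitigations(image)["dep"])))


def make_header(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) carrying the given flags."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    opt = bytearray(112 if pe32plus else 96)                 # header sizes without data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       len(opt), IMAGE_FILE_DLL | IMAGE_FILE_EXECUTABLE_IMAGE)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Hypothetical module names; the headers are constructed above.
    loaded = {
        "legacy_plugin.dll": make_header(0x0000),
        "dep_only.dll": make_header(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "hardened.dll": make_header(0x0140),
    }
    print(exempt_modules(loaded))
```

The flags answer "could this module be loaded at a predictable address or with executable data", which is exactly the property the Black Hat technique needs; it does not tell you whether the process as a whole has DEP enforced, which on Vista is a separate per-process policy.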

]]>
http://gizmodo.com/index.php?op=postcommentfeed&postId=5034839&view=rss&microfeed=true
<![CDATA[Simple Image-Based PSP Exploit For 2.0-2.8 Firmware Released]]> The previously unhackable Sony PSP (firmware versions above 2.71, that is) has been cracked, this time with the aid of a buffer overflow in the PSP's libTIFF image library. Technical mumbo jumbo aside, this exploit lets users of the Sony handheld run unsigned, homebrew software, which certainly can't be a code word for anything else.

The first homebrew application to take advantage of the libTIFF buffer overflow is a simple "Hello World" application: just load up the affected image file, attempt to view it and voilà—Hello World fun and fancy free.

Right now, only this "Hello World" application takes advantage of the libTIFF exploit, but it's probably only a matter of time until more, let's say practical uses are discovered.

2.0-2.80 Firmware PSPs Say Hello World as New Exploit is Found [QJ.NET - PSP Updates]

]]>
http://gizmodo.com/index.php?op=postcommentfeed&postId=196986&view=rss&microfeed=true