Posts Tagged ‘AppStore’


The latest update to OS X Mountain Lion Developer Preview 3 seems to have partially enabled iOS-style automatic app downloads in the App Store. Like on the iPhone and iPad, when you buy and install an app on one of your Macs, all of your other Macs logged into the same App Store account will automatically install the app too.

Unfortunately, the feature does not seem to be working completely. While the App Store will still offer to enable automatic downloads (as seen above), it does not actually install anything when you purchase apps from another computer. However, it does apparently show the app as being installed when you view it in the App Store. There is a good chance we will see at least one more developer preview, or at least a GM, in the coming weeks that should fully enable the feature.


Security researcher Phil discovered that a Cross-Site Scripting vulnerability exists in the “Chat Message” window in Skype 3.0.1 and earlier versions for iPhone and iPod Touch devices.

Skype uses a locally stored HTML file to display chat messages from other Skype users, but it fails to properly encode the incoming user’s “Full Name”, allowing an attacker to craft malicious JavaScript code that runs when the victim views the message.

XSS in Skype

To demonstrate the vulnerability, he captured a photo of a simple JavaScript alert() running within Skype.

Executing arbitrary JavaScript code is one thing, but he found that Skype also improperly defines the URI scheme used by the built-in WebKit browser for Skype. Usually you will see the scheme set to something like “about:blank” or “skype-randomtoken”, but in this case it is actually set to “file://”. This gives an attacker access to the user’s file system, and an attacker can access any file that the application itself would be able to access.

File system access is partially mitigated by the iOS application sandbox that Apple has implemented, preventing an attacker from accessing certain sensitive files. However, every iOS application has access to the user’s AddressBook, and Skype is no exception.

He also created a proof of concept injection and attack that shows that a user’s AddressBook can indeed be stolen from an iPhone or iPod touch with this vulnerability.

To further demonstrate the issue, he recorded a video of this scenario.

Please see the video & use the comments section on his blog for your questions.
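The encoding failure described above, shown as an added example (not Skype's code and not from the researcher's post): a constructed chat template that inserts the sender's Full Name into markup unencoded, next to a version that HTML-encodes it first. The template, function names and sample names are all hypothetical.

```javascript
// Added example: constructed chat template, not Skype's actual code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML structure in text or
// quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern the post describes: the remote user's Full Name goes into the
// locally stored HTML as-is, so markup in the name becomes markup in the page.
function renderMessageUnsafe(fullName, body) {
  return `<div class="msg"><span class="sender" title="${fullName}">${fullName}</span>` +
         `<p>${escapeHtml(body)}</p></div>`;
}

// Hardened form: every remote-controlled field is encoded before insertion.
function renderMessageSafe(fullName, body) {
  const name = escapeHtml(fullName);
  return `<div class="msg"><span class="sender" title="${name}">${name}</span>` +
         `<p>${escapeHtml(body)}</p></div>`;
}

// Regression check: list the element names that appear in the rendered markup.
// A correct renderer always yields the template's own tags, whatever the input.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Constructed sample names: one benign, one with a tag, one that tries to
// close the title attribute.
const SAMPLE_NAMES = ["Alice O'Neil", "<script>alert(1)</script>", 'Eve" data-x="1'];

function auditRenderer(render) {
  return SAMPLE_NAMES.map((name) => ({
    name,
    tags: tagNames(render(name, "hello")).join(","),
    attributeIntact: !render(name, "hello").includes('data-x="1"'),
  }));
}

console.log("unsafe:", auditRenderer(renderMessageUnsafe));
console.log("safe:  ", auditRenderer(renderMessageSafe));
```

Encoding closes the injection itself; loading the chat view under a scheme other than “file://”, as the post notes is usual, limits what a script could read if one did run.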

Skype Attack Message

Skype Attack Loading

Update
In case anyone is wondering, Phill disclosed the vulnerability to Skype on 8/24 and was told an update would be released early this August, but there is no update yet.


Consider this a general tip: The Mac App Store won’t update third-party applications that you’ve bought elsewhere, despite recognizing that they are installed.

It will tell you if software you acquire through the store is updated, but existing installs from outside the store won’t be noted in this way.

“The Mac App Store may show software bought from us previously as ‘Installed’ even though they’re two different licenses,” said Pixelmator developer Cable Sasser as reported by Mac User. “You will not get Mac App Store auto-updates unless you purchase from the Mac App Store.”

The solution? Pixelmator will give the next version of its software out for free, in order to bring all customers in line with the Mac App Store system and future easy upgrades, as there isn’t a way to transition Mac Apps to the App Store for free yet.

BareBones Software had to remove features from BBEdit and TextWrangler in order to comply with App Store rules — meaning apps sold via the store are different builds than those sold externally — this likely explains the update problem.

For the present, the answer to the question “If I bought your app already, can I update it through the Mac App Store?” is encapsulated in the graphic above and also on this website.