The flaw was first demonstrated Thursday. “This is serious. The only thing you can do to prevent it is turn off your phone,” security researcher Charlie Miller said of it earlier this week. “Someone could pretty quickly take over every iPhone in the world with this.”

Well, not anymore, as Apple (AAPL) was quick to note. “This morning, less than 24 hours after a demonstration of this exploit, we’ve issued a free software update that eliminates the vulnerability from the iPhone,” said an Apple spokesperson. “Contrary to what’s been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.”

Well, there’s a shocker. IE’s catalog of vulnerabilities and the security bulletins announcing them are so voluminous and overlarge at this point, it takes Security Focus 18 pages to list them all. So reports today that IE suffers from a vulnerability that affords attackers access to any sensitive data on your PC isn’t unusual. What is unusual is that the flaw–found in all Windows versions of the browser–has gone unpatched for so long that it’s being widely exploited. “Based on our stats, since the vulnerability has gone public, roughly 0.2 percent of users worldwide may have been exposed to Web sites containing exploits of this latest vulnerability,” the Microsoft Malware Protection Center said Saturday. “That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50 percent in the number of reports today compared to yesterday.”

And that was three days ago (the Microsoft Malware Protection Center has been oddly silent the past few days).

What’s an IE user to do? Microsoft has a few suggestions–“follow our Protect Your PC guidance” (… BAHAHAHAHA)–but really, at this point it’s obvious what needs to be done. Find. Yourself. Another. Browser.

Here’s looking forward to the next browser market share report….

[Image credit: Bill Navarro]

The California Secretary of State has finally released the source-code review portion of its two-month “top-to-bottom” examination of electronic voting systems certified for use in California, and it’s not pretty. “The software contains serious design flaws that have led directly to specific vulnerabilities that attackers could exploit to affect election outcomes,” the report concludes. “An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine. The damage could be extensive–malicious code could spread to every voting machine in polling places and to county election servers.”

And it gets worse. Princeton professor Ed Felten read through the Diebold report, as well as those of Hart InterCivic and Sequoia Voting Systems, and found that some of the problems it identifies are the same ones Diebold claimed to have fixed years ago. “Diebold claimed (p. 11) in 2003 that its use of hard-coded passwords was ‘resolved in subsequent versions of the software,’ ” Felten notes. “Yet the current version still uses at least two hard-coded passwords–one is “diebold” (report, p. 46) and another is the eight-byte sequence 1,2,3,4,5,6,7,8 (report, p. 45).”

Now, “1,2,3,4,5,6,7,8″ is an improvement over “11111,” Diebold’s last hard-coded security key, in that it employs eight numbers instead of just one. But surely it can’t be among those that inspired California Secretary of State Debra Bowen to recertify Diebold’s machines for use in the 2008 elections. Presumably, “come up with a less laughable password” was a condition of recertification.

The access panel door on a Diebold AccuVote-TS voting machine–the door that protects the memory card that stores the votes and is the main barrier to the injection of a virus–can be opened with a standard key that is widely available on the Internet. The exact same key is used widely in office furniture, electronic equipment, jukeboxes and hotel minibars.”

–Princeton professor Ed Felten

With the presidential primary approaching, Diebold Election Systems is finally developing a voter-verified paper trail–of bad press. Earlier this week, the company made headlines when a team of investigators found fundamental security vulnerabilities in its touchscreen voting machines (as well as those of rivals Sequoia Voting Systems and Hart InterCivic).

Now it’s back in the news again, thanks to another government-ordered study that found its optical-scanning machines to be flawed as well. According to a report released by Florida Secretary of State Kurt Browning, Diebold’s AccuVote OS optical-scan voting devices could compromise the upcoming presidential primary elections in which they’re to be used. The machine’s “memory card can be preprogrammed to redistribute votes cast for selected candidates on that terminal, including swapping the votes for two candidates,” the report explains. “The attack can be carried out with low probability of detection, assuming that audit with paper ballots are infrequent and that programmed cards are not detected before use.”

An unsettling revelation for anyone concerned about this whole idea of “election integrity.” But never fear, Diebold has vowed to patch the vulnerabilities identified in the report by the Aug. 17 deadline given it by the state. If it doesn’t, it risks decertification, which some would argue might not be a bad idea at this point. Remember, Diebold is the company that designed its widely criticized electronic-voting systems, to be opened with a hotel minibar key and then posted a detailed photograph of that key to its online store.

It’s the company that can’t seem to safeguard its source code. It’s the company that evaded election transparency laws in North Carolina. And it’s the company that modified its machines without notifying election officials. Twice.

The vulnerability, which can be exploited by an attacker-controlled WiFi point or Web page, hasn’t yet been reported in the wild. And Apple’s working on a fix for it. That said, we’re certain to see others in the months ahead now that the iPhone has been proved vulnerable.

“Anything as complex as a computer–which is what this phone is–is going to have vulnerabilities,” Johns Hopkins professor Avi Rubin told the New York Times. “The irony is that the more popular something is, the more insecure it becomes, because popularity paints a large target on its back.”

Added Steven M. Bellovin, a professor of computer science at Columbia University, “It’s not the end of the world; it’s not the end of the iPhone. It is a sign that you cannot let down your guard. It is a sign that we need to build software and systems better.”