Another Android Flaw Gives Apps Elevated Privileges

Close on the heels of Stagefright, another vulnerability has been found to affect Android devices. A flaw in the OpenSSL X509Certificate class allows apps to elevate privileges, allowing them to snoop on vulnerable devices, install malware, and cause other problems. More than half of Android handsets are believed to be vulnerable.

Google has provided a patch, but as with the patch for Stagefright, most people won’t receive it automatically. Ask your mobile carrier if a patch is available and if not, when you can expect it.

Read the story in the news.

“Stagefright” Security Hole in Android

The security bug Stagefright is in the MMS system on Android phones. MMS is similar to SMS (Short Message Service) but for multi-media such as videos, sounds, and pictures. While it is an aging system, most Android devices are still set up to receive MMS messages and will process them automatically by default.

On newer Android devices (4.4, aka KitKat and 5.x, aka Lollipop), the default SMS/MMS apps are “Messaging” and “Hangouts” and the default configuration for these apps is to download MMS content in the background as soon as the messages arrive.

The bug allows shell code to take control of your device when an infected MMS message arrives. This type of attack is known as a Remote Code Execution. Zimperium, the security company that found the bug, claims that 950 million devices may be at risk.

Google has responded to the bug and has prepared patches, but it’s possible that not all carriers will immediately patch or announce the patch to their customers. In the meantime:

  • Ask your mobile carrier whether a patch is available.
  • If not, find out when you can expect it.
  • If your messaging app supports it, turn off “Automatically retrieve MMS messages.” (Messaging and Hangouts allows this.)
  • Consider blocking messages from unknown senders.

We will send further information as more is released.

Read the story in the news here.

MIT Technology Review: Cyber Espionage Nightmare

An article featured on MIT Technology Review covers the disturbing state of corporate cyber espionage. According to the article, agents from China are wanted for allegedly hacking into networks at American companies, stealing emails about business strategy, documents and other information, all to benefit Chinese companies.

Although it seems unlikely that any arrests will be made in the case the US has made against these perpetrators, it does provide American companies with some valuable lessons. They are less likely to keep valuable information online, even if that information is “secured.” The most clear response is also the most drastic: unplug.

Read the full story at MIT Technology Review.

Phishing Attack List: Windows Live ID Scam

Kaspersky Lab experts are warning of a new scam that uses Windows Live ID as bait to catch personal information stored in user profiles on services like Xbox LIVE, Zune, Hotmail, Outlook, MSN, Messenger and OneDrive.

What appears to be a typical phishing email contains a link that goes to the actual Windows Live website, with no apparent attempt to get the victims’ logins and passwords. So what’s the trick?

  • After following the link and authorizing the account, users receive a prompt: an application requests permission to automatically log into the account, view the profile information and contact list, and access a list of the users’ email addresses.
  • Users who click “Yes” don’t give away their login and password credentials, but they do provide their personal information, the email addresses of their contacts and the nicknames and real names of their friends.

Scammers gained access to this technique through security flaws in the open protocol for authorization, OAuth. The collected information can be used for fraudulent purposes, such as sending spam to the contacts in the victim’s address book or launching spear phishing attacks.

Read the full story.

Oracle Releases Patch for VENOM Vulnerability

Oracle has released a fix for a critical overflow vulnerability known as VENOM. The problem lies in QEMU’s virtual Floppy Disk Controller, which is part of some virtualization platforms and is used in certain Oracle products. Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by the Security Alert as soon as possible.

Read the Oracle Security Alert

The Simda Botnet

The Simda botnet (a botnet is a network of computers infected with self-propagating malware) has compromised more than 770,000 computers worldwide in the past six months. The botnet has recently been taken down by law enforcement groups and private security companies by seizing 14 command-and-control servers located in various countries, including the US.

Simda malware takes advantage of Windows computers with unpatched software to re-route a user’s Internet traffic to websites under control by the criminals. The infected computers can also be used to install additional malware, give criminals access to harvest user credentials, or cause other malware attacks.

Read a full report on this threat in the alert released by the DHS and FBI: TA15-105A, which includes the recommended actions users can take:

  • Use and maintaining anti-virus software
  • Change your passwords
  • Keep your operating system and software up to date
  • Do a manual check of your system (or ask for assistance to do so) to see if it is infected. Microsoft has developed a free cleaning agent for Simda. If you have been infected by Simda.AT, run a comprehensive scan of your environment using Microsoft Safety Scanner, Microsoft Security Essentials or Windows Defender.

Read the story in the news here and here.

Superfish Removed from 250,000 Windows Machines

Microsoft, along with Lenovo and other software manufacturers, has managed to scrub Superfish adware from 250,000 Windows-based PCs. According to Microsoft’s security team, the daily number of Lenovo machines infected has dropped below 1,000; at its peak, Superfish had been found daily on 60,000 PCs.

Read the full story in the news.