“Stagefright” Security Hole in Android

The security bug Stagefright is in the MMS system on Android phones. MMS is similar to SMS (Short Message Service) but for multi-media such as videos, sounds, and pictures. While it is an aging system, most Android devices are still set up to receive MMS messages and will process them automatically by default.

On newer Android devices (4.4, aka KitKat and 5.x, aka Lollipop), the default SMS/MMS apps are “Messaging” and “Hangouts” and the default configuration for these apps is to download MMS content in the background as soon as the messages arrive.

The bug allows attacker-supplied code to run and take control of your device when a malicious MMS message arrives. This type of attack is known as Remote Code Execution. Zimperium, the security company that found the bug, claims that 950 million devices may be at risk.

Google has responded to the bug and has prepared patches, but it’s possible that not all carriers will immediately patch or announce the patch to their customers. In the meantime:

  • Ask your mobile carrier whether a patch is available.
  • If not, find out when you can expect it.
  • If your messaging app supports it, turn off “Automatically retrieve MMS messages.” (Messaging and Hangouts allow this.)
  • Consider blocking messages from unknown senders.

We will send further information as more is released.

Read the story in the news here.

Recent Security Flaws and Updates

Drupal

Updates for the Drupal content management system are available. The Drupal security team’s advisory describes one critical and three “less critical” vulnerabilities that the updates address. The critical flaw lies in Drupal’s implementation of OpenID; it allows attackers to log in to websites as administrators. The issues affect Drupal versions 6 and 7.

Samsung Galaxy Smartphones

Samsung plans to release a fix for a critical security flaw that affects more than 600 million of its mobile phones. The issue affects Galaxy smartphones that come with the SwiftKey keyboard preinstalled. The flaw could be exploited to access data on the devices. Galaxy devices running Knox security software will receive a new security policy that neutralizes the vulnerability. Phones that are not running Knox will have to wait until a firmware update is ready. See Krebs on Security for this story and the Apple KeyChain story below.

Apple KeyChain

A security flaw (a zero-day bug) in Apple’s OS X and iOS could be exploited to steal information from the Apple keychain and from applications. The problem lies in the operating systems’ application sandboxes and can be exploited by specially created apps. Read the full story in the news.

Android Phone Factory Reset Feature is Flawed

An estimated 500 million Android phones don’t completely wipe data when their factory reset option is run, a weakness that may allow the recovery of login credentials, text messages, e-mails, and contacts.

In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had run factory reset. The function, which is built into Google’s Android mobile operating system, is considered a crucial means for wiping confidential data off of devices before they’re sold, recycled, or otherwise retired. The study found that data could be recovered even when users turned on full-disk encryption.

The findings, published in a research paper titled Security Analysis of Android Factory Resets (.pdf), are sure to be a wake-up call for individual users and large enterprises alike. Based on the devices studied, the researchers estimated that 500 million devices may not fully wipe disk partitions where sensitive data is stored and 630 million phones may not wipe internal SD cards where pictures and video are often kept.

Read the story in the news.

Vulnerabilities in Lenovo System Update

(Thanks to Rich Pieri for sharing this news.)

Months after Lenovo was found to have installed dangerous software onto its computers, major vulnerabilities were found in Lenovo’s update system that could allow hackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands remotely.

What are the vulnerabilities?

1. Lenovo’s System Update software runs a service as SYSTEM and allows unprivileged processes to send it arbitrary commands to execute.

2. Lenovo’s System Update software does not correctly validate the CAs of signed updates, allowing the installation of “updates” signed with fake certificates.

3. Lenovo’s System Update software downloads updates to a world-writable directory, creating a race condition between signature verification and running the saved executable.
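The third item, as an added example (not Lenovo’s code): a Python sketch of the verify-then-reopen pattern beside a hardened installer that refuses a world-writable staging directory and runs only the bytes it actually verified. The HMAC “signature”, its key, and the update contents are constructed stand-ins for real code signing, and the permission check uses POSIX mode bits rather than Windows ACLs.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Constructed stand-in for the vendor's signing key (real updaters check a certificate chain).
TRUSTED_KEY = b"constructed-demo-key"

def sign(payload: bytes) -> str:
    """Publisher-side 'signature' (hypothetical HMAC) over the update bytes."""
    return hmac.new(TRUSTED_KEY, payload, hashlib.sha256).hexdigest()

def directory_is_world_writable(path: str) -> bool:
    """POSIX check: can any local user drop or replace files in this directory?"""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def install_insecure(path: str, signature: str):
    """Verify the file, then open it again to run it: whatever `path` holds at the second open runs."""
    with open(path, "rb") as f:
        if sign(f.read()) != signature:
            return None
    with open(path, "rb") as f:      # race window: a second open, separate bytes
        return f.read()              # stands in for launching the saved executable

def install_hardened(path: str, signature: str):
    """Refuse world-writable staging, read once, run exactly the verified bytes."""
    if directory_is_world_writable(os.path.dirname(os.path.abspath(path))):
        return None
    with open(path, "rb") as f:
        payload = f.read()
    if not hmac.compare_digest(sign(payload), signature):
        return None
    return payload                   # the bytes that passed the check are what runs

def demo() -> dict:
    """Constructed scenario: one signed update staged in a private and in a public dir."""
    update, sig = b"MZ-demo-update", sign(b"MZ-demo-update")
    results = {}
    for label, mode in (("private", 0o700), ("public", 0o777)):
        with tempfile.TemporaryDirectory() as staging:
            os.chmod(staging, mode)
            path = os.path.join(staging, "update.exe")
            with open(path, "wb") as f:
                f.write(update)
            results[label] = install_hardened(path, sig)
            results[label + "_badsig"] = install_hardened(path, sign(b"other"))
            results[label + "_insecure"] = install_insecure(path, sig)
    return results
```

The insecure variant accepts the public directory; the hardened one refuses it outright, so a swap between check and launch has nothing to target.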

The company issued a patch last month that fixes the bugs, but owners will need to download the update themselves.

Learn more in the news.

Android Flaw Allows Attackers to Modify or Replace Apps

A security flaw in the Android operating system could be exploited to remotely take over vulnerable devices.

According to researchers from Palo Alto Networks, roughly half of all Android phones are vulnerable to a newly discovered hack that in some cases allows attackers to surreptitiously modify or replace seemingly benign apps with malicious ones that steal passwords and other sensitive data.

The vulnerability has been patched in Android 4.3_r0.9 and later but some Android 4.3 devices remain vulnerable.

The attack works only at third-party app stores, not the Google Play store.

Read the story in the news.

Superfish Adware Put Lenovo Users at Risk

Per an article by ArsTechnica last week, Lenovo is selling computers with adware preinstalled that hijacks encrypted web sessions, making users vulnerable to HTTPS man-in-the-middle attacks.

The adware, made by a company called Superfish, is designed to inject ads into web pages. But it is more nefarious than that. The software literally acts as a middle man, standing between you and the sites you visit. It does this by installing a self-signed root certificate authority (CA) into your browser that can intercept traffic for every HTTPS website you visit, allowing an attacker to spoof websites you log into.

According to a statement by Lenovo, the software was only installed on machines that shipped between September and December of last year and was removed in January. The statement also mentions that Superfish has disabled server-side interaction since January, so the product is no longer active.

This issue with Superfish was overlooked until last week. This week, Microsoft updated Windows to remove the Superfish software (learn more in the article below: “Microsoft Security Updates for February”). Lenovo has also issued a tool that removes the software.

This test will tell you if you have a problem with Superfish.

Read the Superfish story in the news.

Read the US-CERT alert.

Updates on Disabling SSL 3.0

Due to the recent POODLE flaw, Apple will stop supporting SSL 3.0 for push notifications and switch to the TLS encryption standard. Apple announced on its developer site that it will make the switch on October 29.

The push notification service from Apple forwards notifications of third-party applications to iOS devices; it may include badges, sounds or custom text alerts. Apple notes that providers that only support SSL 3.0 will need to transfer to TLS as soon as possible to ensure the service continues to perform as expected.

Other vendors are also updating their services. Twitter has already notified users that it has disabled SSL 3.0 support.

Mozilla advised Firefox users to install a Mozilla security add-on that disables SSL 3.0. It will be disabling the old protocol in Firefox 34, the next version of its browser, by the end of November.

University of Michigan researchers have detailed how to disable SSL 3.0 in Internet Explorer and other browsers.

Read the story online.