Another Android Flaw Gives Apps Elevated Privileges

Close on the heels of Stagefright, another vulnerability has been found to affect Android devices. A flaw in the OpenSSL X509Certificate class allows apps to elevate privileges, allowing them to snoop on vulnerable devices, install malware, and cause other problems. More than half of Android handsets are believed to be vulnerable.

Google has provided a patch, but as with the patch for Stagefright, most people won’t receive it automatically. Ask your mobile carrier if a patch is available and if not, when you can expect it.

Read the story in the news.

“Stagefright” Security Hole in Android

The security bug Stagefright is in the MMS system on Android phones. MMS is similar to SMS (Short Message Service) but for multi-media such as videos, sounds, and pictures. While it is an aging system, most Android devices are still set up to receive MMS messages and will process them automatically by default.

On newer Android devices (4.4, aka KitKat and 5.x, aka Lollipop), the default SMS/MMS apps are “Messaging” and “Hangouts” and the default configuration for these apps is to download MMS content in the background as soon as the messages arrive.

The bug allows shell code to take control of your device when an infected MMS message arrives. This type of attack is known as a Remote Code Execution. Zimperium, the security company that found the bug, claims that 950 million devices may be at risk.

Google has responded to the bug and has prepared patches, but it’s possible that not all carriers will immediately patch or announce the patch to their customers. In the meantime:

  • Ask your mobile carrier whether a patch is available.
  • If not, find out when you can expect it.
  • If your messaging app supports it, turn off “Automatically retrieve MMS messages.” (Messaging and Hangouts allows this.)
  • Consider blocking messages from unknown senders.

We will send further information as more is released.

Read the story in the news here.

Microsoft Security Updates for July 2015

On Patch Tuesday last week, Microsoft released 14 security bulletins (MS15-058, and MS15-065 through MS15-077) to address vulnerabilities in Microsoft products. Four of these are rated critical.

Systems affected include Microsoft Windows, Office, Internet Explorer and SQL Server. Read the story in the news (This article also includes more on the Adobe Flash issues mentioned above).

One of the critical bulletins, MS15-067 included a patch to address a remote code execution vulnerability in Remote Desktop (RDP).

To exploit the vulnerability, an attacker could send a specially crafted sequence of packets to a system running the RDP server service. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RDP is heavily used throughout MIT and therefore IS&T recommends that patches are applied as soon as possible. If you have questions or need assistance, send email to the IS&T Help Desk or call 617.253.1101. You can also submit a request online.

Microsoft also released an out-of-band patch (MS15-078) this past Monday for all supported versions of Windows. It fixes a security bug in the way Windows handles custom fonts. The updates is rated as critical.

Be sure to accept the updates as they occur, or go to the Windows Update site. You may need to restart your machine after installing patches.

Recent Security Flaws and Updates

Drupal

Updates for the Drupal content management system are available. The Drupal security team’s advisory describes one critical and three “less critical” vulnerabilities that the updates address. The critical flaw lies in Drupal’s implementation of OpenID; it allows attackers to log in to websites as administrators. The issues affect Drupal versions 6 and 7.

Samsung Galaxy Smartphones

Samsung plans to release a fix for a critical security flaw that affects more than 600 million of its mobile phones. The issue affects Galaxy smartphones that come with the SwiftKey keyboard preinstalled. The flaw could be exploited to access data on the devices. Galaxy devices running Knox security software will receive a new security policy that makes the vulnerability invalid. Phones that are not running Knox will have to wait until a firmware update is ready. See Krebs on Security for this story and the Apple KeyChain story below.

Apple KeyChain

A security flaw (a zero-day bug) in Apple’s OS X and iOS could be exploited to steal information from the Apple keychain and from applications. The problem lies in the operating systems’ application sandboxes and can be exploited by specially created apps. Read the full story in the news.

Oracle Releases Patch for VENOM Vulnerability

Oracle has released a fix for a critical overflow vulnerability known as VENOM. The problem lies in QEMU’s virtual Floppy Disk Controller, which is part of some virtualization platforms and is used in certain Oracle products. Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by the Security Alert as soon as possible.

Read the Oracle Security Alert

WordPress Releases Update to Address Zero Day Flaw

This week WordPress released a critical update to fix a vulnerability in its content management system that could be exploited to hijack web admin accounts. An exploit for the vulnerability was released over the weekend.

Attackers could exploit the flaw by embedding malicious code in a comment. If the attacker has previously made an innocuous post that gets approved by a site administrator, the new comment containing the code would post automatically and the code would execute. The WordPress update brings the most current version to 4.2.1.

Read the story in the news.

Android Flaw Allows Attackers to Modify or Replace Apps

A security flaw in the Android operating system could be exploited to remotely take over vulnerable devices.

According to researchers from Palo Alto Networks, roughly half of all Android phones are vulnerable to a newly discovered hack that in some cases allows attackers to surreptitiously modify or replace seemingly benign apps with malicious ones that steal passwords and other sensitive data.

The vulnerability has been patched in Android 4.3_r0.9 and later but some Android 4.3 devices remain vulnerable.

The attack works only at third-party app stores, not the Google Play store.

Read the story in the news.