SecurityFlaw
Latest
Sprint issues OTA fix for HTC Android handset vulnerability
Earlier this month, we found out that after a software update HTC's Android handsets had a serious security flaw -- any app could gain access to user data, including recent GPS locations, SMS data, phone numbers, and system logs. To its credit, HTC responded quickly to the security issue, and now an OTA update with the fix is going out to those on the Now Network. Sprint users with an EVO 4G, 3D, Shift 4G, Design 4G or View 4G can get the download, as can Wildfire S owners. The patch available now for a manual download, and more info on the fix can be found at the source below. [Thanks, Korey]
HTC confirms security hole, says patch is incoming
HTC held true to its promise to look into the security vulnerability that surfaced over the weekend, an apparent glitch that allows any app requesting internet access to take a peek at a user account information, GPS location, system logs, and other potentially private data. While HTC assured us that user data isn't at risk of being harmed by its own software, a third party malware app could exploit the security flaw and cause some trouble. The outfit is already building a patch, and will ship it out in an over the air update after a short testing period with its carrier partners. Until then? HTC recommends steering clear of apps from publishers you don't trust. Hit the break to see the official statement.
HTC security vulnerability said to leak phone numbers, GPS data, and more, HTC responds (video)
The folks at Android Police seem to have stumbled across a rather jarring security vulnerability in HTC handsets running Android, giving common apps with internet access a peek at the device's vital statistics, user information and more. Demonstrated in the above video, developer Trevor Eckheart found that a recent HTC update packed in a suite of logging tools that collects data on user accounts (including email addresses), recent GPS locations, SMS data and encoded text, phone numbers, system logs, running processes and more -- all of which can be accessed by common apps requesting access to android.permission.INTERNET. HTC is already looking into the issue, stating, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken." If you're too antsy to wait for HTC's update, head on over to the source link below -- Eckheart says the issue can be resolved by removing HTCloggers from a rooted device.
Researchers use children's toy to exploit security hole in feds' radios, eavesdrop on conversations
Researchers from the University of Pennsylvania have discovered a potentially major security flaw in the radios used by federal agents, as part of a new study that's sure to raise some eyebrows within the intelligence community. Computer science professor Matt Blaze and his team uncovered the vulnerability after examining a set of handheld and in-car radios used by law enforcement officials in two, undisclosed metropolitan areas. The devices, which operate on a wireless standard known as Project 25 (P25), suffer from a relatively simple design flaw, with indicators and switches that don't always make it clear whether transmissions are encrypted. And, because these missives are sent in segments, a hacker could jam an entire message by blocking just one of its pieces, without expending too much power. What's really shocking, however, is that the researchers were able to jam messages and track the location of agents using only a $30 IM Me texting device, designed for kids (pictured above). After listening in on sensitive conversations from officials at the Department of Justice and the Department of Homeland Security, Barnes and his team have called for a "substantial top-to-bottom redesign" of the P25 system and have notified the agencies in question. The FBI has yet to comment on the study, but you can read the whole thing for yourself, at the link below.
Apple to patch PDF vulnerability in iOS
Apple said it will issue a patch that will close a PDF hole in iOS. Though this security hole is well known by iOS owners, it made headlines recently when the German government issued a malware warning about this "critical weakness" in Apple's iOS operating system. As it has done in the past with other security issues, Apple will release an update in the coming weeks to close this hole. Those that jailbreak their iOS devices will want to avoid this update. The exploit that Apple will patch is the same one used by Comex in jailbreakme, an online jailbreak tool. Ironically, those that want to close this exploit now can do so using this jailbreak tool. Just jailbreak your iOS device and install a security patch from Cydia.
Square's Jack Dorsey calls VeriFone's vulnerability claims 'not fair or accurate'
We had a feeling that Square wouldn't let VeriFone call it out without issuing some sort of statement, and CEO Jack Dorsey has responded to the claims of a gaping security hole in the form of an open letter on the company's website. Dorsey calls its competitor's accusations "not fair or accurate" and says that many of the necessary security measures are already built-in to your credit card itself. He also points out that this sort of credit card number thievery is possible every time you hand your plastic over to a waiter or salesperson, and that its partner bank, JPMorgan Chase, stands behinds all aspects of the service. To us, it seems like Verifone is more than a little scared at the prospect of Square undercutting its fees and potentially upending the POS business -- but we're just theorizing. One thing is for sure though, we'll be hearing a lot more about this as the mobile payment war heats up in the future.
Security experts unearth unpleasant flaws in webOS
Researchers from security firm SecTheory have described a handful of flaws in webOS, saying that the platform -- by its very nature -- is more prone to these sorts of things than its major competitors because Palm puts web technologies like JavaScript closer to webOS' core where system functions are readily accessible. At least one of the flaws, involving a data field in the Contacts app that can be exploited to run arbitrary code, has already been fixed in webOS 2.0 -- but the others are apparently still open, including a cross-site scripting problem, some sort of floating-point overflow issue, and a denial-of-service vector. We imagine Palm will get these all patched up sooner or later, but as SecTheory's guys point out, how long is it until mobile malware becomes a PC-sized problem?
IE security flaw exploited in recent Google attacks
This next item's for any rogue states out there that might be planning a comprehensive wave of cyber-attacks: It looks like Microsoft has admitted that indeed it was a security flaw in Internet Explorer that hackers based in China exploited in the recent attacks on Google. As is often the case, the flaw is neatly summed up in the title of the advisory: "Vulnerability in Internet Explorer could allow remote code execution." According to news agency AFP, the incident (which targeted Chinese human rights activists) shows "a level of sophistication above that of typical, isolated cyber criminal efforts." (Which is, evidently, how we like to think of our own cyber criminal efforts.) Microsoft has yet to release a formal software update. In the meantime, if you think your machine could be at risk, hit the source link for all the details. Or just switch to Firefox.
Droid security flaw makes lock screen a mere inconvenience for evil-doers
You might recall Apple having a hard time keeping its lock screen locked at one point, and it looks like we've got a common theme brewing here now that Android's suffering from the same drama. Turns out that Android 2.0.1 -- the build currently deployed on the Droid -- suffers from a flaw whereby you can back out to a locked phone's home screen simply by pressing the Back button after accepting an incoming call. Of course, you'd either have to know a phone's number or wait for a call to actually take advantage of this, but we'd argue that it's a pretty low barrier of entry. The bright side of the story, we suppose, is that the phone goes back to being locked as soon as the call ends, but then again it doesn't take much time to peep your juicy emails. Google's aware of the issue, so we're thinking this'll make it into the Droid's next software update; we don't have a launch window for that just yet, so in the meantime... you know, just make sure no one ever calls you and you should be good to go.
iPhone OS 3.0.1 update released, fixes SMS vulnerability (updated with statement from Apple)
Looks like Apple pulled the trigger on patching that nasty iPhone SMS vulnerability a little earlier than we expected -- the iPhone OS 3.0.1 update just hit iTunes. It's not some lightweight, either: you're looking at 280MB of love here, so get downloading, friends. Update: Here's what Apple rep Tom Neumayr had to say about this little episode. We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit. Well... what do you know about that? [Thanks to everyone who sent this in]
iPhone OS 3.0.1 update released, fixes SMS vulnerability
Looks like Apple pulled the trigger on patching that nasty iPhone SMS vulnerability a little earlier than we expected -- the iPhone OS 3.0.1 update just hit iTunes. It's not some lightweight, either: you're looking at 280MB of love here, so get downloading, friends.[Thanks to everyone who sent this in]
O2 claims iPhone security patch will hit iTunes on Saturday, Apple stays silent
According to UK carrier O2, the SMS-based iPhone security hole that Charlie Miller unveiled on Black Hat this week should be patched by this weekend. An O2 spokesperson claimed the update would be pushed through iTunes this Saturday, says BBC. Apple hasn't made a comment yet, and it's not perfectly clear that this will be an update for iPhones worldwide, but hopefully that's the case -- the security flaw certainly isn't geographically limited. [Thanks to everyone who sent this in]
