securityhole

Latest

  • Intel fixed a business security bug after almost a decade

    by Mariella Moon
    05.02.2017

    Intel has released a firmware upgrade that can patch up a security hole that has reportedly been lurking in various enterprise PCs for almost a decade. In a note that came with the update, the chipmaker said the vulnerability can be found in Active Management Technology, Standard Manageability and Small Business Technology, all of which are parts of Intel's suite of processor features for enterprise systems. Your company's IT division uses those to manage its computer fleet, but since they have a security flaw, an unauthorized network attacker can also use them to hijack PCs in your network.

  • iOS 7 bug enables user to bypass lockscreen, send emails and status updates (update: Apple response)

    by Brad Molen
    09.19.2013

    The moment operating systems become available to the public is also the moment millions of people have the opportunity to hunt around and find bugs. And, it appears that at least one rather critical bug has already been discovered in iOS 7. A keen-eyed user found a way to bypass the passcode-protected lockscreen and gain access to the device's photos app, giving him the ability to hijack the email or social network account associated with that device. Essentially, you access the alarm clock through Control Center, make your way into the multitasking menu and head into the camera app from there. We've embedded the video evidence below, just in case you're interested in trying it out for yourself; we tested it out using an iPhone 5s running iOS 7.0.1, and were able to duplicate the user's claims. This isn't the first time we've seen an iOS bug capable of bypassing your lockscreen and compromising the security of your device, and Apple typically squashes those bugs with patches; the last one took a month, however, so we'd like to see an update to iOS 7.0.2 a bit sooner than that. While you wait, the easiest way to avoid this concern is to disable the ability to access Control Center from the lockscreen (this can be found in the settings). [Thanks, @vbarraquito!] Update: Apple tells AllThingsD that it's aware of the bug, and that it's working on a fix.

  • Google teases hackers with $2 million in prizes, announces Pwnium 2 exploit competition

    by Sean Buckley
    08.16.2012

    The folks in Mountain View are starting to make a habit of getting hacked -- intentionally, that is. Earlier this year, Google hosted an event at the CanSecWest security conference called Pwnium, a competition that challenged aspiring hackers to poke holes in its Chrome browser. El Goog apparently learned so much from the event that it's doing it again -- hosting Pwnium 2 at the Hack in the Box 10th anniversary conference in Malaysia and offering up to $2 million in rewards. Bugging out the browser by exploiting its own code wins the largest award, a cool $60,000. Enlisting the help of a WebKit or Windows kernel bug makes you eligible for a $50,000 reward, and non-Chrome exploits that rely on a bug in Flash or a driver are worth $40,000. Not confident you can break Chrome? Don't let that stop you -- Google plans to reward incomplete exploits as well, noting that it has plenty to learn from unreliable or incomplete attacks. Check out the Chromium Blog at the source link below for the full details.

  • HP issues LaserJet firmware update, hopefully ends exploding printer saga

    by Daniel Cooper
    12.23.2011

    Some of you might remember the story that HP LaserJet printers might be open to hack attacks that could result in some not-so-spontaneous combustion? Now the company has issued a statement saying that no-one reported their printer exploding, but to be on the safe side, it's produced a firmware update (available at the source link) that'll close the hole and ensure your Holiday doesn't end with a visit from the fire department.

  • Windows Phone 7.5 SMS bug breaks messaging hub, hard reset is the only remedy

    by Joshua Tucker
    12.15.2011

    An SMS message on your Windows 7.5 handset could knock messaging out cold, a one shot kill you can't prepare for. Apparently, WP devices that receive a text containing a certain string of characters will reboot and return with a non-functional messaging client which can only be restored via a hard reset. The flaw is not device-specific and has been found to affect other parts of the OS, locking up your handset if you've pinned a friend as a live tile and that buddy posts the magic bug words on Facebook or Windows Live Messenger. Fixing the problem requires quick tapping fingers, as you've got to remove the pinned tile after rebooting before it flips and freezes the phone again. Before you go abandoning WP7's ship, just know that SMS issues are a known phenomenon and have affected all the major mobile players, iOS and Android included. Until Microsoft releases a fix, cross your fingers and hang tight, but in the meantime, all you mobile masochists can see the bug in action after the break.

  • Researchers expose printer vulnerability, turn LaserJets into literal time bombs (update)

    by Terrence O'Brien
    11.29.2011

    Your precious printer might seem innocuous but, in reality, it could be a ticking time bomb just waiting for some hacker to trigger it. Oh, and we mean that not just figuratively, but literally as well -- they could actually be caused to burst into flames by some ne'er-do-well half-way around the globe. Of course, the potential doesn't end at remote arson: an attacker could easily gain access to a network or steal documents, and hijacking the lowly device would require little more than printing an infected file. So far researchers at Columbia University have only managed to exploit the hole on HP printers, but it's possible (if not likely) that others are also affected. Most printers look for a firmware update every time they receive a job but, for some reason, they rarely check the validity of an incoming file. A fake upgrade could easily be attached to a file sent over the internet, directly to a device -- no need to even trick anyone. HP says it's taking the issue very seriously and looking into the vulnerability, though it says newer devices aren't affected (a claim the researchers challenge). For a lot more detail on the what and how, check out the source link. Update: HP (unsurprisingly) issued a rebuttal. It's working up a firmware update right now for certain flaws, but it'll have you know that "no customer has reported unauthorized access."

  • Charlie Miller's latest iOS hack gets into the App Store, gets him tossed out (video)

    by Richard Lawler
    11.07.2011

    This isn't the first brush Apple's iOS platform has had with apps that exploit security holes to run unsigned code, but according to the developer of InstaStock, this may be the first to get a security researcher booted from its developer program. Charlie Miller shared his discovery with Forbes earlier today, showing off an app which successfully made it through Apple's approval process despite packing the ability to download and run unsigned code. That could allow a malicious app to access user data or activate hardware features remotely. Apple pulled the app after the findings were published, and according to Miller, revoked his developer access shortly afterward for what seems to be a clear violation of the guidelines. He told CNET that he alerted Apple to the exploit three weeks ago, however it's unknown whether or not a fix for the problem is included in the new 5.0.1 version of iOS that's currently in testing. He'll be explaining his method in more detail next week at SysCan, but until the hole is confirmed closed we'd probably keep a tight leash on our app store browsing. [Thanks to everyone who sent this in]

  • Sprint issues OTA fix for HTC Android handset vulnerability

    by Michael Gorman
    10.25.2011

    Earlier this month, we found out that after a software update HTC's Android handsets had a serious security flaw -- any app could gain access to user data, including recent GPS locations, SMS data, phone numbers, and system logs. To its credit, HTC responded quickly to the security issue, and now an OTA update with the fix is going out to those on the Now Network. Sprint users with an EVO 4G, 3D, Shift 4G, Design 4G or View 4G can get the download, as can Wildfire S owners. The patch is available now for a manual download, and more info on the fix can be found at the source below. [Thanks, Korey]

  • Smart Cover can unlock password-protected iPads running iOS 5 (video)

    by Mat Smith
    10.21.2011

    Psst. Hey, do you carry a spare Smart Cover around with you? Well, if you're an unscrupulous sort, you can actually use it to bypass the lock screen of any iPad running iOS 5. This multi-step security hole will let you browse whatever's running behind the passcode screen, whether that's email, apps or the homescreen. To take advantage of the flaw, hold down the power button on the locked device until the power off slider appears, then whip the Smart Cover on, open and tap cancel. Fortunately for iPad owners, the rest of the tablet remains locked-down, but the main problem here is any sensitive information left on-screen. If you unlock the tablet to the main screen, you won't be able to open new apps, although anyone feeling particularly nefarious can apparently delete apps from that meticulously arranged home screen. See how it's done in the video after the break. [Thanks to everyone who sent this in]

  • Several Apple notebook models susceptible to battery hack

    by Kelly Hodgkins
    07.22.2011

    Security researcher Charlie Miller discovered a potential vulnerability affecting the batteries within select MacBook, MacBook Pro and MacBook Air models. The firmware on the chipset that controls the battery is secured with a single, easy to break default password. Once a hacker has this password, he could use it to manipulate the settings of the battery and possibly install malware that infects the computer every time it boots. Miller discovered this vulnerability when Apple issued an update that included code for the battery. He figured out the two default passwords and was able to reverse engineer the firmware. He then rewrote it to do whatever he wanted. He plans to show off this hack at the upcoming Black Hat Conference in August. This is more of an informative hack and not one likely to land on your computer. Thus far, Miller is the only one to discover this vulnerability and he is not releasing any details until next month. He also contacted Texas Instruments and Apple so a patch could be issued before the details of the hack go public.

  • Adobe dominates Kaspersky Lab's top ten PC vulnerabilities list

    by Christopher Trout
    05.19.2011

    Being number one is usually an honor, but not when it comes to Kaspersky Lab's top ten PC vulnerabilities list. Unfortunately for the software giant, Adobe took top dishonors for Q1 this year, pulling in five total spots on the list, including the top three. According to the security firm, all of the vulnerabilities appearing on the list allowed cyber-criminals to control computers at the system level. The number one spot was occupied by a vulnerability in Adobe Reader that was reportedly detected on 40 percent of machines running the application, while Flash Player flaws took second and third. Other dishonorees included the Java Virtual Machine, coming in at fourth and fifth place, Apple QuickTime, Winamp, and Microsoft Office. That ain't bad, considering Microsoft ruled the vulnerabilities roost in 2010.

  • Skype for Android update adds US 3G calling, fixes personal data hole

    by Zach Honig
    04.20.2011

    Verizon Android users have had 3G Skype calling since this time last year, but the latest app release -- v1.0.0.983 for those of you keeping tabs -- brings 3G calling to the masses, without the need for a VZW-sanctioned app. The update also patches a rather significant security hole discovered last week, which could let third-party apps get hold of your personal information. We're glad to see that's no longer the case, and who's going to object to free calling as part of the deal as well? Make sure your phone's running Android 2.1 (2.2 for Galaxy S devices) and head on over to the Android Market to get updated.

  • Skype for Android vulnerable to hack that compromises personal info

    by Sean Hollister
    04.14.2011

    If you didn't already have enough potential app privacy leaks to worry about, here's one more -- Android Police discovered that Skype's Android client leaves your personal data wide open to assault. The publication reports that the app has SQLite3 databases where all your info and chat logs are stored, and that Skype forgot to encrypt the files or enforce permissions, which seems to be a decision akin to leaving keys hanging out of the door. Basically, that means a rogue app could grab all your data and phone home -- an app much like Skypwned. That's a test program Android Police built to prove the vulnerability exists, and boy, oh boy does it work -- despite only asking for basic Android storage and phone permissions, it instantly displayed our full name, phone number, email addresses and a list of all our contacts without requiring so much as a username to figure it out. Android Police says Skype is investigating the issue now, but if you want to give the VoIP company an extra little push we're sure it couldn't hurt.

  • Adobe finds another 'critical' flaw in Flash, Steve Jobs smiles smugly

    by Terrence O'Brien
    04.12.2011

    Hey, guess what? Adobe has found yet another serious security flaw in Flash. We can already hear the iOS fanboys warming up their commenting fingers. The vulnerability affects all platforms, including Android, though only attacks on Windows have been seen in the wild so far. Just like last month's exploit, this one is spreading via malicious .swf files embedded in Office documents, only this time it's Word instead of Excel being targeted (a hacker's gotta keep it fresh, after all). Once again Reader and Acrobat are also vulnerable, but attacks can be thwarted using Reader's Protected Mode. When exactly Adobe plans on plugging this hole is anyone's guess, so when a deposed Nigerian prince tells you about the fabulous sum of money he'd like you to transfer, you'll have yet another reason not to open the Office attachments in his email.

  • Square's Jack Dorsey calls VeriFone's vulnerability claims 'not fair or accurate'

    by Jacob Schulman
    03.10.2011

    We had a feeling that Square wouldn't let VeriFone call it out without issuing some sort of statement, and CEO Jack Dorsey has responded to the claims of a gaping security hole in the form of an open letter on the company's website. Dorsey calls its competitor's accusations "not fair or accurate" and says that many of the necessary security measures are already built into your credit card itself. He also points out that this sort of credit card number thievery is possible every time you hand your plastic over to a waiter or salesperson, and that its partner bank, JPMorgan Chase, stands behind all aspects of the service. To us, it seems like VeriFone is more than a little scared at the prospect of Square undercutting its fees and potentially upending the POS business -- but we're just theorizing. One thing is for sure though, we'll be hearing a lot more about this as the mobile payment war heats up in the future.

  • VeriFone calls out Square for 'gaping security hole,' publishes sample app to demonstrate

    by Chris Ziegler
    03.09.2011

    VeriFone, a huge provider of credit card processing systems that's been around since time immemorial, has taken a huge swipe at upstart Square today, branding its free, headphone jack-based credit card readers "skimming devices" and demanding their immediate removal from the market. Crazy, right? VeriFone's CEO has thrown up a YouTube video talking about the exploit it's thrown together, and it's more of a social engineering hack than a technical one: a bad guy makes a fake Square app for his phone, plugs in the reader, and steals your unencrypted credit card details without running a "real" payment through Square's system. They're really going big with this, too -- not only is VeriFone's sample app available for download, but they've sent notices to Visa, MasterCard, American Express, and JP Morgan Chase, which handles Square's processing. Sounds like a possible problem, sure -- but when the "exploit" is being announced in such grand fashion by a company that's most threatened by Square's business model, you can't help but feel a little icky about it. Follow the break for video.

  • Google's paying $20,000 to hack Chrome -- any takers?

    by Michael Gorman
    02.03.2011

    So far, Chrome is the only browser of the big four -- Safari, Firefox, and Internet Explorer being the other three -- to escape the Pwn2Own hacking competition unscathed the past two years. (Sorry Opera aficionados, looks like there's not enough of you to merit a place in the contest... yet.) Evidently, its past success has Google confident enough to pony up a cool $20,000 and a CR-48 laptop to anyone able to find a bug in its code and execute a clean sandbox escape on day one of Pwn2Own 2011. Should that prove too daunting a task, contest organizer TippingPoint will match El Goog's $10,000 prize (still $20,000 total) for anyone who can exploit Chrome and exit the sandbox through non-Google code on days two and three of the event. For those interested in competing, Pwn2Own takes place March 9th through 11th in Vancouver at the CanSecWest conference. The gauntlet has been thrown -- your move, hackers.

  • Hackers disguise phone as keyboard, use it to attack PCs via USB

    by Michael Gorman
    01.23.2011

    We've seen hackers use keyboards to deliver malicious code to computers, and we've seen smartphones used as remote controls for cars and TV -- but we've never seen a smartphone disguised as a keyboard used to control a computer, until now. A couple folks at this year's Black Hat DC conference have devised a clever bit of code that allows a rooted smartphone -- connected to a PC through USB -- to pose as a keyboard or mouse in order to attack and control the computer. The hack takes advantage of USB's inability to authenticate connected devices coupled with operating systems' inability to filter USB packets, which would enable users to thwart such an attack. While utilizing a digital costume to hack a computer is a nifty idea, it doesn't pose much additional risk to users because the method still requires physical access to a USB port to work -- and most of us would probably notice someone plugging a smartphone into our laptop while we're using it. [Image Credit: Angelos Stavrou / CNET]

  • Two arrested for iPad security breach

    by Joseph L. Flatley
    01.18.2011

    Two arrests have been made connected to the security breach that exposed thousands of iPad users' email addresses and other info last year. Daniel Spitler and Andrew Auernheimer (yeah, that guy again) have been taken into custody and charged with conspiracy to access a computer without authorization and fraud, for allegedly using a custom script (built by Spitler) called iPad 3G Account Slurper to access AT&T's servers, mimic an iPad 3G, and try out random ICC identifiers. Once a valid ICC was found, one could harvest the user's name and email address. Of course, the hackers maintain that this was all done to force AT&T to close a major security flaw, and we'll be interested to see what exactly the company does to make things right.

  • Critical security warning issued for Mac OS X 10.5 Leopard

    by Chris Rawson
    11.09.2010

    Computerworld reports that security researchers from CoreLabs have publicly released details on a critical security flaw in Mac OS X 10.5 Leopard, an older version of the Mac's operating system. Curiously, the security flaw in Leopard is quite similar to a flaw we reported on back in August, which allowed easy-as-pie browser-based jailbreaking of iOS devices. CoreLabs became aware of the flaw in Leopard and informed Apple only a couple weeks after Apple patched a similar hole in iOS 4; according to those same researchers, Apple has had more than enough time since then to patch the flaw in Leopard. That the flaw remains unpatched was the researchers' motivation for sounding the alarm publicly. The current version of Mac OS X, 10.6 Snow Leopard, is not vulnerable to this exploit. Those using Mac OS X 10.5 Leopard will remain vulnerable until Apple offers a security update for the older OS, which theoretically should be coming soon (reportedly, Apple has developed a patch and is simply waiting to release it). As it stands now, Mac OS X Leopard's vulnerability could potentially leave the OS vulnerable to malware or remote attacks. More specific information is available on CoreLabs' website.