flaw

Latest

  • Internet Explorer flaw may let ad firms track mouse input, Microsoft says that will change

    by Jon Fingas, 12.13.2012

    Many of us already complain that web ads follow us too closely. You can understand why Internet Explorer users might be nervous, then, when Spider.io claims that the ads are even tracking their mouse movements. A JavaScript hole in Internet Explorer 6 through 10 reportedly lets intruders follow along with the onscreen pointer, regardless of whether or not the browser is the active app. That could easily prove a security risk for anyone using a virtual keyboard, including some tablet owners. Microsoft has confirmed that it's investigating and plans to "adjust this behavior," although it takes issue with Spider.io both focusing on IE and decrying two ad analytics firms that are supposedly exploiting the flaw today. The Redmond team argues that other browsers have "similar capabilities" and that Spider.io has ulterior motives, being an ad analytics firm itself -- it allegedly wants to knock down two competitors that it doesn't think are playing fair. We've asked Spider.io for its reaction and will get back if we're told more. In the meantime, don't be too alarmed when the vulnerability would likely only work with detailed knowledge of the target PC.

  • Sony stops Xperia Tablet S sales due to gaps between display panel and case

    by Sharif Sakr, 10.05.2012

    When Sony's designers put a port flap on the Xperia Tablet S in an effort to make it splash-proof, they surely didn't count on their good intentions being undermined by leaky build quality in other areas. According to Reuters though, that's exactly what has happened: a number of tablets have come off the production line with gaps between the screen and the chassis, and it must be a significant proportion because Sony has now decided to halt sales until it can get the problem fixed. The company is also promising to repair any of the 100,000 tablets that have already shipped, but doesn't expect the issue to be serious enough to dampen its earnings (which, let's face it, could already do with some time out in the sun).

  • Apple responds to iPhone text message spoofing, reminds us how secure iMessage is

    by Tim Stevens, 08.18.2012

    If you're a frequent texter, and the iPhone is your weapon of choice, there's a good chance you've been a wee bit concerned since yesterday's report that the device is vulnerable to a certain SMS spoofing attack. Basically, it's possible for a malicious individual to send a message and specify a reply-to number that is not their own, appearing as if they are someone else. We got in touch with an Apple representative and here's what we were told: "Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS." Even if you aren't on an iPhone, we'd like to remind you to be careful when texting. There are numerous services out there that let you send a message that appears to be from anybody you like -- regardless of what model, OS or even carrier the recipient is using. All the more reason to think twice before filing that loan application over SMS.

  • iPhone reportedly vulnerable to text message spoofing flaw

    by Jon Fingas, 08.17.2012

    If you're an iPhone owner, you may want to use good judgment before responding to any out-of-the-blue text messages in the near future. French jailbreak developer and security researcher pod2g finds that every iPhone firmware revision, even iOS 6 beta 4, is susceptible to a flaw that theoretically lets a ne'er-do-well spoof the reply address of outbound SMS messages. As Apple is using the reply-to address of a message's User Data Header to identify the origin rather than the raw source, receiving iPhone owners risk being fooled by a phishing attack (or just a dishonest acquaintance) that poses as a contact or a company. A proof of concept messaging tool is coming to the iPhone soon, but pod2g is pushing for an official solution before the next iOS version is out the door. We've asked Apple for commentary and will get back if there's an update. In the meantime, we wouldn't panic -- if the trickery hasn't been a significant issue since 2007, there isn't likely to be a sudden outbreak today.

  • Star Trek: TNG S1 Blu-ray set has an audio flaw, free replacements are available

    by Richard Lawler, 08.01.2012

    Soon after the Star Trek: The Next Generation Season One Blu-ray set launched last week reports came in that there was an audio problem with the surround sound, and now CBS and Paramount have responded. According to a statement (included after the break) the problem is isolated to the English 7.1 DTS Master Audio track on some episodes where the front channels are mapped incorrectly. If you own the set, you can email (phe.stng@bydeluxe.com) or call (877-335-8936 between 8AM and 6PM PT) for replacements of Discs 1, 3 and 4, simply have your set nearby and ready to read the code located on the inner ring. You won't need to send in your discs, and the replacements are expected to ship after August 10th and take up to five days to arrive.

  • Android and iOS expose your photos to third party apps, promise fixes

    by Terrence O'Brien, 03.01.2012

    2012 is still young, yet it's already shaping up to be a bad year for privacy and security on the mobile front. Apple found itself embroiled in a bit of a brouhaha over the iPhone address book and an app called Path. And, of course, Google was put under the microscope when mobile Safari was found to have a security flaw that its mobile ads were exploiting. Then, earlier this week, it was discovered that granting iOS apps access to your location could also expose your photos. Now it's been discovered that Android also exposes your images, though, it's doing so without asking for any permissions at all. While Apple was masking photo access with other permissions, Google is simply leaving your pics vulnerable as a part of a design quirk that came from the OS's reliance on microSD cards. Both companies have acknowledged the flaws and have said they're currently working on fixes. We're just hoping things start to quiet down soon, though -- our mobile operating systems are running out of personal data to expose. Check out the source links for more details.

  • Samsung may cough up millions over kaput TVs

    by Sharif Sakr, 02.23.2012

    A class action lawsuit filed by owners of faulty Sammy TVs has finally reached a settlement. The manufacturer has promised to foot the bill for new repairs, reimburse for previous repairs and hand out up to $300 to customers who no longer possess their broken TVs but can prove they once did. The fault can affect any of the models listed above -- possibly up to seven million sets in total -- and centers on an errant capacitor in the power circuit that stops the TV turning on, makes it slow to turn on, produces a "clicking sound" or makes it cycle on and off. If you think you're affected then check the source link for details on what to do next. Curious to know how much the lawyers got? A cool half-million for their troubles, which means they'll be upgrading to OLED. Update: A Samsung spokesperson offered up the following response: "Approximately 1 percent of Samsung televisions sold in the U.S. from 2006 to 2008 have experienced some performance issues caused by a component called a capacitor. Since originally confirming this issue in early 2010, Samsung has voluntarily provided free repairs for U.S. customers with affected televisions. Recently, a nationwide class settlement covering all affected televisions in the U.S. was reached in Russell, et al. v. Samsung Electronics America, Inc., a lawsuit filed in the District Court of Oklahoma County in the U.S."

  • Google Wallet gets prepaid security fix, but 'brute-force' issue still hangs in the air

    by Sharif Sakr, 02.15.2012

    Google says it's fixed a Wallet security flaw that potentially allowed a phone thief to spend a user's prepaid balance. The ability to provision new prepaid cards had been suspended pending the update, but has now been restored. Things aren't quite back to normal in the Big G's world of mobile money, however. Users still find themselves caught between two competing arguments over an entirely different vulnerability, which involves a 'brute-force' attack on rooted devices. Google insists that this isn't a major concern, so long as Wallet users refrain from rooting, and that the system still "offers advantages over the plastic cards and folded wallets in use today." On the other hand, the company that discovered this issue -- zvelo -- has come back at Google with an equally blunt response. It acknowledges that a handset must be rooted to be vulnerable, but crucially its researchers also say that a device doesn't have to be rooted before it's stolen. In other words, they allege that a savvy thief can potentially steal a phone and then root it themselves, and they won't be happy with Wallet until it requires a longer PIN number. Whichever argument sways you, it's worth bearing in mind that there's no evidence that anyone has yet managed to exploit these weaknesses for criminal purposes.

  • PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (update: affects rooted devices)

    by Sharif Sakr, 02.09.2012

    Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be "easily revealed." Digging through the app's code and using Google's open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a SHA256 hex-encoded string. Since this string is known to carry four digits, it only takes a "trivial" brute-force attack involving a maximum of 10,000 calculations to decode it. To prove their point, the researchers made a Wallet Cracker app -- demoed after the break -- that does the job quicker than you can say "unexpected overdraft." Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date. Update: Google has responded by emphasizing that it's only users of rooted devices who are at risk. In a statement to TNW it said: "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone." [Thanks to everyone who sent this in.]

  • HTC acknowledges long-running WiFi security flaw, says it kept it quiet to prevent exploits

    by Sharif Sakr, 02.03.2012

    As far back as September, security researchers discovered a "critical" bug in many HTC Android handsets that exposed users' WiFi credentials to any hacker who cared to look. The flaw affected recent devices like the Thunderbolt and EVO 4G all the way back to the Desire HD. The researchers promptly notified HTC, but the manufacturer waited a full five months before acknowledging the flaw publicly a few days ago. Sounds shady, perhaps, but HTC sent us a statement clarifying that this is standard policy to protect customers. It says it waited to develop a fix before it alerted the big bad world to the vulnerability. Most newer devices have already received their fix OTA, but owners of some older phones -- we'll update this post when we know exactly which ones -- will need to check the HTC Support site for a manual update next week. Meanwhile, in the manufacturer's defense, the guys at the Open1X group who discovered the bug say that HTC was "very responsive and good to work with." Here's HTC's statement to us: "HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public." Update: We changed our original headline to make it clearer that HTC deliberately kept quiet to protect its customers. 
    We're certainly not accusing HTC of any wrong-doing here.

  • HP issues LaserJet firmware update, hopefully ends exploding printer saga

    by Daniel Cooper, 12.23.2011

    Some of you might remember the story that HP LaserJet printers might be open to hack attacks that could result in some not-so-spontaneous combustion? Now the company has issued a statement saying that no-one reported their printer exploding, but to be on the safe side, it's produced a firmware update (available at the source link) that'll close the hole and ensure your Holiday doesn't end with a visit from the fire department.

  • Windows Phone 7.5 SMS bug breaks messaging hub, hard reset is the only remedy

    by Joshua Tucker, 12.15.2011

    An SMS message on your Windows 7.5 handset could knock messaging out cold, a one shot kill you can't prepare for. Apparently, WP devices that receive a text containing a certain string of characters will reboot and return with a non-functional messaging client which can only be restored via a hard reset. The flaw is not device-specific and has been found to affect other parts of the OS, locking up your handset if you've pinned a friend as a live tile and that buddy posts the magic bug words on Facebook or Windows Live Messenger. Fixing the problem requires quick tapping fingers, as you've got to remove the pinned tile after rebooting before it flips and freezes the phone again. Before you go abandoning WP7's ship, just know that SMS issues are a known phenomenon and have affected all the major mobile players, iOS and Android included. Until Microsoft releases a fix, cross your fingers and hang tight, but in the meantime, all you mobile masochists can see the bug in action after the break.

  • Some Android phones fail to enforce permissions, exposed to unauthorized app access

    by Joshua Tucker, 12.02.2011

    Eight Android phones, including the Motorola Droid X and Samsung Epic 4G, were found to house major permission flaws according to a research team at North Carolina State University. Their study revealed untrusted applications could send SMS messages, record conversations and execute other potentially malicious actions without user consent. Eleven of the thirteen areas analyzed (including geo-location and access to address books) showed privileges were exposed by pre-loaded applications. Interestingly, Nexus devices were less vulnerable, suggesting that the other phone manufacturers may have failed to properly implement Android's security permissions model. Google and Motorola confirm the present flaws while HTC and Samsung remain silent. Exercising caution when installing applications should keep users on their toes until fixes arrive. [Thanks, John]

  • Researchers expose printer vulnerability, turn LaserJets into literal time bombs (update)

    by Terrence O'Brien, 11.29.2011

    Your precious printer might seem innocuous but, in reality, it could be a ticking time bomb just waiting for some hacker to trigger it. Oh, and we mean that not just figuratively, but literally as well -- they could actually be caused to burst into flames by some ne'er-do-well half-way around the globe. Of course, the potential doesn't end at remote arson, an attacker could easily gain access to a network or steal documents, and hijacking the lowly device would require little more than printing an infected file. So far researchers at Columbia University have only managed to exploit the hole on HP printers, but it's possible (if not likely) that others are also affected. Most printers look for a firmware update every time they receive a job but, for some reason, they rarely check the validity of an incoming file. A fake upgrade could easily be attached to a file sent over the internet, directly to a device -- no need to even trick anyone. HP says it's taking the issue very seriously and looking into the vulnerability, though, it says newer devices aren't affected (a claim the researchers challenge). For a lot more detail on the what and how check out the source link. Update: HP (unsurprisingly) issued a rebuttal. It's working up a firmware update right now for certain flaws, but it'll have you know that "no customer has reported unauthorized access."

  • Charlie Miller's latest iOS hack gets into the App Store, gets him tossed out (video)

    by Richard Lawler, 11.07.2011

    This isn't the first brush Apple's iOS platform has had with apps that exploit security holes to run unsigned code, but according to the developer of InstaStock, this may be the first to get a security researcher booted from its developer program. Charlie Miller shared his discovery with Forbes earlier today, showing off an app which successfully made it through Apple's approval process despite packing the ability to download and run unsigned code. That could allow a malicious app to access user data or activate hardware features remotely. Apple pulled the app after the findings were published, and according to Miller, revoked his developer access shortly afterward for what seems to be a clear violation of the guidelines. He told CNET that he alerted Apple to the exploit three weeks ago, however it's unknown whether or not a fix for the problem is included in the new 5.0.1 version of iOS that's currently in testing. He'll be explaining his method in more detail next week at SysCan, but until the hole is confirmed closed we'd probably keep a tight leash on our app store browsing. [Thanks to everyone who sent this in]

  • Security researcher Charlie Miller finds serious bug in iOS

    by Mike Schramm, 11.07.2011

    Security expert and Mac hacker Charlie Miller has uncovered an issue in iOS that would allow an app, downloaded from the App Store, to install and run malicious code on a device from a remote computer. The flaw, which Miller reportedly did upload to the App Store and got past Apple's security checks, would create an app that appears to be innocuous (like Miller's example app, which just runs stock information), but could then download instructions from another computer and then run any commands, steal user files (like photos and contacts) without permission, or even make the iOS device vibrate or play sounds. Miller's app has already been removed from the App Store, and we're certain Apple will plug this hole in an upcoming update. Even Miller admits it is a very obscure bug, hidden away in iOS but there nonetheless, a byproduct of how Apple had to tweak the system to speed up JavaScript in Mobile Safari. He plans to detail the issue at the SysCan conference in Taiwan next week. Hopefully things will be fixed soon. If you're really worried, it's probably a good idea to hold off on updating or downloading any new apps, especially any that don't come from well-established developers. Still, as Apple is aware of this problem (since Miller's app has been pulled), it's unlikely that any more apps with this bug will make it onto the Store itself. The larger issues are the flaw in iOS, why Apple had to create this exception to begin with, and how they are going to fix it.

  • HTC confirms security hole, says patch is incoming

    by Sean Buckley, 10.04.2011

    HTC held true to its promise to look into the security vulnerability that surfaced over the weekend, an apparent glitch that allows any app requesting internet access to take a peek at a user's account information, GPS location, system logs, and other potentially private data. While HTC assured us that user data isn't at risk of being harmed by its own software, a third party malware app could exploit the security flaw and cause some trouble. The outfit is already building a patch, and will ship it out in an over the air update after a short testing period with its carrier partners. Until then? HTC recommends steering clear of apps from publishers you don't trust. Hit the break to see the official statement.

  • HTC security vulnerability said to leak phone numbers, GPS data, and more, HTC responds (video)

    by Sean Buckley, 10.02.2011

    The folks at Android Police seem to have stumbled across a rather jarring security vulnerability in HTC handsets running Android, giving common apps with internet access a peek at the device's vital statistics, user information and more. Demonstrated in the above video, developer Trevor Eckhart found that a recent HTC update packed in a suite of logging tools that collects data on user accounts (including email addresses), recent GPS locations, SMS data and encoded text, phone numbers, system logs, running processes and more -- all of which can be accessed by common apps requesting access to android.permission.INTERNET. HTC is already looking into the issue, stating, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken." If you're too antsy to wait for HTC's update, head on over to the source link below -- Eckhart says the issue can be resolved by removing HTCloggers from a rooted device.

  • WhiteHat Security hacks into Chrome OS, exposes extension vulnerability at Black Hat

    by Amar Toor, 08.06.2011

    It's been a rough Black Hat conference for Google. First, FusionX used the company's homepage to pry into a host of SCADA systems, and now, a pair of experts have discovered a way to hack into Chrome OS. According to WhiteHat security researchers Matt Johansen and Kyle Osborn, one major issue is Google's vet-free app approval process, which leaves its Chrome Web Store susceptible to malicious extensions. But there are also vulnerabilities within native extensions, like ScratchPad -- a note-taking extension that stores data in Google Docs. Using a cross-site scripting injection, Johansen and Osborn were able to steal a user's contacts and cookies, which could give hackers access to other accounts, including Gmail. Big G quickly patched the hole after WhiteHat uncovered it earlier this year, but researchers told Black Hat's attendees that they've discovered similar vulnerabilities in other extensions, as well. In a statement, a Google spokesperson said, "This conversation is about the Web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels." The company went on to say that its laptops can ward off attacks better than most, thanks to "a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced."

  • Microsoft decides to pass on WebGL over security concerns (Update: iOS 5 supports WebGL, sort of)

    by Terrence O'Brien, 06.17.2011

    Well, it looks like Microsoft is taking those warnings about WebGL pretty seriously. The company has decided not to support the web-based 3D standard because it wouldn't be able to pass security muster. Highest on the list of concerns is that WebGL opens up a direct line from the internet to a system's GPU. To make matters worse, holes and bugs may crop up that are platform or video card specific, turning attempts to plug holes in its defense into a game of whack-a-mole -- with many players of varying reliability. Lastly Microsoft, like security firm Context, has found current solutions for protecting against DoS attacks rather unsatisfying. Lack of support in Internet Explorer won't necessarily kill WebGL and, as it matures, Microsoft may change its tune -- but it's still a pretty big blow for all of us hoping the next edition of Crysis would be browser-based. Update: As is usually the case Apple and the Windows folks are on opposite sides of this one. In fact, the Cupertino crew plans to bring WebGL to iOS 5 with one very strange restriction -- it will only be available to iAd developers. Now, chances are it will eventually be opened up in mobile Safari for everyone, but for the moment it seems browser-based 3D graphics will be limited to advertisements on the iPhone. Still, that's another big name throwing its support behind the burgeoning standard. [Thanks, Greg]