vulnerable

Latest

  • Some Android phones fail to enforce permissions, exposed to unauthorized app access

    by Joshua Tucker
    12.02.2011

    Eight Android phones, including the Motorola Droid X and Samsung Epic 4G, were found to house major permission flaws according to a research team at North Carolina State University. Their study revealed untrusted applications could send SMS messages, record conversations and execute other potentially malicious actions without user consent. Eleven of the thirteen areas analyzed (including geo-location and access to address books) showed privileges were exposed by pre-loaded applications. Interestingly, Nexus devices were less vulnerable, suggesting that the other phone manufacturers may have failed to properly implement Android's security permissions model. Google and Motorola confirm the present flaws while HTC and Samsung remain silent. Exercising caution when installing applications should keep users on their toes until fixes arrive. [Thanks, John]

  • Hackers break into Subaru Outback via text message

    by Christopher Trout
    08.04.2011

    We've already seen SCADA systems controlled by Google Search, and now the Black Hat Technical Security Conference is offering up yet another slice of cringe-inducing hacker pie. A pair of pros from iSec Partners security firm was able to unlock and start the engine of a Subaru Outback using an Android phone and a process they call war texting. By setting up their own GSM network, they were able to snatch up password authentication messages being sent from server to car, allowing them the option to ride off in a brand new crossover. Apparently, your car isn't the only thing in danger of a war-texting takeover, however, as the team says there are a slew of devices and systems, accessible over telephone networks, that are vulnerable to similar attacks, including A-GPS tracking devices, 3G security cameras, SCADA sensors -- and thus the power grid and water supply -- home automation, and urban traffic control systems. Somehow this group of otherwise innocent looking New York texters appears a whole lot more sinister now.

  • Google search opens SCADA systems to doomsday scenarios

    by Joseph Volpe
    08.04.2011

    Google, the service so great it became a verb, can now add security risk to its roster of unintended results. The search site played inadvertent host to remotely accessed Supervisory Control and Data Acquisition (SCADA) systems in a Black Hat conference demo led by FusionX's Tom Parker. The security company CTO walked attendees through the steps required to gain control of worldwide utility infrastructure -- power plants, for one -- but stopped short of actually engaging the vulnerable networks. Using a string of code, unique to a Programmable Logic Controller (the computers behind amusement park rides and assembly lines) Parker was able to pull up a water treatment facility's RTU pump, and even found its disaster-welcoming "1234" password -- all through a Google search. Shaking your head in disbelief? We agree, but Parker reassured the crowd these types of outside attacks require a substantial amount of effort and coordination, and "would be extremely challenging to pull off." Panic attack worn off yet? Good, now redirect those fears to the imminent day of robot-helmed reckoning.

  • Adobe dominates Kaspersky Lab's top ten PC vulnerabilities list

    by Christopher Trout
    05.19.2011

    Being number one is usually an honor, but not when it comes to Kaspersky Lab's top ten PC vulnerabilities list. Unfortunately for the software giant, Adobe took top dishonors for Q1 this year, pulling in five total spots on the list, including the top three. According to the security firm, all of the vulnerabilities appearing on the list allowed cyber-criminals to control computers at the system level. The number one spot was occupied by a vulnerability in Adobe Reader that was reportedly detected on 40 percent of machines running the application, while Flash Player flaws took second and third. Other dishonorees included the Java Virtual Machine, coming in at fourth and fifth place, Apple QuickTime, Winamp, and Microsoft Office. That ain't bad, considering Microsoft ruled the vulnerabilities roost in 2010.

  • Adobe finds 'critical' security hole in Flash Player, won't fix it before next week

    by Vlad Savov
    03.15.2011

    Oh, here we go again. Adobe's kicked out a security bulletin for users of its Flash Player on "all platforms" -- that'll be the entire population of the internet, then -- warning them that a new critical vulnerability has been discovered that may cause crashes and potentially permit the hijacking of systems. The issue also affects the company's Reader and Acrobat software products. Even better news is that Adobe has found it's being actively exploited "in the wild" via a .swf file embedded in an Excel spreadsheet, but a fix won't be forthcoming until the beginning of next week. So, erm, enjoy your full web experience until then!

  • Android 2.3 security bug shows microSD access vulnerability

    by Christopher Trout
    01.29.2011

    A researcher at North Carolina State University is warning of an Android 2.3 security vulnerability that gives attackers access to your personal information, further proof that Gingerbread isn't all sugar and spice (to be fair, that SMS issue has since been remedied). According to Xuxian Jiang, the bug allows malicious websites to access and upload the contents of a user's microSD card, including voicemails, photos, and online banking information to a remote server. The flaw apparently resembles a similar bug in a previous version of Android, thought to have been addressed with Gingerbread. However, as Jiang points out, that fix is easily bypassed. Apart from removing the microSD card, disabling JavaScript, or switching to a third-party browser, Android 2.3 users have little recourse in squashing the bug. The folks at eWeek reported that Google is working on a solution to the problem, but there's no word on when we can expect to see an update.

  • Adobe's Flash and Acrobat have 'critical' vulnerability, may allow remote hijacking

    by Vlad Savov
    06.05.2010

    When Adobe said Flash gives you the full web experience, it meant it. Part and parcel of the web, as we all know, is the good old hacking community, which has been "actively exploiting" a vulnerability in Flash Player 10.0.45.2 (and earlier versions) and Adobe Acrobat and Reader 9.x to overtake people's machines and do hacky stuff with them. This so-called flaw also causes crashes, but that's probably not what's worrying you right now. Adobe says the 10.1 Release Candidate for Flash Player looks to be unaffected, while versions 8.x of Acrobat and Reader are confirmed safe. To remedy the trouble, the company advises moving to the RC for Flash, and deleting authplay.dll to keep your Acrobat from performing undesirable gymnastics. Oh boy, Steve's gonna have a field day with this one.