flaw

Latest

  • Netflix, Foursquare, LinkedIn, and Square apps expose your data

    by Terrence O'Brien
    06.09.2011

    Here's a little tip for app developers: encrypt everything, especially passwords. Security firm viaForensics fed some popular iPhone and Android apps through its appWatchdog tool and found that Netflix, LinkedIn, and Foursquare all stored account passwords unencrypted. Since the results were first published on the 6th, Foursquare has updated its app to obscure users' passwords, but other data (such as search history) is still vulnerable. While those three were the worst offenders, other apps also earned a big fat "fail," such as the iOS edition of Square which stores signatures, transaction amounts, and the last four digits of credit card numbers unencrypted. Most of this data would take some effort to steal, but it's not impossible for a bunch of ne'er-do-wells to create a piece of malware that can harvest it. Let's just hope Netflix and LinkedIn patch this hole quickly -- last thing we need is someone discovering our secret obsession with Meg Ryan movies.

  • Google confirms Android security issue, server-side fix rolling out today

    by Donald Melanson
    05.18.2011

    No Android security flaw is good news for Google, but the recently discovered ClientLogin issue that left the OS vulnerable to impersonation attacks is surely at least a bit more welcome than some of the alternatives. That's because the flaw can be fixed at the server-side level (rather than on millions of Android phones), and Google has now confirmed that a fix is rolling out today, although it may take a few more days for it to cover all users (there's no action required on your part). The company's not quite out of the woods just yet, though -- while we've confirmed with Google that the fix addresses the issues with Calendar and Contacts, the problem with Picasa remains, and there's still no indication of a fix for it. Incidentally, Google had already fixed the Calendar and Contacts issues on the phone-side with Android 2.3.4 (although that still left 99 percent of phones vulnerable), but it too is still stuck with the Picasa vulnerability.

  • WebGL flaw leaves GPU exposed to hackers

    by Terrence O'Brien
    05.12.2011

    Google spent a lot of time yesterday talking up WebGL, but UK security firm Context seems to think users should disable the feature because it poses a serious security threat, and the US Computer Emergency Readiness Team (CERT) is encouraging people to heed that advice. According to Context, a malicious site could pass code directly to a computer's GPU and trigger a denial of service attack or simply crash the machine. Ne'er-do-wells could also use WebGL and the Canvas element to pull image data from another domain, which could then be used as part of a more elaborate attack. Khronos, the group that organizes the standard, responded by pointing out that there is an extension available to graphics card manufacturers that can detect and protect against DoS attacks, but it did little to satisfy Context -- the firm argues that inherent flaws in the design of WebGL make it very difficult to secure. Now, we're far from experts on the intricacies of low-level hardware security but, for the moment at least, there seems to be little reason for the average user to panic. There's even a good chance that you're not vulnerable at all since WebGL won't run on many Intel and ATI graphics chips (you can check by clicking here). If you're inclined to err on the side of caution you can find instructions for disabling WebGL at the more coverage link -- but come on, living on the cutting edge wouldn't be anywhere near as fun if it didn't involve a bit of danger. [Thanks, Tony]

  • Skype security flaw already patched, but you have to download manually

    by Michael Grothaus
    05.07.2011

    There's a big problem with Skype on the Mac: and no, it's not its ugly UI (although that is a big problem). As noted by Mashable's (and former TUAW blogger) Christina Warren, the latest version of Skype for Mac has an unpatched security flaw that allows a person to gain remote access to another's machine simply by sending a Skype message. The flaw was discovered last month thanks to the work of researcher Gordon Maddern from the firm Pure Hacking. Maddern contacted Skype, who was reportedly already aware of the vulnerability and working on a fix. They then issued a hotfix for the security hole in a minor update (Skype for Mac version 5.1.0.922) on April 14th. However, responding to the issue in an official blog post today the Skype for Mac team said, "As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week." What's that mean to you as a Skype for Mac user? The cat's out of the bag, and if someone who has the skills to take advantage of the flaw now knows about it, Skype for Mac users who have not updated to version 5.1.0.922 are theoretically at risk. Don't wait for the automatic update to Skype next week. Be sure and download the April 14th update right now by clicking here, or simply run Skype on your Mac and choose Skype > Check for Updates. Now about that UI...

  • Nikon Image Authentication Software validates Photoshop phonies

    by Christopher Trout
    04.29.2011

    It's hard to believe that Russian President Dmitry Medvedev and Apple man Steve Jobs would get all giggly over a Granny Smith, and that's for good reason: that apple's about as phony as this tiny iPhone. According to a Russian security firm, however, Nikon's Image Authentication Software would tell you otherwise. This rendering is one of a handful used to demonstrate a flaw in the camera maker's image verification system. Programs like Nikon's apply an encrypted signature to image files at the time they are captured, and overwrite those signatures when a file is altered, allowing for verification of a photograph's integrity. According to ElcomSoft, the firm exposed a flaw in the system used by Nikon, as well as a similar program employed by Canon's DSLRs, that allowed them to extract the signature key from a camera and apply it to phonies like the one above. According to the outfit, neither company has responded to its findings. For more funny fakes, including a shot of Mike Tyson rocking an Angry Birds tattoo, check out the source link below.

  • Adobe finds another 'critical' flaw in Flash, Steve Jobs smiles smugly

    by Terrence O'Brien
    04.12.2011

    Hey, guess what? Adobe has found yet another serious security flaw in Flash. We can already hear the iOS fanboys warming up their commenting fingers. The vulnerability affects all platforms, including Android, though only attacks on Windows have been seen in the wild so far. Just like last month's exploit, this one is spreading via malicious .swf files embedded in Office documents, only this time it's Word instead of Excel being targeted (a hacker's gotta keep it fresh, after all). Once again Reader and Acrobat are also vulnerable, but attacks can be thwarted using Reader's Protected Mode. When exactly Adobe plans on plugging this hole is anyone's guess, so when a deposed Nigerian prince tells you about the fabulous sum of money he'd like you to transfer, you'll have yet another reason not to open the Office attachments in his email.

  • Xperia Play delayed by O2 UK due to software bugs, what are the other carriers doing?

    by Vlad Savov
    03.25.2011

    Oh, woe is us. Or, to be more precise, woe is us if we wanted the Xperia Play on the UK's O2 network on the day of its release, April 1st. The British carrier has been candid in admitting it found software bugs on the Play and is holding back release of the gamer-friendly device until those have been ironed out. We appreciate its effort in "testing the phone non-stop for weeks" and its reluctance to grab a quick buck by releasing imperfectly baked goods, but a major question remains -- if this isn't an O2-specific software problem, and we've heard no peep of O2 customizing the Android 2.3 build on the Play, why are no other carriers signaling a similar delay? Vodafone is still aiming to deliver UK pre-orders by April 5th and there seems to be no indication of flawed software from others. Only thing we can think of, given that O2 has the white Xperia Play exclusive, is that the white phone curse has struck again. [Thanks, Ed] Update: Here's what Sony Ericsson has to say on the matter: "Sony Ericsson Xperia™ PLAY will be launching on 1st April across all UK mobile operator partners except for O2, who have decided to prolong the testing period in order to ensure that the software meets the requirements of its procedures. Sony Ericsson will be working with O2 over the next couple of weeks to expedite the process and ensure that O2 customers can soon join consumers across the UK in being able to enjoy the world's first PlayStation certified smartphone."

  • Adobe patches Flash flaw with Acrobat / Reader update

    by Vlad Savov
    03.22.2011

    Armageddon averted. Exactly as promised, Adobe has rolled out a fix this week for the zero-day security vulnerability in Flash that had us sweating the world was about to come crashing to an end. It's a somewhat circuitous route to getting your system patched up, however, as you'll need to download an out-of-cycle update for Acrobat and Reader -- the other software affected by this issue. Still, a small price to pay for protecting yourself from the evils of the internets. [Thanks, Paul]

  • Google patches Flash vulnerability in Chrome, leaves other browsers hanging

    by Vlad Savov
    03.21.2011

    Remember that massive security vulnerability that Adobe identified in its Flash Player, Acrobat and Reader software? Well, shockingly enough, it hasn't yet taken over the internet and ground productivity to a halt, but Google's been proactive about it and patched the flaw by itself. Of course, the fix applies only to its own Chrome web browser; Firefoxes and Internet Explorer types will have to wait for Adobe's fix, which is expected any minute now. Still, it's good to know someone's looking out for the security of our data, even if that someone already has access to most of it anyway.

  • Square's Jack Dorsey calls VeriFone's vulnerability claims 'not fair or accurate'

    by Jacob Schulman
    03.10.2011

    We had a feeling that Square wouldn't let VeriFone call it out without issuing some sort of statement, and CEO Jack Dorsey has responded to the claims of a gaping security hole in the form of an open letter on the company's website. Dorsey calls its competitor's accusations "not fair or accurate" and says that many of the necessary security measures are already built in to your credit card itself. He also points out that this sort of credit card number thievery is possible every time you hand your plastic over to a waiter or salesperson, and that its partner bank, JPMorgan Chase, stands behind all aspects of the service. To us, it seems like VeriFone is more than a little scared at the prospect of Square undercutting its fees and potentially upending the POS business -- but we're just theorizing. One thing is for sure though, we'll be hearing a lot more about this as the mobile payment war heats up in the future.

  • Microsoft pulls Windows Phone 7 update from Samsung phones until it can resolve issues

    by Vlad Savov
    02.23.2011

    Such a big load of trouble for such a small update. Microsoft's first WP7 firmware refresh has been causing some unfortunate brick-like behavior in Samsung Omnia 7s and the company has wisely decided to pull the new software back until it can correct whatever's going wrong. An official communiqué to WinRumors says Microsoft has identified the issue at hand and is working to correct it and redistribute the update as soon as possible. For any Samsung WP7 phone owners who haven't been able to resuscitate their device yet, the advised course of action is to go back to the store and swap it for a livelier one. Update: Timo wrote in to let us know that some people are still seeing the update. If that's you, you'd be advised to hold off.

  • Dell, Gigabyte and MSI pull products in wake of Sandy Bridge chipset flaw, HP faces delays (updated)

    by Vlad Savov
    02.02.2011

    Every time we write about Intel's flawed Sandy Bridge chipset and the need for it to be physically replaced, the financial costs go up. Intel initially projected a $300 million hit to revenues, but then it set aside $700 million to cover repairs and replacements, which together brings us to the current estimate of $1 billion lost in "missed sales and higher costs." Those missed sales will be coming directly from guys like MSI and Gigabyte, two of the major motherboard makers, who have stopped selling their Sandy Bridge-compatible models until Intel delivers untainted stock, and also Dell, who has nixed availability of its Alienware M17x R3 gaming laptop. CNET did spot that HP and Dell were still selling laptops with the offending chipset in them yesterday, but we imagine both will get their online stores straightened out in due course. For its part, HP says it's pushing back a business notebook announcement due to this news, much like NEC has had to do. Moral of the story? Don't let faulty chips out of the oven. Update: Dell says the M17x R3 is just the tip of the iceberg here: "This affects four currently available Dell products, the XPS 8300, the Vostro 460, the Alienware M17x R.3 and the Alienware Aurora R.3, as well as several other planned products including XPS 17 with 3D. We're committed to addressing this with customers who have already purchased one of the four products and will provide further details on this as it becomes available." [Thanks, geller]

  • Two arrested for iPad security breach

    by Joseph L. Flatley
    01.18.2011

    Two arrests have been made connected to the security breach that exposed thousands of iPad users' email addresses and other info last year. Daniel Spitler and Andrew Auernheimer (yeah, that guy again) have been taken into custody and charged with conspiracy to access a computer without authorization and fraud, for allegedly using a custom script (built by Spitler) called iPad 3G Account Slurper to access AT&T's servers, mimic an iPad 3G, and try out random ICC identifiers. Once a valid ICC was found, one could harvest the user's name and email address. Of course, the hackers maintain that this was all done to force AT&T to close a major security flaw, and we'll be interested to see what exactly the company does to make things right.

  • Security experts unearth unpleasant flaws in webOS

    by Chris Ziegler
    11.26.2010

    Researchers from security firm SecTheory have described a handful of flaws in webOS, saying that the platform -- by its very nature -- is more prone to these sorts of things than its major competitors because Palm puts web technologies like JavaScript closer to webOS' core where system functions are readily accessible. At least one of the flaws, involving a data field in the Contacts app that can be exploited to run arbitrary code, has already been fixed in webOS 2.0 -- but the others are apparently still open, including a cross-site scripting problem, some sort of floating-point overflow issue, and a denial-of-service vector. We imagine Palm will get these all patched up sooner or later, but as SecTheory's guys point out, how long is it until mobile malware becomes a PC-sized problem?

  • The story behind the Twitter worm

    by Joseph L. Flatley
    09.22.2010

    When we heard about this malicious JavaScript code that hit Twitter yesterday, we were kind of relieved: perhaps it was nature's way of ridding us of celebrity micro-bloggers. But as the day went on, it seemed that even if this were the case, a sordid tale was emerging: apparently the whole thing began with a Norwegian programmer named Magnus Holm, who had experimented with a flaw in Twitter's website that let users execute code on a mouseover. His version of the code simply replicated itself: "The purpose was simply to see if it was possible to create a worm," he told The New York Times, adding that he was surprised it had spread as quickly as it did. "Because it was very easy to delete the Tweet that contained the worm, I expected that everyone would just delete it the moment they realized that they've been 'infected.'" But soon enough, folks were updating the code for malicious purposes, including redirects to spam sites and, perhaps worst of all, Rickrolling. By 8:30 AM President Obama's Press Secretary Robert Gibbs had inadvertently sent the thing out to his followers, and by 10:00 AM (when Twitter had patched the hole) an estimated 200,000-plus users had been hit. Fortunately, it looks like things are back to normal, which reminds us: @justinbieber hasn't tweeted for over twenty-four hours. We hope he's OK!

  • 'Rainbow tweets' start hammering Twitter after onMouseOver exploit discovered

    by Vlad Savov
    09.21.2010

    Oh dear. Some wise guys have discovered a JavaScript exploit in Twitter's web interface, which uses an onMouseOver instruction to hijack your own tweeting voice and force you to say things you don't want to say. Simply put, hovering on some of these colorful new tweets can result in you tweeting out the spammiest spam you ever did tweet. So, as with Tetris, be wary of those blocks of color, they are the harbingers of doom. And until the Twitter crew wrap their brains around sealing this vulnerability off, we'd recommend just using any of the cornucopia of Twitter apps floating about in the webosphere. [Thanks to everyone who sent this in] Update: The Twitgineers are already dealing with the issue and are rolling out a patch that should span the entire Twitterverse before too long.

  • iPad still has a major browser vulnerability, says group behind AT&T security breach

    by Vlad Savov
    06.15.2010

    You know that tiny little security snafu that allowed over a hundred thousand iPad users' email addresses out? The one that the FBI felt compelled to investigate? Well, Goatse Security -- the group that discovered that particular hole (stop laughing) -- isn't best pleased to be described as malicious by AT&T's response to the matter, and has requited with its own missive to the world. Letting us know that the breach in question took "a single hour of labor," the GS crew argues that AT&T is glossing over the fact it neglected to address the threat promptly and is using the hackers' (supposedly altruistic) efforts at identifying bugs as a scapegoat. As illustration, they remind us that the iPad is still wide open to hijacking thanks to a bug in the mobile version of Safari. Identified back in March, this exploit allows hackers to jack in via unprotected ports, and although it was fixed on the desktop that same month, the mobile browser remains delicately poised for a backdoor entry -- should malevolent forces decide to utilize it. This casts quite the unfavorable light on Apple as well, with both corporations seemingly failing to communicate problematic news with their users in a timely manner.

  • HTC EVO suffering from glass separation issues?

    by Tim Stevens
    06.13.2010

    Potential bad news for EVO owners: we're seeing plenty of reports from folks having issues with the lower portions of their screens. Conspiracy theories say that the adhesive holding the glass is failing, causing the screen to peel up a bit and embark on a very slow journey to capacitive independence. This separation is causing excessive light leakage from below, a problem that we noted in our review but apparently gets continually worse as users spend more time massaging their screens -- even those not being as hard on theirs as this guy was. No official response from HTC yet and we're not sure just what a fix could be, but we have seen people do some wonderful things with duct tape. Update: Still no word from HTC, but Troy, a Sprint employee, e-mailed us to say he's not seen any phones being brought in for this issue at his store. He also indicated the phone is a "repairable device" so, if indeed this is something HTC deems worthy of repair it could be something able to be fixed without requiring a replacement. Here's to hoping... [Thanks, Brandon; image courtesy of Ryan/Selfdestruct]

  • Adobe's Flash and Acrobat have 'critical' vulnerability, may allow remote hijacking

    by Vlad Savov
    06.05.2010

    When Adobe said Flash gives you the full web experience, it meant it. Part and parcel of the web, as we all know, is the good old hacking community, which has been "actively exploiting" a vulnerability in Flash Player 10.0.45.2 (and earlier versions) and Adobe Acrobat and Reader 9.x to overtake people's machines and do hacky stuff with them. This so-called flaw also causes crashes, but that's probably not what's worrying you right now. Adobe says the 10.1 Release Candidate for Flash Player looks to be unaffected, while versions 8.x of Acrobat and Reader are confirmed safe. To remedy the trouble, the company advises moving to the RC for Flash, and deleting authplay.dll to keep your Acrobat from performing undesirable gymnastics. Oh boy, Steve's gonna have a field day with this one.

  • Charlie Miller to reveal 20 zero day security holes in Mac OS X

    by Darren Murph
    03.19.2010

    Say, Charles -- it's been awhile! But we're pleased as punch to see that you're back to your old ways, poking around within OS X's mainframe just looking for ways to remotely control the system, snag credit card data and download a few interoffice love letters that are carefully stashed 15 folders down within 'Documents.' The famed Apple security expert is planning yet another slam on OS X at CanSecWest, where he'll reveal no fewer than 20 zero day security holes within OS X. According to Miller, "OS X has a large attack surface consisting of open source components, closed source third-party components and closed source Apple components; bugs in any of these types of components can lead to remote compromise." He also goes on to reemphasize something he's been screaming for years: "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town." In other words, Apple users are "safer" (due to the lack of work that goes into hacking them), "but less secure." So, is this a weird way of applying for a security job in Cupertino, or what?