security vulnerabilities

Latest

  • Microsoft issues security patches for Flash vulnerabilities in Windows 8 and Internet Explorer

    by Sarah Silbert
    09.21.2012

    As promised, Microsoft is issuing a security patch for a Flash vulnerability on Windows 8 in Internet Explorer 10. Though the operating system has yet to see its official public release, researchers testing the RTM version found a bug that could cause Flash to crash and allow attackers to take control of a user's machine. Additionally, the company is rolling out an update to address a security hole in Internet Explorer versions 7 and 8 on Windows XP -- and IE 9 on Windows 7 and Windows Vista -- which left the door open for hackers to spread malware via a specially designed Flash animation. Both security patches are available via Microsoft's Windows Update service.

  • Sprint issues OTA fix for HTC Android handset vulnerability

    by Michael Gorman
    10.25.2011

    Earlier this month, we found out that after a software update HTC's Android handsets had a serious security flaw -- any app could gain access to user data, including recent GPS locations, SMS data, phone numbers, and system logs. To its credit, HTC responded quickly to the security issue, and now an OTA update with the fix is going out to those on the Now Network. Sprint users with an EVO 4G, 3D, Shift 4G, Design 4G or View 4G can get the download, as can Wildfire S owners. The patch is available now for manual download, and more info on the fix can be found at the source below. [Thanks, Korey]

  • HTC confirms security hole, says patch is incoming

    by Sean Buckley
    10.04.2011

    HTC held true to its promise to look into the security vulnerability that surfaced over the weekend, an apparent glitch that allows any app requesting internet access to take a peek at a user's account information, GPS location, system logs, and other potentially private data. While HTC assured us that user data isn't at risk of being harmed by its own software, a third-party malware app could exploit the security flaw and cause some trouble. The outfit is already building a patch, and will ship it out in an over-the-air update after a short testing period with its carrier partners. Until then? HTC recommends steering clear of apps from publishers you don't trust. Hit the break to see the official statement.

  • HTC security vulnerability said to leak phone numbers, GPS data, and more, HTC responds (video)

    by Sean Buckley
    10.02.2011

    The folks at Android Police seem to have stumbled across a rather jarring security vulnerability in HTC handsets running Android, giving common apps with internet access a peek at the device's vital statistics, user information and more. Demonstrated in the above video, developer Trevor Eckhart found that a recent HTC update packed in a suite of logging tools that collects data on user accounts (including email addresses), recent GPS locations, SMS data and encoded text, phone numbers, system logs, running processes and more -- all of which can be accessed by common apps requesting access to android.permission.INTERNET. HTC is already looking into the issue, stating, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken." If you're too antsy to wait for HTC's update, head on over to the source link below -- Eckhart says the issue can be resolved by removing HTCloggers from a rooted device.

  • Google search opens SCADA systems to doomsday scenarios

    by Joseph Volpe
    08.04.2011

    Google, the service so great it became a verb, can now add security risk to its roster of unintended results. The search site played inadvertent host to remotely accessed Supervisory Control and Data Acquisition (SCADA) systems in a Black Hat conference demo led by FusionX's Tom Parker. The security company CTO walked attendees through the steps required to gain control of worldwide utility infrastructure -- power plants, for one -- but stopped short of actually engaging the vulnerable networks. Using a string of code unique to a Programmable Logic Controller (the computers behind amusement park rides and assembly lines), Parker was able to pull up a water treatment facility's RTU pump, and even found its disaster-welcoming "1234" password -- all through a Google search. Shaking your head in disbelief? We agree, but Parker reassured the crowd these types of outside attacks require a substantial amount of effort and coordination, and "would be extremely challenging to pull off." Panic attack worn off yet? Good, now redirect those fears to the imminent day of robot-helmed reckoning.

  • Security firm warns lack of iOS 4.3 update leaves iPhone 3G vulnerable

    by Chris Ward
    03.12.2011

    Security company Sophos is warning iPhone 3G and older iPod touch owners that their devices could be vulnerable to attack following Apple's decision not to make the iOS 4.3 update available to them. In addition to AirPlay improvements and iTunes Home Sharing, the iOS 4.3 update fixes a number of security holes, but it's only available for the iPhone 3GS, iPhone 4, the iPad and more recent iPod touch models. "[I]f you have an earlier iPhone or iPod touch your device is probably vulnerable to attacks which exploit these security holes, and there is no official patch available for you to protect yourself. That's bad news for the many people who still have an iPhone 3G, for instance," says Graham Cluley, senior technology consultant at Sophos. The security fixes are detailed in an Apple knowledgebase article. They protect against maliciously-crafted TIFF image files, which could be used to run malicious code on your device, as well as fixing many memory corruption issues in WebKit, the basis of the Safari web browser. Sophos warns this could lead to unauthorised code being executed. Although none of these exploits have been found in the wild so far, owners of older Apple devices are still potentially vulnerable. "If you were looking for an excuse to upgrade your iPhone or iPod touch, maybe you've just been given a good one by Apple," says Cluley. "But if you were happy with your iPhone 3G, I doubt you're feeling too good about having to reach into your pocket." [Via Computer Weekly]