vulnerability
Latest
Security firm claims to have hacked Chrome's sandbox
It didn't manage to do it during the most recent Pwn2Own challenge, but VUPEN Security is now claiming that it has finally managed to hack Google's Chrome browser and crack its so-called "sandbox." According to the firm, the exploit relies on some newly discovered zero day vulnerabilities, works on all Windows operating systems (and only Windows, apparently), and could give malicious websites the ability to download code from a remote source and execute it on a user's computer -- the video after the break shows an example, in which the Windows Calculator application is downloaded and run automatically. For its part, Google says it has been unable to confirm the hack since VUPEN hasn't shared any details with it -- something the firm apparently doesn't plan to do, as it says it only shares its vulnerability research with its "government customers for defensive and offensive security."
HTC Surround users getting NoDo, Samsung Omnia 7 and Focus owners sticking to scissors and glue
Despite Microsoft overcoming some initial hurdles with NoDo's rollout, its latest round of updates suggest Windows Phone is taking one step forward (and two steps back) with delivering copy / paste functionality to everyone. As encouragement, the company began delivering NoDo for HTC's Surround today -- which we're really hoping doesn't necessitate a follow-up story. Meanwhile, rollouts to Samsung's Omnia 7 are on hold due to technical issues, and some Focus owners aren't receiving the update properly, supposedly due to different supplies of flash memory. In both cases, MS insists it's working on a solution. Lastly -- just when you'd thought we'd covered all the Windows Phone news fit to publish -- Microsoft is releasing an important security update which corrects digital certificates that may be used to spoof provider content. Let's just hope the vulnerability can be fixed without that much fanfare.
Skype for Android update adds US 3G calling, fixes personal data hole
Verizon Android users have had 3G Skype calling since this time last year, but the latest app release -- v1.0.0.983 for those of you keeping tabs -- brings 3G calling to the masses, without the need for a VZW-sanctioned app. The update also patches a rather significant security hole discovered last week, which could let third-party apps get hold of your personal information. We're glad to see that's no longer the case, and who's going to object to free calling as part of the deal as well? Make sure your phone's running Android 2.1 (2.2 for Galaxy S devices) and head on over to the Android Market to get updated.
Skype acknowledges Android privacy vulnerability, says it's 'working quickly' on a fix
The results were certainly tough to deny, and now Skype has come forward and acknowledged that there is indeed a rather serious vulnerability in Skype for Android that could let malicious third-party applications access your personal information. Unfortunately, it's not offering much else in the way of help just yet, with it saying only that it is "working quickly" to protect folks from the vulnerability, and that they should simply be cautious of third-party apps in the meantime.
Skype for Android vulnerable to hack that compromises personal info
If you didn't already have enough potential app privacy leaks to worry about, here's one more -- Android Police discovered that Skype's Android client leaves your personal data wide open to assault. The publication reports that the app has SQLite3 databases where all your info and chat logs are stored, and that Skype forgot to encrypt the files or enforce permissions, which seems to be a decision akin to leaving keys hanging out of the door. Basically, that means a rogue app could grab all your data and phone home -- an app much like Skypwned. That's a test program Android Police built to prove the vulnerability exists, and boy, oh boy does it work -- despite only asking for basic Android storage and phone permissions, it instantly displayed our full name, phone number, email addresses and a list of all our contacts without requiring so much as a username to figure it out. Android Police says Skype is investigating the issue now, but if you want to give the VoIP company an extra little push we're sure it couldn't hurt.
Adobe finds another 'critical' flaw in Flash, Steve Jobs smiles smugly
Hey, guess what? Adobe has found yet another serious security flaw in Flash. We can already hear the iOS fanboys warming up their commenting fingers. The vulnerability affects all platforms, including Android, though only attacks on Windows have been seen in the wild so far. Just like last month's exploit, this one is spreading via malicious .swf files embedded in Office documents, only this time it's Word instead of Excel being targeted (a hacker's gotta keep it fresh, after all). Once again Reader and Acrobat are also vulnerable, but attacks can be thwarted using Reader's Protected Mode. When exactly Adobe plans on plugging this hole is anyone's guess, so when a deposed Nigerian prince tells you about the fabulous sum of money he'd like you to transfer, you'll have yet another reason not to open the Office attachments in his email.
Google patches Flash vulnerability in Chrome, leaves other browsers hanging
Remember that massive security vulnerability that Adobe identified in its Flash Player, Acrobat and Reader software? Well, shockingly enough, it hasn't yet taken over the internet and ground productivity to a halt, but Google's been proactive about it and patched the flaw by itself. Of course, the fix applies only to its own Chrome web browser, Firefoxes and Internet Explorer types will have to wait for Adobe's fix, which is expected any minute now. Still, it's good to know someone's looking out for the security of our data, even if that someone already has access to most of it anyway.
RIM issues PSA following Pwn2Own exploit: turn off JavaScript on your BlackBerry
It's not just desktop web browsers getting hacked at this year's Pwn2Own challenge -- mobile browsers have also been targeted for vulnerabilities, and a fairly big one has now been found in RIM's browser for BlackBerry OS 6. Apparently, there's a JavaScript-related bug that could let a "maliciously designed" website gain access to data stored on both the phone's media card and built-in storage, but not data stored in the storage portion for applications (such as email or contact information). For its part, RIM says that it hasn't actually seen any evidence of anyone exploiting the vulnerability, but it's nonetheless urging folks to disable JavaScript on affected devices, and it's now busy providing IT departments everywhere with guidelines on how to do so. If that proves to be complicated, it's suggesting that you simply disable the BlackBerry Browser altogether until it can be patched.
Adobe finds 'critical' security hole in Flash Player, won't fix it before next week
Oh, here we go again. Adobe's kicked out a security bulletin for users of its Flash Player on "all platforms" -- that'll be the entire population of the internet, then -- warning them that a new critical vulnerability has been discovered that may cause crashes and potentially permit the hijacking of systems. The issue also affects the company's Reader and Acrobat software products. Even better news is that Adobe has found it's being actively exploited "in the wild" via a .swf file embedded in an Excel spreadsheet, but a fix won't be forthcoming until the beginning of next week. So, erm, enjoy your full web experience until then!
Security firm warns lack of iOS 4.3 update leaves iPhone 3G vulnerable
Security company Sophos is warning iPhone 3G and older iPod touch owners that their devices could be vulnerable to attack following Apple's decision not to make the iOS 4.3 update available to them. In addition to AirPlay improvements and iTunes Home Sharing, the iOS 4.3 update fixes a number of security holes, but it's only available for the iPhone 3GS, iPhone 4, the iPad and more recent iPod touch models. "[I]f you have an earlier iPhone or iPod touch your device is probably vulnerable to attacks which exploit these security holes, and there is no official patch available for you to protect yourself. That's bad news for the many people who still have an iPhone 3G, for instance," says Graham Cluley, senior technology consultant at Sophos. The security fixes are detailed in an Apple knowledgebase article. They protect against maliciously-crafted TIFF image files, which could be used to run malicious code on your device, as well as fixing many memory corruption issues in WebKit, the basis of the Safari web browser. Sophos warns this could lead to unauthorised code being executed. Although none of these exploits have been found in the wild so far, owners of older Apple devices are still potentially vulnerable. "If you were looking for an excuse to upgrade your iPhone or iPod touch, maybe you've just been given a good one by Apple," says Cluley. "But if you were happy with your iPhone 3G, I doubt you're feeling too good about having to reach into your pocket." [Via Computer Weekly]
Microsoft rolls out long, long-awaited Windows update to disable AutoRun for USB drives
It's already changed the behavior in Windows 7, and Microsoft has now finally rolled out an update for earlier versions of Windows that prevents a program from executing automatically when a USB drive is plugged into a PC. That behavior has been blamed for the spread of malware in recent years -- including the infamous Conficker worm -- and Microsoft had actually already made it possible to disable the functionality back in November of 2009, albeit only through an update available from its Download Center website. It's now finally pushed the update out through the Windows Update channel, though, which should cause it to be much more broadly deployed (particularly in large organizations). As explained in a rather lengthy blog post, however, Microsoft has decided to simply make it an "important, non-security update" rather than a mandatory update, as it doesn't technically see AutoRun as a "vulnerability" -- it was by design, after all. That means you'll have to look for the option in Windows Update and check it off to install it -- if you choose, you can also re-enable it at anytime with a patch.
Google's paying $20,000 to hack Chrome -- any takers?
So far, Chrome is the only browser of the big four -- Safari, Firefox, and Internet Explorer being the other three -- to escape the Pwn2Own hacking competition unscathed the past two years. (Sorry Opera aficionados, looks like there's not enough of you to merit a place in the contest... yet.) Evidently, its past success has Google confident enough to pony up a cool $20,000 and a CR-48 laptop to anyone able to find a bug in its code and execute a clean sandbox escape on day one of Pwn2Own 2011. Should that prove too daunting a task, contest organizer TippingPoint will match El Goog's $10,000 prize (still $20,000 total) for anyone who can exploit Chrome and exit the sandbox through non-Google code on days two and three of the event. For those interested in competing, Pwn2Own takes place March 9th through 11th in Vancouver at the CanSecWest conference. The gauntlet has been thrown -- your move, hackers.
Android 2.3 security bug shows microSD access vulnerability
A researcher at North Carolina State University is warning of an Android 2.3 security vulnerability that gives attackers access to your personal information, further proof that Gingerbread isn't all sugar and spice (to be fair, that SMS issue has since been remedied). According to Xuxian Jiang, the bug allows malicious websites to access and upload the contents of a user's microSD card, including voicemails, photos, and online banking information to a remote server. The flaw apparently resembles a similar bug in previous version of Android, thought to have been addressed with Gingerbread. However, as Jiang points out, that fix is easily bypassed. Apart from removing the microSD card, disabling JavaScript, or switching to a third-party browser, Android 2.3 users have little recourse in squashing the bug. The folks at eWeek reported that Google is working on a solution to the problem, but there's no word on when we can expect to see an update.
Two arrested for iPad security breach
Two arrests have been made connected to the security breach that exposed thousands of iPad users' email addresses and other info last year. Daniel Spitler and Andrew Auernheimer (yeah, that guy again) have been taken into custody and charged with conspiracy to access a computer without authorization and fraud, for allegedly using a custom script (built by Spitler) called iPad 3G Account Slurper to access AT&T's servers, mimic an iPad 3G, and try out random ICC identifiers. Once a valid ICC was found, one could harvest the user's name and email address. Of course, the hackers maintain that this was all done to force AT&T to close a major security flaw, and we'll be interested to see what exactly the company does to make things right.
Dell Streak's pre-rooted Android 2.1 update quietly suspended, revision coming in two or three weeks
Ruh roh. Looks like Dell's stepped onto its own toes real hard with the Streak's Android 2.1 update -- O2 just confirmed to us that due to some "feedback from users," it's decided to suspend said download while Dell gets cranking on a revised software release over the next two or three weeks. We weren't given the exact reasons behind this quiet withdrawal, but our friends over at MoDaCo might have had the answer for some time -- soon after the release, they discovered that the 2.1 firmware was in fact pre-rooted, thus leaving the Streak vulnerable to unauthorized access and modification (although handy for the seriously tech-minded). Yikes. On the bright side, such substantial time frame suggests that the upcoming fix should also address other bugs like incompatibility with the desktop suite, weird loading behavior in the browser, and missing WMV video playback functionality. And here comes the inevitable question: what about Froyo? Well, neither Dell nor O2 could provide a date for the Streak's scoop of frozen dessert, but we'll bet you a white iPhone 4 that it won't be out in October.
Researcher will enable hackers to take over millions of home routers
Cisco and company, you've got approximately seven days before a security researcher rains down exploits on your web-based home router parade. Seismic's Craig Heffner claims he's got a tool that can hack "millions" of gateways using a new spin on the age-old DNS rebinding vulnerability, and plans to release it into the wild at the Black Hat 2010 conference next week. He's already tested his hack on thirty different models, of which more than half were vulnerable, including two versions of the ubiquitous Linksys WRT54G (pictured above) and devices running certain DD-WRT and OpenWRT Linux-based firmware. To combat the hack, the usual precautions apply -- for the love of Mitnick, change your default password! -- but Heffner believes the only real fix will come by prodding manufacturers into action. See a list of easily compromised routers at the more coverage link.
iPad still has a major browser vulnerability, says group behind AT&T security breach
You know that tiny little security snafu that allowed over a hundred thousand iPad users' email addresses out? The one that the FBI felt compelled to investigate? Well, Goatse Security -- the group that discovered that particular hole (stop laughing) -- isn't best pleased to be described as malicious by AT&T's response to the matter, and has requited with its own missive to the world. Letting us know that the breach in question took "a single hour of labor," the GS crew argues that AT&T is glossing over the fact it neglected to address the threat promptly and is using the hackers' (supposedly altruistic) efforts at identifying bugs as a scapegoat. As illustration, they remind us that the iPad is still wide open to hijacking thanks to a bug in the mobile version of Safari. Identified back in March, this exploit allows hackers to jack in via unprotected ports, and although it was fixed on the desktop that same month, the mobile browser remains delicately poised for a backdoor entry -- should malevolent forces decide to utilize it. This casts quite the unfavorable light on Apple as well, with both corporations seemingly failing to communicate problematic news with their users in a timely manner.
Adobe releases patch for 'critical' Flash vulnerability
As promised, Adobe has now released an update to Flash that fixes the critical vulnerability discovered earlier this month that could allow your computer to be remotely hijacked. The update naturally covers Windows, Mac and Linux users (and even Solaris, for that matter), and is recommended for anyone running Flash Player 10.0.45.2 or earlier -- the update will also, of course, bump you up to Flash 10.1 if you haven't made the jump already. Adobe AIR users are also advised to upgrade to the latest version released today but, as reported earlier, Adobe Acrobat and Reader users will still have to wait a bit for their fix -- while they're also affected by the vulnerability, they won't be getting an update until the end of the month. Update: Those not able (or willing) to upgrade to Flash 10.1 can also get a patched version of Flash Player 9 right here.
Adobe promises fix for Flash vulnerability by tomorrow, Reader and Acrobat fix on June 29th
Well, it looks like Adobe isn't wasting much time in fixing that "critical" Flash vulnerability that could allow remote hijacking of a user's computer, but it's a slightly different story when it comes to patching Adobe Acrobat and Reader. According to Adobe, the Flash fix will be rolled out by tomorrow at the latest, but it says the fix for Reader and Acrobat won't be available until June 29th. Somewhat curiously, Adobe says it had considered rushing out a "one-off 0-day" fix for Reader and Acrobat as soon as possible, but says that would have caused too much "churn and patch management overhead on our users" considering there's already a regular quarterly update scheduled for July 13th. So, instead, Adobe has decided to push that update up to June 29th and simply include the fix for the vulnerability with it. In the meantime? Stay frosty, we guess.
New issues with Adobe Flash, Google search links could compromise your account
We have news of two new tricks hackers are currently using to steal WoW accounts. First, from Curse, comes news of a Google sponsored link that claims to lead to the popular addon manager Curse Client, but instead leads to a malware download. To be absolutely safe, you should always only download the client from http://www.curse.com/client. In addition, Blizzard is warning that Adobe Flash version 10.0.45.2 contains a critical vulnerability that could be used to install a keylogger on your computer in order to steal your WoW account info. You can avoid this issue by installing Adobe Flash version 10.1 Release Candidate 7, which does not appear to have the same vulnerabilities.
