Tag Archive | Vulnerability

Vulnerability: Samsung-branded Android Phones Allow Bypass of Lock Screen

A vulnerability was recently found in Samsung mobile Android devices running OS version 4.1.2 that gives an attacker (an unauthenticated user) the ability to circumvent the screen lock and view the home screen. It can also give them the ability to run apps, send arbitrary messages to contacts, rack up illegitimate phone services, and so on. It could also lock the original user out of the device.

Terence Eden posted a video about the Galaxy Note II:

This isn’t the first time we’ve seen flaws on Samsung-branded Android smartphones. Before this, kernel trouble was the topic, where attackers can gain easy access to the Android kernel in some Samsung devices.


Adobe Flash Player Critically Affected Again! Two Bugs Resolved!

Adobe has published another update, fixing three vulnerabilities. Two of the three are currently being exploited in the wild.

Adobe introduced the Flash Player sandbox for Firefox a year ago to protect Firefox users from vulnerabilities in Flash Player. That sandbox is now being actively targeted by attacks.

“Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content,” the company wrote in a security bulletin.

Adobe gives the update a priority rating of 1 for Windows and Mac (which means super-critical: PATCH NOW!) and 3 for Linux (not as critical).

Google patches the Chrome browser automatically. Microsoft patches Internet Explorer 10 on Windows 8 automatically (note that Internet Explorer 10 on Windows 7 has to be patched by you).

The following issues are resolved:

  • Permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643)
  • ExternalInterface ActionScript feature (CVE-2013-0648)
  • Buffer overflow in Flash Player broker service (CVE-2013-0504)

Update link for Windows and Mac

Update link for all other versions

To see version information about Flash Player or what browser/OS you’re running, check out the following.

Remember, when updating, UNCHECK McAfee | Security Scan Plus, unless you really want to scan your computer. It is pre-checked, so you have to uncheck it.


Recent Hacks: NBC.com, Twitter, and Zendesk – Warnings: Tumblr, Pinterest

We have just dealt with multiple attacks on several sites, including Apple, Facebook, and Twitter, all of them Java exploits. Now it’s time to deal with more hacks, including NBC.com (which has been serving up malware for a day now) and Twitter. Recent reports say Tumblr and Pinterest have also been forewarned.

The latest high-profile organization to be hacked is the National Broadcasting Company (NBC), specifically its website. The hackers’ idea is to use the website to infect visitors, using exploits and injected JavaScript.

NBC.com’s hacked pages were modified to include an additional HTML element, the IFRAME (inline frame). An iframe embeds a separate document inside the page, and it can be as small as 1px x 1px so the visitor never sees it, while the embedded document carries malicious code. Frames are a legitimate way to host web content in HTML. But in the hands of the evildoers, aka cybercriminals, they are used to launch malware campaigns.

Malicious JavaScript was added to the mix, along with the exploit kit called RedKit, which delivers one of two exploit files to try to take control of your browser.
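As an added illustration (not NBC’s pages and not any vendor’s tool), here is a small scanner that flags the kind of injected frame described above: iframes that are 1px x 1px, hidden by CSS, or loaded from a host other than the site’s own. The HTML sample is constructed for the example and `attacker.invalid` is a placeholder host, not a real indicator from the incident.

```python
"""Added example: flag hidden or tiny <iframe> elements injected into a page.

Illustrative detection logic only; the HTML below is a constructed sample and
attacker.invalid is a placeholder host, not an indicator from the NBC.com case.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed plus two injected-looking frames.
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<iframe src="https://www.example.com/video/embed" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/go.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/local/widget" style="display:none"></iframe>
</body></html>
"""


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or '100%' into an int (None if unknown)."""
    if value is None:
        return None
    value = value.strip().lower().rstrip("px")
    return int(value) if value.isdigit() else None


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def suspicious_reasons(attrs, site_host):
    """Return the reasons an iframe looks like an injected drive-by frame (empty if none)."""
    reasons = []
    src = attrs.get("src") or ""
    host = urlparse(src).hostname
    width, height = _px(attrs.get("width")), _px(attrs.get("height"))
    if width is not None and height is not None and width <= 1 and height <= 1:
        reasons.append("tiny frame (1x1 or smaller)")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    if host and host != site_host:
        reasons.append(f"off-site source {host}")
    return reasons


def find_suspicious_iframes(html, site_host):
    """Scan an HTML document and return (src, reasons) for each suspicious iframe."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = suspicious_reasons(attrs, site_host)
        if reasons:
            findings.append((attrs.get("src") or "", reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, "->", "; ".join(reasons))
```

Run against a crawl of your own pages, the "hidden via CSS" and "tiny frame" checks catch the injection style described here even when the off-site host changes; a same-origin hidden frame (the third sample) still gets flagged so an analyst can check whether it belongs there.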

I recognized something was wrong with NBC.com, which may have already been hacked a few weeks ago, and I posted the information on my Twitter account that a downloaded file was sent to my browser asking me to save or open it. This was on a sister site/blog, RedTape. I asked people to replicate it. The Twitter status can be found here.

What type of malware was delivered? Citadel or ZeroAccess, both of which are crimeware families with their own botnets. They are usually distributed by several exploit kits.

This drive-by download situation is no good, and the affected pages were taken offline, which dropped the traffic to those specific areas of the site. It is clear that this is a matter of cybercrime aimed at financial gain, not defacement or pranks.

Was it a big deal that it was NBC? No. In fact, the hackers were clearly aiming for a high-profile site, and apparently NBC.com was the easiest or quickest to get into. Hackers rely on timing and many other factors when choosing their approach.

Zendesk hacks and other various warnings

Zendesk is all about customer support, so hardly anyone outside the customer support business has heard of it. Big names use the service, including Tumblr, Twitter, and Pinterest, among others. Hackers broke into Zendesk’s systems and accessed email addresses held for those big-name customers, namely Twitter, Tumblr, and Pinterest.

How “pinteresting” that yet another hack related to a social network has been born. Zendesk detailed the hack:

We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.

The companies involved made a point of telling their customers that they themselves had not been hacked, even though private information was stolen. Luckily, no passwords were taken.

Obviously, an incident like this, just like the NBC.com incident, needs to be taken very seriously. Something must be done to stop the continuous hacks.

Twitter hacks are nothing new either. Many times, hackers have used a backdoor, such as the tools the support team uses, to get at the information of Twitter users. It’s not a huge gain; more likely a waste of time.

Adobe Releases Emergency Patch for Adobe Reader

Adobe has released its emergency patch after nearly ten days of events around a zero-day vulnerability that was originally reported by FireEye in a blog post.

The FireEye blog stated the following:
“Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.”

After that was published, the FireEye researchers sent the bug report and a sample to Adobe. Soon after, Adobe released a notification acknowledging the problem.

Eventually, this past weekend, Adobe said a patch would be available next week. Well, it’s here.

Adobe released its patch yesterday to remediate the situation.

According to Adobe, the following versions are now available:

  • Users of Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Reader XI (11.0.02).
  • For users of Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader X (10.1.6).
  • For users of Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader 9.5.4.
  • Users of Adobe Reader 9.5.3 and earlier 9.x versions for Linux should update to Adobe Reader 9.5.4.
  • Users of Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.02).
  • Users of Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh should update to Adobe Acrobat X (10.1.6).
  • Users of Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh should update to Adobe Acrobat 9.5.4.


Zero-Day Java Exploit Affects Facebook

After all of the latest attacks on government, corporate, and social networking organizations, Twitter being the most recent, it appears Facebook has had its share this year too.

Facebook revealed yesterday that it was hit in January by an unidentified group of hackers; however, no user information was compromised during the attack.

Here is a snippet from the note issued:

Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.

Facebook also said that following up on suspicious domains in its logs revealed a zero-day Java exploit, along with several vulnerabilities in the Java sandbox. The findings were provided to Oracle, which shipped patches for the specific vulnerabilities found.

The company also stated, “We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future.”

Other websites were also affected, and the computers affected at Facebook were fully patched and clean before the attack.

Two Zero-Day Bugs Found in Adobe Flash Player; Fixed with Update

Recently, two zero-day vulnerabilities were found in Adobe Flash Player, and today Adobe issued an emergency update to fix them. Adobe said in its advisory that one of the vulnerabilities, CVE-2013-0634, is being exploited in the wild.

The currently exploited vulnerability is delivered via malicious Flash content hosted on sites that target Flash Player in Firefox or Safari on the Mac OS platform. There are also attacks aimed at Windows users that trick them into opening a Microsoft Word document delivered as an email attachment. No surprise?

The second flaw, CVE-2013-0633, is also being exploited in the wild in targeted attacks, likewise using malicious Microsoft Word documents sent as email attachments.

Updates are available for the following platforms:

  • Windows, 11.5.502.149, download
  • Macintosh, 11.5.502.149, download
  • Linux, 11.2.202.262, download
  • Android 4.x, 11.1.115.37, download
  • Android 2.x-3.x, 11.1.111.32, download
  • Google Chrome, 11.5.31.139, automatic update
  • Internet Explorer 10, Windows 8, 11.3.379.14, automatic update

To see version information about Flash Player or what browser/OS you’re running, check out the following.

Remember, when updating, UNCHECK McAfee | Security Scan Plus, unless you really want to scan your computer. It is pre-checked, so you have to uncheck it.



Passwords are Losing Trust; Hello Fingerprints, Hashes, Unique Codes

One of the biggest vulnerabilities in computer security is the password. Let’s face it: something’s got to give! What exactly will it take to authenticate somebody with their own personal information or data without it being discovered or hacked?

Many companies are attempting to change the way users authenticate themselves. The best example is Google’s 2-step authentication. It lets a user log into their Google account as normal from their usual browser or app; however, whenever they log in from anywhere else, it requires a separate, named access code issued for that login.

Google has come up with other ideas, such as a finger ring with an embedded smartcard, or using a smartphone to authorize a new device or computer being added to your account.

More companies are attempting hardware-based authentication. Most of them only have prototypes and are waiting for the chance to beta test them. Measures of this kind are generally called security tokens or hardware tokens.

A PIN or password is usually needed for devices, right? Beyond that, the type of device determines what other forms of authentication are needed in addition. For example, a one-time password may be in order, similar to the Google access code as a second step in authentication, which would be too hard to hack. Others would use a challenge code, which proves that you’re a human present at the device rather than a hacker or robot on a different network trying to break in.

Many network authentication proposals would only allow a specific IP address to reach the login section or enter a password. Some require a smart card or a fingerprint. All of these are good ways to make authentication more physical and legitimate.
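The one-time-password second step mentioned above, as an added example that is not part of the original post and is not Google’s own code: it implements the standard HMAC-based (RFC 4226) and time-based (RFC 6238) one-time password algorithms that authenticator apps use, with the RFC 4226 test-vector key standing in for a user’s shared secret, and a verification routine that tolerates one step of clock drift and compares codes in constant time.

```python
"""Added example: a one-time password (OTP) second factor of the kind the post
describes, built on the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms.

Not Google's code. The shared secret below is the RFC 4226 test-vector key
("12345678901234567890"), used here only so the results are checkable.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed shared secret, base32-encoded as authenticator apps expect.
SHARED_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, submitted, at_time, step=30, window=1, digits=6):
    """Accept the code for the current step or up to `window` steps either side.

    The window absorbs clock drift between the server and the user's device;
    hmac.compare_digest avoids leaking which digits matched through timing.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(at_time) // step
    accepted = False
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, counter + drift, digits)
        # Evaluate every candidate so the loop's timing does not reveal the match position.
        accepted |= hmac.compare_digest(expected, submitted)
    return accepted


if __name__ == "__main__":
    now = time.time()
    code = totp(SHARED_SECRET_B32, now)
    print("current code:", code, "verifies:", verify_totp(SHARED_SECRET_B32, code, now))
```

A real deployment would also record the last accepted counter per user so a code cannot be replayed inside its window, and would rate-limit verification attempts, since a six-digit space is small against unlimited guessing.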

Proving possession is everything in the computer security world now, yet this type of authentication has been proposed for at least ten years. It’s time to get serious about authentication and develop better solutions. This is the call to action.
