Tag Archives: Vulnerability

‘Serialization’ vulnerability: 6 in 10 Android devices can be hijacked

If one day, you were asked by your dearly trusted Facebook Messenger app to log in because your session had expired, would you do that? If the answer is yes, you might have just shared your Facebook credentials with an impostor app disguised in, otherwise legit, Facebook Messenger app.

The post ‘Serialization’ vulnerability: 6 in 10 Android devices can be hijacked appeared first on Avira Blog.

Big Brother(s) Could be Watching You Thanks to Stagefright  

Earlier this week, security researchers unveiled a vulnerability that is believed to be the worst Android vulnerability yet discovered. The “Stagefright” bug exposes nearly 1 billion Android devices to malware. The vulnerability was found in “Stagefright”, an Android media library. Hackers can gain access to a device by exploiting the vulnerability and can then access contacts and other data, including photos and videos, and can access the device’s microphone and camera, and thus spy on you by recording sound and taking photos.

All devices running Android versions Froyo 2.2 to Lollipop 5.1.1 are affected, which are used by approximately 95% of all Android devices.

The scary part is that hackers only need your phone number to infect you. The malware is delivered via a multimedia message sent to any messenger app that can process MPEG4 video format – like an Android device’s native messaging app, Google Hangouts and WhatsApp. As these Android messaging apps auto-retrieve videos or audio content, the malicious code is executed without the user even doing anything – the vulnerability does not require the victim to open the message or to click on a link. This is unique, as mobile malware usually requires some action to be taken to infect the device. The malware could also be spread via link, which could be sent via email or shared on social networks, for example. This would, however, require user interaction, as the video would not load without the user opening  a link. This exploit is extremely dangerous, because if abused via MMS, victims are not required to take any action and there are neither apparent nor visible effects. The attacker can execute the code and remove any signs that the device has been compromised, before victims are even aware that their device has been compromised.

A cybercriminal’s and dictator’s dream

Cybercriminals can take advantage of the vulnerability to collectively spy on millions of people – and even execute further malicious code. Repressive governments could abuse the bug to spy on their own people and enemies. The vulnerability, however, could also be used for non-political spying. Hackers can easily spy on people they know, like their spouse or neighbour – all they need to know is their victim’s phone number. Hackers can also steal personal information and use it to blackmail millions of people, or use the data for identity theft. The possible consequences of this vulnerability need to be taken seriously.

Fixes are urgently needed

Now comprehensive fixes need to be provided by the phone’s manufacturers in an over-the-air (OTA) firmware update for Android versions 2.2 and up. Unfortunately, updates for Android devices have historically taken a long time to reach users. Hopefully, manufacturers will respond quicker in this case. On a positive note, Google has already responded. HTC told Time “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”

In the meantime, what can you do to protect yourself?

We recommend users disable “auto retrieve MMS” within their default messaging app’s settings, as a precautionary measure for the moment. We have put together step-by-step instructions on how you can disable auto retrieve for MMS in various Android messaging apps:

Messages App:

Step 1: Open the Messages app and click on the three dots in the upper right hand corner Messages app Step 2: Click on “Settings” in the dropdown menu Messages Settings Step 3: Click on “Multimedia messages” Messages settings Step 4: Uncheck “Auto retrieve” Messages settings Your Messages “Multimedia messages” settings should now look like this:

Messages settings Google Hangout

Step 1: Open the Google Hangout app and click on the three lines in the upper left corner Google Hangout settings Step 2: Click on “Settings” Google Hangout SettingsStep 3: Click on “SMS” Google Hangout settings Step 4: Scroll down to “Advanced” and uncheck “Auto retrieve MMS” Google Hangout settings Your Google Hangout “SMS” settings should now look like this: Google Hangout settings

Messenger App:

Step 1: Open the Messenger app and click on the three dots in the upper right hand corner Messenger 1 Step 2: Click on “Settings” in the dropdown menu Messenger 2 Step 3: Click on “Advanced” Messenger app settings Step 4: Uncheck “Auto retrieve” Messenger app settings Your Messenger “Advanced Settings” should now look like this: Messenger app settings

Messenger:

Step 1: Open the Messaging app and click on the three dots in the lower right hand corner Messaging app settings Step 2: Click on “Settings” Messaging app settings Step 3: Scroll down to “Multimedia (MMS) messages” and uncheck “Auto retrieve MMS” Messaging app settings Your Messaging “Settings” should now look like this: Messaging app settings

WhatsApp

Step 1: Open WhatsApp and click on the three dots in the upper right hand corner WhatsApp settingsStep 2: Click on “Settings” Whatsapp settingsStep 3: Click on “Chat Settings” Whatapp settings Step 4: Click “Media auto-download” Whatsapp settings   Step 5: Click “When using mobile data” and/or “When connected on Wi-Fi” Whatsapp settings Step 6: The “When connected on Wi-Fi” settings are automatically set to download videos, so it is important to uncheck the checkmark Whatsapp settings Step 7: The “When connected on mobile data” settings are NOT automatically set to download videos, but in case you did enable it, you should disable it Whatsapp settings Your WhatsApp “Media auto-download” should now look like this: Whatsapp settings

Cybersecurity and manufacturers: what the costly Chrysler Jeep hack reveals

As the cost of fixing security mistakes in Jeep Chrysler Dodge vehicles mounts, so does the need for manufacturers to weigh cybersecurity risks in the product development process, alongside features and benefits.

The post Cybersecurity and manufacturers: what the costly Chrysler Jeep hack reveals appeared first on We Live Security.

XSS Vulnerability In WordPress – Update Now

The guys from WordPress just released version 4.2.3 of their software, which is mostly a security update. They “strongly encourage you to update your sites immediately.“ To do so just visit your Dashboard, click on ‘Updates’ and then on ‘Update Now’. As mentioned above you’ll only have to update manually if, for whatever reason, you decided to disable the automatic updates.

According to their blog entry the newest version contains fixes for 20 bugs from 4.2. The page also says: “WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.“

And don’t forget: Since WordPress is definitely one of the most popular Content Management Systems and blogging platforms out there it remains an attractive target for cybercriminals – especially due to the huge user base. Administrators should always keep their WordPress installations (including addons and themes) updated and patch as soon as there are security updates available.

If you want to find out more about the dangers you could face as a blog administrator and get some advice which might help you to protect your page, take a look at Ange Albertini’s blog article concerning the topic.

The post XSS Vulnerability In WordPress – Update Now appeared first on Avira Blog.

New Study: 10 Out of 10 Smartwatches Vulnerable

A new study on the Internet of Things with focus on smartwatches released by HP revealed that of 10 smartwatches that were tested, all contain significant vulnerabilities and are a “risk that goes beyond the device”.

So what exactly are we talking about? According to the study (PDF) “the results of the research were disappointing, but not surprising.” There are deficiencies when it comes to authentication and authorization, privacy concerns, and problems with the implementation of SSL/TSL.

Their key takeaways are as following:

  • “Data collected initially on the watch and passed through to an application is often sent to multiple backend destinations (often including third parties)
  • Watches that include cloud interfaces often employed weak password schemes, making them more susceptible to attack
  • Watch communications are trivially intercepted in 90% of cases
  • Seventy percent of watch firmware was transmitted without encryption
  • Fifty percent of tested devices offered the ability to implement a screen lock (PIN or Pattern), which could hinder access if lost or stolen
  • Smartwatches that included a mobile application with authentication allowed unrestricted account enumeration
  • The combination of account enumeration, weak passwords, and lack of account lockout means 30% of watches and their applications were vulnerable to Account Harvesting, allowing attackers to guess login credentials and gain access to user account”

So yes, it’s basically the same cycle as with most of the ‘newer’ tech gadgets. They get released, there is a big hype, but security becomes only important after lots and lots of reports on hacks, vulnerabilities, and the inevitable bad press. Think nothing of it guys, everything is just the way it always was …

The post New Study: 10 Out of 10 Smartwatches Vulnerable appeared first on Avira Blog.

Adobe Flash zero-day vulnerabilities threaten your security

Last Friday, Adobe confirmed two new “critical” zero-day flaws in the Adobe Flash Player browser plugin 18.0.0.204 – and earlier versions – for Windows, Mac OS X, and Linux. Today, a third flaw was found. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages.

We recommend disabling Flash until the bugs are fixed. 

Three "critical" zero-day flaws in Adobe Flash Player discovered

Three “critical” Flash zero-day flaws in Adobe Flash Player discovered

Security experts say the two flaws were found in stolen files that were dumped earlier this month from Hacking Team, an Italian security firm that sells communication interception and surveillance software to governments around the world. The third one came from the same documents.

“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in their blog. “Depending on the privileges associated with the user account targeted, an attacker could install programs on the system, alter or delete data, create new accounts with similar user rights, or cause a denial-of-service.”

“Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015,” the blog said.

We recommend you do the following:

  • Remove or disable Flash until Adobe sends out a fix.
  • Once a patch is released by Adobe, update immediately.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Avoid visiting websites or following links provided by unknown or untrusted sources.
  • Avoid clicking on links contained in emails or attachments from unknown sources.

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Affected systems:

  • Adobe Flash Player 18.0.0.203 and earlier for Windows and Macintosh
  • Adobe Flash Player 18.0.0.204 and earlier for Linux installed with Google Chrome
  • Adobe Flash Player Extended Support Release 13.0.0.302 and earlier for Windows and Macintosh
  • Adobe Flash Player Extended Support Release 11.2.202.481 and earlier for Linux