Monthly Archives: April 2013

Viber app vulnerable to security flaw.

Experts from security firm Bkav have identified a vulnerability in Viber – the popular application that allows users to make calls, send text messages and photos for free. The security hole could be exploited to bypass the lock screen on Android smartphones and gain full access to the device. According to the figures from Viber’s website and Google Play, as many as 100 million users might be impacted by the issue.

The attack works in three main steps:
1- Send a Viber message to the victim.
2- Make the Viber keyboard appear on the targeted device by performing some actions with message pop-ups.
3- Once the keyboard has appeared, a missed call must be created or the “Back” button must be pressed.

At that point the lock screen should be unlocked, giving the attacker complete access to the vulnerable device.

Oracle’s April Critical Patch Update contains 128 patches.

On April 16, Oracle closed 128 security holes across its whole range of products. Two of the vulnerabilities addressed by these patches are rated with the highest severity, a score of 10 under CVSS2. These two vulnerabilities affect the Workload Manager in Oracle’s 11g Database Server (CVE-2013-1534) and the JRockit JVM in the company’s Fusion Middleware (CVE-2013-2380). Because of the threat posed by the holes, Oracle recommends that customers apply the Critical Patch Update fixes as soon as possible. Oracle’s Database Server, in both the 10g and 11g versions, is affected by four vulnerabilities in total; aside from the hole in Workload Manager with a score of 10, the other three vulnerabilities have a CVSS2 score of 5. All of these vulnerabilities are remotely exploitable without authorization.

‘Magic’ code in new trojan found.

A trojan that uses an authentication code to communicate with its command-and-control (C&C) server has tainted thousands of organizations around the globe, primarily companies in the U.K. Seculert, an advanced threat detection firm, posted the findings Wednesday about malware called “Magic” on its blog. The company discovered that the trojan – capable of setting up a backdoor to download additional malware, stealing data and injecting HTML into users’ browsers – had remained undetected on victims’ machines for the past 11 months. So far, some of Magic’s malicious capabilities, such as installing more advanced malware, haven’t been used, leading researchers to believe that the attackers are merely in a reconnaissance phase but potentially setting the stage for a “much broader attack,” the blog post said.

Massive brute force attacks against WordPress sites

Hosting providers around the world are seeing a massive increase in brute force attacks against WordPress and Joomla sites. Attackers are looking to gain access to and compromise accounts, but failing that, they are slowing down their targets or even rendering them unavailable as they exhaust the sites’ resources. Melbourne Server Hosting is reporting that it has seen signs of increased attempts over the past 48 hours, while Immotion Hosting has noted that they are coming from a large number of IP addresses spread across the world. This would suggest the attackers are using a botnet to break in.

Microsoft rolls back ‘Blue Screen of Death’ patch

Microsoft has pulled the plug on a buggy security update released as part of Patch Tuesday earlier this week. The issue first came to light a couple of days ago when some PCs in Brazil were rendered unbootable after installing update 2823324. Microsoft has since addressed the issue in a post on TechNet. In it, Microsoft said they stopped pushing the update in question as a precaution when they began investigating error reports. The issue has to do with the update conflicting with certain third-party software, Microsoft said.

Android users could hijack airplanes with a new app

A security consultant has demonstrated how a specially developed Android app can be used to take control of a commercial aircraft. Presenting at the Hack in the Box security forum in Amsterdam, Hugo Teso showed how an app he has developed can extract important information from aircraft systems, and can even be used to control the aircraft, either by uploading a new flight plan or by remotely adjusting the plane’s steering wheel. Trained as a commercial pilot, Teso says that several systems on planes are unencrypted and insecure, and that once he had access to these systems he could control the plane once it was put into auto-pilot mode. Luckily for the unsuspecting passengers and crew, he also loses control once the pilot switches back to manual controls.

Skype a medium for Bitcoin malware

Kaspersky Lab’s researchers have identified a spam message campaign on Skype that spreads a piece of malware with Bitcoin mining capabilities. Bitcoin is a decentralized digital currency based on an open-source, peer-to-peer internet protocol. It is currently trading at over $130 per unit, making it an attractive investment for legitimate currency traders, but also for cybercriminals.

Sophos fixes vulns in its Web security appliance

Security firm Sophos has asked that its customers install version 3.7.8.2 of the Web Protection Appliance immediately. At the end of February, staff at security firm SEC Consult discovered vulnerabilities in the product’s web-based user interface. Sophos has closed the security holes in the latest version. The vulnerabilities allow attackers to harvest sensitive data such as passwords and session cookies and provide access to private certificate keys.