Monthly Archives: February 2014

Apple iOS bug puts iPhones and iPads at risk

Security researchers have discovered a new flaw in Apple’s iOS that could expose every action the user takes to a third party, even down to each letter and number typed. A team from security company FireEye have outlined how they were able to get an app onto iOS 7 devices such as iPads and iPhones that would monitor every single tap of the screen and broadcast that information to any remote server. Such information would potentially give hackers access to every single SMS, email and written note as the location of the screen presses gives away which button is being pressed on the virtual keyboard. The app can also record every home button press, changes of volume and TouchID fingerprint scanner use. Researchers claim that the attack is only at the “proof-of-concept” stage and there is no evidence that it has been used outside of a lab. And the group have informed Apple of their work and claim to be “collaborating on the issue”. The attack works on even the latest version 7.0.4 of iOS and on non-jailbroken iPhones. <more>

Wi-Fi ‘virus’ could be used to attack wireless access points

Researchers from the University of Liverpool have demonstrated that a computer virus can spread through Wi-Fi access points between homes and businesses just like the common cold spreads from one human to another. The researchers have performed an experiment in a laboratory setting with the aid of the Chameleon virus, which uses a WLAN attack technique to infect access points and collect the credentials of all Wi-Fi users who connect to it. Then, it seeks out other access points, connects to them and infects them. The main issue highlighted by the researchers is the fact that many Wi-Fi access points are unprotected, allowing viruses like Chameleon to spread without difficulty. In their experiment, researchers simulated an attack on the cities of Belfast and London. While the virus can’t spread via access points protected by encryption and passwords, it relies on ones that are not protected, like the ones in airports and coffee shops. “WiFi connections are increasingly a target for computer hackers because of well-documented security vulnerabilities, which make it difficult to detect and defend against a virus,” said Alan Marshall, professor of Network Security at the University of Liverpool and one of the authors of the research paper. <more>

Adobe releases another emergency update for Flash

Adobe has released an emergency update for its widely used Flash Player to combat active attacks that exploit a previously unknown security bug that hackers are actively exploiting to surreptitiously install malware on end-user computers. The vulnerability, which affects the latest versions of Flash, was being exploited in drive-by attacks on the websites of at least three nonprofit organizations, according to a blog post published Thursday by researchers from security firm FireEye. <more>

Microsoft delivers ‘Fix it’ solution for IE10 attacks

Microsoft has finally issued a security advisory addressing the IE zero-day that has been recently actively exploited in attacks in the wild, and has followed with a Fix it tool to temporarily mitigate the issue until a patch is released. This zero-day is a remote code execution vulnerability, which may corrupt memory and allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. The vulnerability is easily triggered, and requires the targets to simply visit a specially crafted website hosting the exploit, or websites that accept or host user-provided content or advertisements that could exploit the vulnerability. It’s only a matter of luring users to such a site. <more>

Critical IE vulns addressed in Feb’s Patch Tuesday

Microsoft has released 31 security fixes as part of its Patch Tuesday software update. These cover major products including Windows and Internet Explorer, as well as the firm’s .NET Framework and Forefront Protection for Exchange. Four of the updates are marked as critical and three as important. Dustin Childs, group manager for Microsoft’s Trustworthy Computing division, gave some more information in a blog post about the nature of the fixes, explaining that the issues with Internet Explorer were widespread. “This cumulative update addresses one public and 23 privately disclosed issues in Internet Explorer,” he wrote. <more>

DoS issue puts Apache Tomcat servers at risk

Apache Tomcat is a widely used Web server for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies are at risk due to denial-of-service issue. Recently, Security researchers published a proof-of-concept exploit for vulnerability that allows attackers to launch denial-of-service attacks against websites hosted on Apache Tomcat servers. The new denial-of-service vulnerability is located in Apache Commons FileUpload, a stand-alone library that developers can use to add file upload capability to their Java Web-based applications. This library is also included by default in Apache Tomcat versions 7 and 8 in order to support the processing of mime-multipart requests. The multipart content type is used when an HTTP request needs to include different sets of data in its body. <more>

Adobe releases critical 0-Day exploit patch for Flash

Adobe has released a patch for a critical flaw in its Flash Player, which is believed to have been actively exploited by hackers. The patch addresses a flaw prevalent in the Windows and Mac OS versions of Adobe Flash Player 12.0.0.43 and earlier, and Adobe Flash Player 11.2.202.335 and earlier in Linux. The vulnerability was originally discovered by Kaspersky Labs researchers on 3 February. The Kaspersky researchers warned that the vulnerability is being used by an advanced group of hackers to mount sophisticated attacks capable of bypassing most security tools. “During the past months we have been busy analysing yet another sophisticated cyber espionage operation, which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation ‘The Mask’,” read the research note. “The Mask is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customised attack against Kaspersky products. <more>

Firefox 27 fixes 13 security holes

Mozilla has addressed a total of 13 security vulnerabilities with the release of Firefox 27. The list includes four critical, four high, four moderate and one low-impact flaws. The critical vulnerabilities, which can be exploited to execute arbitrary code without user interaction, are a use-after-free during image processing, an issue with image decoding in RasterImage, a crash when terminating a web worker running asm.js code, and miscellaneous memory safety hazards. The high-impact security holes are a cross-origin information leak through web workers, NSS ticket handling problems, and cloning protected XUL elements with XML Binding Language scopes. Boris Zbarsky, a Mozilla developer, has identified an inconsistency with the different JavaScript engines in the way they handle “window” objects. For additional details on the vulnerabilities fixed in Firefox 27, check out the vendor security advisories. <more>