Monthly Archives: May 2014

Android devices and routers over Wi-Fi under New Heartbleed attack

The Heartbleed attack that left encrypted data vulnerable to theft is still causing problems, according to a new report. Luis Grangeia, partner and security services manager at information security firm SysValue, claims to have found a new vector that leaves wireless routers and Android devices vulnerable to attack. Dubbed “Cupid”, the vulnerability theoretically lets attackers capture data transmitted between Android devices and Wi-Fi routers. Grangeia claims the attack uses the same procedure as Heartbleed, but it is carried out over Wi-Fi rather than the open web. Devices running Android 4.1.1 are already known to be vulnerable to Heartbleed, however Grangeia warns iOS and OSX may also be at risk from Cupid and that administrators should “test everything”. <more>

Microsoft warns against Windows XP security update hack

Microsoft has warned Windows XP users against using a hack that tricks the company’s servers into applying security patches to the now-unsupported operating system. The workaround first appeared on a forum website called Sebijk, which revealed how making a small change in XP’s registry will fool Microsoft’s upgrade servers into thinking they are applying security patches to newer versions of Windows. However, Microsoft has stressed that XP users exploiting the hack may encounter various problems and would not be fully protected. Microsoft said: “The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP.” It is not clear how long the update hack will remain usable now that Microsoft is aware of its existence. <more>

New IE 0-day details released

Hewlett Packard’s Zero Day Initiative has released information about a zero-day vulnerability in Internet Explorer 8 that empowers the attacker to remotely execute code. The bug was discovered by Peter ‘corelanc0d3r’ Van Eeckhoutte of the Corelan Team. ZDI disclosed the vulnerability to Microsoft in October, which confirmed it in February. In keeping with its policy at the time of giving vendors 180 days to patch, ZDI decided to release general details of the bug today to the public. That policy was changed in February to 120 days. “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer,” according to ZDI’s advisory. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of CMarkup objects,” ZDI continues. <more>

Facebook plans to offer free browser-based malware scanner

Facebook has announced plans to integrate anti-malware technologies from security firms Trend Micro and F-Secure into its services, in a bid to help spot and clean infected machines logging in to the service. Facebook software engineer Chetan Gowda announced that the company will offer the technologies to customers in a public blog post. “We’ve worked with F-Secure and Trend Micro to incorporate free anti-malware software downloads directly into our existing abuse detection and prevention systems,” explained Chetan Gowda. “When logging in from the infected device, you’ll see a notification screen about a malware infection, along with a recommendation to use F-Secure’s malware scanning and cleanup technology or HouseCall from Trend Micro.” Chetan Gowda said that people can choose to not use the services, but recommended that they heed Facebook’s malware warnings. <more>

Eight security updates in May’s Patch Tuesday

Microsoft released eight bulletins addressing 13 vulnerabilities in Internet Explorer, Windows, and Office as part of May’s Patch Tuesday update. Three of them are already being exploited in the wild, Microsoft said. While Microsoft did not release any patches for XP users, experts believe the issues affect the old operating system as well. Microsoft ended support for Windows XP last month, which means users no longer receive security patches for the old operating system. Enterprises who shelled out for extended support contracts will still receive updates. The Internet Explorer update (MS14-029) is the highest priority patch this month. It is different from other IE patches because this is not a cumulative patch, which means users must install last month’s cumulative IE update (MS14-018) before installing this patch. This month’s bulletin includes the out-of-band fix from earlier this month which fixed a zero-day vulnerability (CVE-2014-1776). <more>

Adobe fixes Acrobat, Reader, Flash and Illustrator

Adobe Systems released critical security updates for several products Tuesday in order to fix vulnerabilities that could allow attackers to take remote control of systems running the vulnerable software. The products that received security patches were Flash Player, the Adobe AIR SDK (software development kit) and Compiler for building rich Internet applications, Adobe Reader, Adobe Acrobat, and Adobe Illustrator for CS6 (Creative Suite 6). While security updates for Flash Player, AIR, Reader and Acrobat are released on a monthly basis, security patches for Illustrator, especially critical ones, are rare, the previous one being released two years ago. In a security advisory Adobe said that the new Illustrator hotfix addresses a vulnerability that could be exploited to gain remote code execution on the affected system, but didn’t specify how. The company recommends that users of Adobe Illustrator on Windows and Mac upgrade to the newly released 16.2.2 or 16.0.5 versions, depending on whether they’re on a subscription or not. The new Flash Player versions released Tuesday, for Windows and Mac and for Linux, fix a total of six vulnerabilities. <more>

Apple iOS 7.1.1 flaw bypasses lock screen

A researcher has discovered an exploit in iOS 7.1.1 that allows hackers to bypass the iPhone’s lock screen to send a text, email or call contacts simply by activating Siri. Egyptian neurosurgeon and part-time white hat hacker Shefif Hashim discovered the glitch earlier this week and posted a Youtube video detailing the steps of the iOS exploit. Hashim first tried and failed to unlock an iPhone 5S using its built-in fingerprint sensor, showing that the phone was locked. <more>

IBM kicks off new Cyber-Security services

IBM is offering organisations concerned about the risk of security breaches, attacks and data losses a software and services suite that mitigates against the impact of such incidents. The firm said that its Threat Protection System “disrupts threats”, and will limit data losses, an increasingly common occurrence that can harm reputations and lead to financial and business penalties. The system has a range of features and tools and IBM said that one part, the Critical Data Protection Program, would help organisations identify and manage their key data and weak points. <more>

IE security flaw patched by Microsoft, includes XP

Microsoft has released an emergency patch for Windows XP, 7 and 8.1, plugging a critical zero-day vulnerability in its Internet Explorer (IE) web browser that is known to be leaving one in four web users vulnerable to cyber attacks. The vulnerability was discovered by security firm FireEye at the end of April and is known to affect the IE6 to IE11 web browser versions. The vulnerability is particularly dangerous as it affects the older unsupported Windows XP as well as newer Windows 7 and Windows 8.1 versions of Microsoft’s operating system (OS). Microsoft officially ceased support for Windows XP on 8 April, warning users that they would no longer receive security updates for newly discovered vulnerabilities affecting the OS. <more>

Facebook announces Anonymous Login

Facebook has unveiled a new tool that lets users log in to apps anonymously so they do not have to share information from their profile. Currently many applications allow users to log in with their Facebook profiles. However, many web users are wary about this as they are forced to let their data be siphoned off before they know anything about the app. Facebook has attempted to counter these concerns with its Anonymous Login service, so people can log in with their Facebook account, but not share any data. Users can choose to sign in with their account in full at a later date. The firm said: “Anonymous Login lets people log in to apps so they don’t have to remember usernames and passwords, but it doesn’t share personal information from Facebook. People can decide later if they want to share any additional information, once they understand more about the app.” As well as introducing this functionality, Facebook also improved its normal login service, by giving users more control over the information they share with specific apps and other websites. <more>