As far back as September, security researchers discovered a "critical" bug in many HTC Android handsets that exposed users' WiFi credentials to any hacker who cared to look. The flaw affected recent devices like the Thunderbolt and EVO 4G all the way back to the Desire HD. The researchers promptly notified HTC, but the manufacturer waited a full five months before acknowledging the flaw publicly a few days ago. Sounds shady, perhaps, but HTC sent us a statement clarifying that this is standard policy to protect customers. It says it waited to develop a fix before it alerted the big bad world to the vulnerability. Most newer devices have already received their fix OTA, but owners of some older phones -- we'll update this post when we know exactly which ones -- will need to check the HTC Support site for a manual update next week. Meanwhile, in the manufacturer's defense, the guys at the Open1X group who discovered the bug say that HTC was "very responsive and good to work with." Here's HTC's statement to us:
"HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public."
Update: We changed our original headline to make it clearer that HTC deliberately kept quiet to protect its customers. We're certainly not accusing HTC of any wrong-doing here.
Some of you might remember the story that HP LaserJet printers might be open to hack attacks that could result in some not-so-spontaneous combustion? Now the company has issued a statement saying that no-one reported their printer exploding, but to be on the safe side, it's produced a firmware update (available at the source link) that'll close the hole and ensure your Holiday doesn't end with a visit from the fire department.
An SMS message on your Windows 7.5 handset could knock messaging out cold, a one shot kill you can't prepare for. Apparently, WP devices that receive a text containing a certain string of characters will reboot and return with a non-functional messaging client which can only be restored via a hard reset. The flaw is not device-specific and has been found to affect other parts of the OS, locking up your handset if you've pinned a friend as a live tile and that buddy posts the magic bug words on Facebook or Windows Live Messenger. Fixing the problem requires quick tapping fingers, as you've got to remove the pinned tile after rebooting before it flips and freezes the phone again. Before you go abandoning WP7's ship, just know that SMS issues are a known phenomenon and have affected all the major mobile players, iOS and Android included. Until Microsoft releases a fix, cross your fingers and hang tight, but in the meantime, all you mobile masochists can see the bug in action after the break.
Eight Android phones, including the Motorola Droid X and Samsung Epic 4G, were found to house major permission flaws according to a research team at North Carolina State University. Their study revealed untrusted applications could send SMS messages, record conversations and execute other potentially malicious actions without user consent. Eleven of the thirteen areas analyzed (includes geo-location and access to address books) showed privileges were exposed by pre-loaded applications. Interestingly, Nexus devices were less vulnerable, suggesting that the other phone manufacturers may have failed to properly implement Android's security permissions model. Google and Motorola confirm the present flaws while HTC and Samsung remain silent. Exerting caution when installing applications should keep users on their toes until fixes arrive.
Your precious printer might seem innocuous but, in reality, it could be a ticking time bomb just waiting for some hacker to trigger it. Oh, and we mean that not just figuratively, but literally as well -- they could actually be caused to burst into flames by some ne'er-do-well half-way around the globe. Of course, the potential doesn't end at remote arson, an attacker could easily gain access to a network or steal documents, and hijacking the lowly device would require little more than printing an infected file. So far researchers at Columbia University have only managed to exploit the hole on HP printers, but it's possible (if not likely) that others are also affected. Most printers look for a firmware update every time they receive a job but, for some reason, they rarely check the validity of an incoming file. A fake upgrade could easily be attached to a file sent over the internet, directly to a device -- no need to even trick anyone. HP says it's taking the issue very seriously and looking into the vulnerability, though, it says newer devices aren't affected (a claim the researchers challenge). For a lot more detail on the what and how check out the source link.
Update: HP (unsurprisingly) issued a rebuttal. It's working up a firmware update right now for certain flaws, but it'll have you know that "no customer has reported unauthorized access."
This isn't the first brush Apple's iOS platform has had with apps that exploit security holes to run unsigned code, but according to the developer of InstaStock, this may be the first to get a security researcher booted from its developer program. Charlie Miller shared his discovery with Forbes earlier today, showing off an app which successfully made it through Apple's approval process despite packing the ability to download and run unsigned code. That could allow a malicious app to access user data or activate hardware features remotely. Apple pulled the app after the findings were published, and according to Miller, revoked his developer access shortly afterward for what seems to be a clear violation of the guidelines. He told CNET that he alerted Apple to the exploit three weeks ago, however it's unknown whether or not a fix for the problem is included in the new 5.0.1 version of iOS that's currently in testing. He'll be explaining his method in more detail next week at SysCan, but until the hole is confirmed closed we'd probably keep a tight leash on our app store browsing.
HTC held true to its promise to look into the security vulnerability that surfaced over the weekend, an apparent glitch that allows any app requesting internet access to take a peek at a user account information, GPS location, system logs, and other potentially private data. While HTC assured us that user data isn't at risk of being harmed by its own software, a third party malware app could exploit the security flaw and cause some trouble. The outfit is already building a patch, and will ship it out in an over the air update after a short testing period with its carrier partners. Until then? HTC recommends steering clear of apps from publishers you don't trust. Hit the break to see the official statement.
The folks at Android Police seem to have stumbled across a rather jarring security vulnerability in HTC handsets running Android, giving common apps with internet access a peek at the device's vital statistics, user information and more. Demonstrated in the above video, developer Trevor Eckheart found that a recent HTC update packed in a suite of logging tools that collects data on user accounts (including email addresses), recent GPS locations, SMS data and encoded text, phone numbers, system logs, running processes and more -- all of which can be accessed by common apps requesting access to android.permission.INTERNET.
HTC is already looking into the issue, stating, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken." If you're too antsy to wait for HTC's update, head on over to the source link below -- Eckheart says the issue can be resolved by removing HTCloggers from a rooted device.
It's been a rough Black Hat conference for Google. First, FusionX used the company's homepage to pry into a host of SCADA systems, and now, a pair of experts have discovered a way to hack into Chrome OS. According to WhiteHat security researchers Matt Johansen andKyle Osborn, one major issue is Google's vet-free app approval process, which leaves its Chrome Web Store susceptible to malicious extensions. But there are also vulnerabilities within native extensions, like ScratchPad -- a note-taking extension that stores data in Google Docs. Using a cross-site scripting injection, Johansen and Osborn were able to steal a user's contacts and cookies, which could give hackers access to other accounts, including Gmail. Big G quickly patched the hole after WhiteHat uncovered it earlier this year, but researchers told Black Hat's attendees that they've discovered similar vulnerabilities in other extensions, as well. In a statement, a Google spokesperson said, "This conversation is about the Web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels." The company went on to say that its laptops can ward off attacks better than most, thanks to "a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced."
Well, it looks like Microsoft is taking those warnings about WebGL pretty seriously. The company has decided not to support the web-based 3D standard because it wouldn't be able to pass security muster. Highest on the list of concerns is that WebGL opens up a direct line from the internet to a system's GPU. To make matters worse, holes and bugs may crop up that are platform or video card specific, turning attempts to plug holes in its defense into a game of whack-a-mole -- with many players of varying reliability. Lastly Microsoft, like security firm Context, has found current solutions for protecting against DoS attacks rather unsatisfying. Lack of support in Internet Explorer won't necessarily kill WebGL and, as it matures, Microsoft may change its tune -- but it's still a pretty big blow for all us of hoping the next edition of Crysis would be browser-based.
Update: As is usually the case Apple and the Windows folks are on opposite sides of this one. In fact, the Cupertino crew plans to bring WebGL to iOS 5 with one very strange restriction -- it will only be available to iAd developers. Now, chances are it will eventually be opened up in mobile Safari for everyone, but for the moment it seems browser-based 3D graphics will be limited to advertisements on the iPhone. Still, that's another big name throwing its support behind the burgeoning standard.
TheNextWeb | 
My War with Entropy, HTC Support | Email this | Comments
Recent Comments