HTC held true to its promise to look into the security vulnerability that surfaced over the weekend, an apparent glitch that allows any app requesting internet access to take a peek at a user account information, GPS location, system logs, and other potentially private data. While HTC assured us that user data isn't at risk of being harmed by its own software, a third party malware app could exploit the security flaw and cause some trouble. The outfit is already building a patch, and will ship it out in an over the air update after a short testing period with its carrier partners. Until then? HTC recommends steering clear of apps from publishers you don't trust. Hit the break to see the official statement.
The folks at Android Police seem to have stumbled across a rather jarring security vulnerability in HTC handsets running Android, giving common apps with internet access a peek at the device's vital statistics, user information and more. Demonstrated in the above video, developer Trevor Eckheart found that a recent HTC update packed in a suite of logging tools that collects data on user accounts (including email addresses), recent GPS locations, SMS data and encoded text, phone numbers, system logs, running processes and more -- all of which can be accessed by common apps requesting access to android.permission.INTERNET.
HTC is already looking into the issue, stating, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken." If you're too antsy to wait for HTC's update, head on over to the source link below -- Eckheart says the issue can be resolved by removing HTCloggers from a rooted device.
It's been a rough Black Hat conference for Google. First, FusionX used the company's homepage to pry into a host of SCADA systems, and now, a pair of experts have discovered a way to hack into Chrome OS. According to WhiteHat security researchers Matt Johansen andKyle Osborn, one major issue is Google's vet-free app approval process, which leaves its Chrome Web Store susceptible to malicious extensions. But there are also vulnerabilities within native extensions, like ScratchPad -- a note-taking extension that stores data in Google Docs. Using a cross-site scripting injection, Johansen and Osborn were able to steal a user's contacts and cookies, which could give hackers access to other accounts, including Gmail. Big G quickly patched the hole after WhiteHat uncovered it earlier this year, but researchers told Black Hat's attendees that they've discovered similar vulnerabilities in other extensions, as well. In a statement, a Google spokesperson said, "This conversation is about the Web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels." The company went on to say that its laptops can ward off attacks better than most, thanks to "a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced."
Well, it looks like Microsoft is taking those warnings about WebGL pretty seriously. The company has decided not to support the web-based 3D standard because it wouldn't be able to pass security muster. Highest on the list of concerns is that WebGL opens up a direct line from the internet to a system's GPU. To make matters worse, holes and bugs may crop up that are platform or video card specific, turning attempts to plug holes in its defense into a game of whack-a-mole -- with many players of varying reliability. Lastly Microsoft, like security firm Context, has found current solutions for protecting against DoS attacks rather unsatisfying. Lack of support in Internet Explorer won't necessarily kill WebGL and, as it matures, Microsoft may change its tune -- but it's still a pretty big blow for all us of hoping the next edition of Crysis would be browser-based.
Update: As is usually the case Apple and the Windows folks are on opposite sides of this one. In fact, the Cupertino crew plans to bring WebGL to iOS 5 with one very strange restriction -- it will only be available to iAd developers. Now, chances are it will eventually be opened up in mobile Safari for everyone, but for the moment it seems browser-based 3D graphics will be limited to advertisements on the iPhone. Still, that's another big name throwing its support behind the burgeoning standard.
Here's a little tip for app developers: encrypt everything, especially passwords. Security firm viaForensics fed some popular iPhone and Android apps through its appWatchdog tool and found that Netflix, LinkedIn, and Foursquare all stored account passwords unencrypted. Since the results were first published on the 6th, Foursquare has updated its app to obscure users' passwords, but other data (such as search history) is still vulnerable. While those three were the worst offenders, other apps also earned a big fat "fail," such as the iOS edition of Square which stores signatures, transaction amounts, and the last four digits of credit card numbers unencrypted. Most of this data would take some effort to steal, but it's not impossible for a bunch of ne'er-do-wells to create a piece malware that can harvest it. Let's just hope Netflix and LinkedIn patch this hole quickly -- last thing we need is someone discovering our secret obsession with Meg Ryan movies.
No Android security flaw is good news for Google, but the recently discovered ClientLogin issue that left the OS vulnerable to impersonation attacks is surely at least a bit more welcome than some of the alternatives. That's because the flaw can be fixed at the server-side level (rather than on millions of Android phones), and Google has now confirmed that a fix is rolling out today, although it may take a few more days for it to cover all users (there's no action required on your part). The company's not quite out of the woods just yet, though -- while we've confirmed with Google that the fix addresses the issues with Calendar and Contacts, the problem with Picasa remains, and there's still no indication of a fix for it. Incidentally, Google had already fixed the Calendar and Contacts issues on the phone-side with Android 2.3.4 (although that still left 99 percent of phones vulnerable), but it too is still stuck with the Picasa vulnerability.
Google spent a lot of time yesterday talking up WebGL, but UK security firm Context seems to think users should disable the feature because it poses a serious security threat, and the US Computer Emergency Readiness Team (CERT) is encouraging people to heed that advice. According to Context, a malicious site could pass code directly to a computer's GPU and trigger a denial of service attack or simply crash the machine. Ne'er-do-wells could also use WebGL and the Canvas element to pull image data from another domain, which could then be used as part of a more elaborate attack. Khronos, the group that organizes the standard, responded by pointing out that there is an extension available to graphics card manufacturers that can detect and protect against DoS attacks, but it did little to satisfy Context -- the firm argues that inherent flaws in the design of WebGL make it very difficult to secure.
Now, we're far from experts on the intricacies of low-level hardware security but, for the moment at least, there seems to be little reason for the average user to panic. There's even a good chance that you're not vulnerable at all since WebGL won't run on many Intel and ATI graphics chips (you can check by clicking here). If you're inclined to err on the side of caution you can find instructions for disabling WebGL at the more coverage link -- but come on, living on the cutting edge wouldn't be anywhere near as fun if it didn't involve a bit of danger.
It's hard to believe that Russian President Dmitry Medvedev and Apple man Steve Jobs would get all giggly over a Granny Smith, and that's for good reason: that apple's about as phony as this tiny iPhone. According to a Russian security firm, however, Nikon's Image Authentication Software would tell you otherwise. This rendering is one of a handful used to demonstrate a flaw in the camera maker's image verification system. Programs like Nikon's apply an encrypted signature to image files at the time they are captured, and overwrite those signatures when a file is altered, allowing for verification of a photograph's integrity. According to ElcomSoft, the firm exposed a flaw in the system used by Nikon, as well as a similar program employed by Canon's DSLRs, that allowed them to extract the signature key from a camera and apply it to phonies like the one above. According to the outfit, neither company has responded to its findings. For more funny fakes, including a shot of Mike Tyson rocking an Angry Birds tattoo, check out the source link below.
Hey, guess what? Adobe has found yet another serious security flaw in Flash. We can already hear the iOS fanboys warming up their commenting fingers. The vulnerability affects all platforms, including Android, though only attacks on Windows have been seen in the wild so far. Just like last month's exploit, this one is spreading via malicious .swf files embedded in Office documents, only this time it's Word instead of Excel being targeted (a hacker's gotta keep it fresh, after all). Once again Reader and Acrobat are also vulnerable, but attacks can be thwarted using Reader's Protected Mode. When exactly Adobe plans on plugging this hole is anyone's guess, so when a deposed Nigerian prince tells you about the fabulous sum of money he'd like you to transfer, you'll have yet another reason not to open the Office attachments in his email.
Oh, woe is us. Or, to be more precise, woe is us if we wanted the Xperia Play on the UK's O2 network on the day of its release, April 1st. The British carrier has been candid in admitting it found software bugs on the Play and is holding back release of the gamer-friendly device until those have been ironed out. We appreciate its effort in "testing the phone non-stop for weeks" and its reluctance to grab a quick buck by releasing imperfectly baked goods, but a major question remains -- if this isn't an O2-specific software problem, and we've heard no peep of O2 customizing the Android 2.3 build on the Play, why are no other carriers signaling a similar delay? Vodafone is still aiming to deliver UK pre-orders by April 5th and there seems to be no indication of flawed software from others. Only thing we can think of, given that O2 has the white Xperia Play exclusive, is that the white phone curse has struck again.
Update: Here's what Sony Ericsson has to say on the matter:
"Sony Ericsson Xperia[TM] PLAY will be launching on 1st April across all UK mobile operator partners except for O2, who have decided to prolong the testing period in order to ensure that the software meets the requirements of its procedures. Sony Ericsson will be workingwith O2 over the next couple of weeks to expedite the process and ensure that O2 customers can soon join consumers across the UK in being able to enjoy the world's first PlayStation certified smartphone."
Android Police, InfectedROM | Email this | Comments
WinRumors, The Register | 
Hey, guess what? Adobe has found yet another serious security flaw in Flash. We can already hear the iOS fanboys warming up their commenting fingers. The vulnerability affects all platforms, including Android, though only attacks on Windows have been seen in the wild so far. Just like last month's exploit, this one is spreading via malicious .swf files embedded in Office documents, only this time it's Word instead of Excel being targeted (a hacker's gotta keep it fresh, after all). Once again Reader and Acrobat are also vulnerable, but attacks can be thwarted using Reader's Protected Mode. When exactly Adobe plans on plugging this hole is anyone's guess, so when a deposed Nigerian prince tells you about the fabulous sum of money he'd like you to transfer, you'll have yet another reason not to open the Office attachments in his email.
Recent Comments