From the year 2000 through today, Java, Adobe Reader and Flash were responsible for 66% of the vulnerabilities exploited by malware on Windows, according to a new study by the research group AV-Test Institute.
The study reinforces the well-known rule that keeping applications software up to date is of critical importance for system security. The study does not indicate how many of the exploits were active when the vulnerabilities were unpatched, but such exploits are undoubtedly a small percentage of the total.
The long time span of the study may make it more of historical interest than practical value. Within the last five to ten years both Adobe and Microsoft have improved their software development processes lowering the overall number of vulnerabilities and the severity of those that get through. Current versions of Windows and both Microsoft and Adobe applications, are far more secure than in 2000, or even 2008.
The same is not as true of Java, which is the biggest current problem of the programs tracked by the study, in part because so many users still have old versions of Java installed on their systems.
Other user practices, such as running as a standard user rather than as Administrator, also limit the severity of application exploits. This was a difficult practice to employ with Windows XP, but in current versions of Windows it is far more practical to run as standard user.
Source: ZD Net
The pre-installed crapware that fills many Android phones is more than just annoying — it also frequently opens up big security holes. Here’s how to kill the crapware and keep your phone safe and in tip-top shape.
The crapware problem is much worse than you think. New research by the Department of Computer Science at North Carolina State University found that many popular Android phones are vulnerable because of security holes introduced by pre-installed apps you don’t want.
The researchers examined ten Android phones, looking for how much crapware is on each, although they preferred the gentler and more academic-sounding term “vendor customizations.” They then examined the crapware to see if it made the phones more vulnerable. The phones they studied were Google’s Nexus S and Nexus 4, HTC’s Wildfire S and One X, Samsung’s Galaxy S2 and S3, Sony’s Xpreia Arc S and Xperia SL, and LG’s Optimus P350 and P8880. The results are sobering — and scary. Here’s the summary of their findings:
“Our results also show that vendor customizations are responsible for a large proportion of the vulnerabilities in each phone. For the Samsung, HTC, and LG phones, between 64.71% and 85.00% of the vulnerabilities were due to vendor customizations. This pattern was largely stable over time, with the notable exception of HTC, whose current offering is markedly more secure than the last-generation model we evaluated.”
The core of the problem are apps that the researchers call “over-privileged.” That means that apps get more access to the phones’ various systems, data, and resources than they actually use. That leaves the phone open to exploitations.
Of the phones, which are the least and most secure? Here are the findings:
“The HTC Wildfire S is still the least secure pre-2012 device, but only by a hair — the Samsung Galaxy S2 has only one fewer vulnerability. The Sony Xperia Arc S is tied with the Google Nexus S for the most secure pre-2012 device. Meanwhile, there is a complete shake-up among the post-2012 devices: the Samsung Galaxy S3 has 40 vulnerabilities to the LG Optimus P880′s 26, while the HTC One X (at 15 vulnerabilities) falls to mid-pack, behind the Nexus 4 (at three) and the Sony Xperia SL (at eight).”
Even if you don’t have one of those phones, pre-installed crapware is making your phone less secure. So to make your phone safer, you should disable or kill the crapware. There’s the easy way and the hard way. The easy way disables the apps but doesn’t remove them from the device. And to use it, your phone has to have Ice Cream Sandwich (Android 4.0 or above). The hard way requires you to root your phone, then use a free app.
If you’ve got Android 4.0 or above and want to disable the crapware without rooting the phone, here’s how to do it. Note that many manufacturers have customized Android, so the instructions here might differ a bit from what you’ll see on your phone. But the general instructions and principles are the same.
First, go to Settings. You’ll find the Settings menu in the App Menu , or else you can get there by pulling down the notification drawer and tapping Settings. Once you’re there, go to “Apps.” Depending on your phone, it might be called “Manage Apps,” or even “Application Manager.”
Now swipe to the All apps list. Scroll to find an app you want to disable. Tap it. The App Info page appears. If the app isn’t true crapware, there will be an Uninstall button. Simply tap the button to uninstall the app. But if it is crapware, an Uninstall button won’t be there. There will, however, be a button that reads either “Uninstall updates” or Disable. If there’s an “Uninstall updates” button, tap it. The button will change to read Disable.
Tap the Disable button. That will disable the app, and from now on, the app won’t launch in the background. If you want to enable the app, head back to the All apps list. You’ll find disabled apps at the bottom. Tap any you want to enable, then tap the Enable button.
Disabling the app, won’t actually remove it from your system, which means it will take up hard disk space. That shouldn’t be a problem. But if you absolutely, positively want to get the app off your system, you’re going to have to root your phone, then use a free piece of software called NoBloat Free. There are plenty of ways to root your phone, and my suggestion is to do an Internet search. Keep in mind that it can prove to be problematic, and you’ll void your phone’s warranty if you do it, so make sure it’s really something you want to do. A few good starting points are this page from Android Central and this page from LifeHacker. Once you’ve rooted the phone, run NoBloat Free.
Source: IT World
A vulnerability mostly affecting older versions of Google’s Android operating system may make it possible for attackers to execute malicious code on end-user smartphones that use a wide variety of apps, researchers said.
The weakness resides in a widely used programming interface known as WebView, which allows developers to embed Web-based content into apps used for banking, entertainment, and other purposes. Many apps available on the official Google Play market don’t properly secure the connection between the WebView component on a phone and the Web content being downloaded, researchers from UK-based MWR Labs recently warned. That makes it possible for attackers who are on the same open Wi-Fi network as a vulnerable user to hijack the connection and inject malicious code that can be executed by the phone.
“The lowest impact attack would be downloading contents of the SD card and the exploited application’s data directory,” the researchers wrote in an advisory published earlier this week. “However, depending on the device that was exploited this could extend to obtaining root privileges, retrieving other sensitive user data from the device or causing the user monetary loss.”
Google representatives declined to comment for this story.
Einar Otto Stangvik, a security consultant with Indev.no, said he has identified Android banking apps used in Norway that are also open to remote-code attacks that make users more susceptible to phishing attacks. He theorized that attackers might exploit the weakness by planting malware on a target’s PC that hijacks a smartphone when both devices are connected to the same network.
The reports of the weak apps come almost a year after two academic reports uncovered wide-ranging deficiencies in the cryptographic protections in smartphone software. One found that Android apps used by as many as 185 million people contained holes that leaked login credentials and other sensitive data even though they were supposed to be protected by SSL. The other revealed a variety of apps running on Android and PCs that were fooled by fraudulent SSL certificates. It’s possible that similar defects could fail to protect code exposed in WebView objects even when developers think they’re properly contained inside an SSL channel.
The good news
While the vulnerability is potentially serious, there are several limitations that minimize the damage attackers can do when exploiting vulnerable apps. Chief among them is the fact that Android’s permissions and sandboxing mechanisms prevent most Android apps from installing other apps without explicit permission from the end user. That will probably prevent the technique from being used to install malicious apps in most cases. As a backup, the “Verify Apps” setting available in all versions of Android could also be updated to stop malicious installations should attackers find a way to bypass the permissions and sandbox protections.
What’s more, Tim Wyatt, director of security engineering at smartphone security provider Lookout, said some researchers may be exaggerating the threat of attackers obtaining root privileges unless they can exploit a second, unknown vulnerability in Android’s permissions and sandbox protections.
Source: Ars Technica
This entry was posted in Android, Google, Mobile OS, Mobile Phone Application, Mobile Phones, Operating System, Security, Smartphone, Software and tagged Android, apps, Google, Malware, Security, Virus, Wi-Fi.
Via: Android Central
It’s no secret that Apple has just unveiled its latest devices, the iPhone 5s and 5c, and while our friends over at iMore dive deeper into the Apple-centric coverage we want to see how its latest device’s specs stack up against the Android hardware.
Going head-to-head with Google’s (admittedly 11-month old) latest reference device the Nexus 4 and the HTC One, the iPhone 5s stacks up pretty comparably. The latest iPhone sticks with the 4-inch 326 ppi “Retina” display, matching up to the 4.7-inch 320 ppi of the Nexus 4 and absurdly nice 4.7-inch 468 ppi of the One. On the camera front Apple has moved to an 8MP BSI camera much like the Nexus 4, but with larger pixels like the One and a few new features included in the form of software optimization, a new image signal processor and dual LED flash.
The rest of the specs round out very similarly as other high-end devices out there today, but there are naturally a few points where each device stands out. Stick around after the break for a full spec-by-spec breakdown of the iPhone 5S vs. the Nexus 4, HTC One and the latest BlackBerry and Windows Phone handsets.
Source: Android Central
This entry was posted in Android, Apple, BlackBerry, Mobile OS, Mobile Phones, Operating System, Smartphone, Windows Phone and tagged Android, Apple, Blackberry, HTC, iPhone 5s, Nokia, Windows Phone., Z10.
Hackers will bank bugs until after Microsoft retires Windows XP in April 2014; expect attacks, say security experts
Cyber criminals will bank their Windows XP zero-day vulnerabilities until after Microsoft stops patching the aged operating system next April, a security expert argued today.
Jason Fossen, a trainer for SANS since 1998 and an expert on Microsoft security, said it’s simply economics at work.
“The average price on the black market for a Windows XP exploit is $50,000 to $150,000, a relatively low price that reflects Microsoft’s response,” said Fossen. When a new vulnerability — dubbed a “zero-day” – is spotted in the wild, Microsoft investigates, pulls together a patch and releases it to XP users.
If the bug is critical and being widely used by hackers, Microsoft will go “out-of-cycle,” meaning it will issue a security update outside its usual monthly Patch Tuesday schedule.
But after April 8, 2014, Microsoft has said it will retire Windows XP and stop serving security updates. The only exceptions: Companies and other organizations, such as government agencies, that pay exorbitant fees for custom support, which provides critical security updates for an operating system that’s officially been declared dead.
Because Microsoft will stop patching XP, hackers will hold zero-days they uncover between now and April, then sell them to criminals or loose them themselves on unprotected PCs after the deadline.
“When someone discovers a very reliable, remotely executable XP vulnerability, and publishes it today, Microsoft will patch it in a few weeks,” said Fossen. “But if they sit on a vulnerability, the price for it could very well double.”
Minus any official patching from Microsoft, XP zero-days and their associated exploits could remain effective for months, maybe even years, depending on how well security software detects and quarantines such attacks.
If Fossen’s thesis is correct, there should be signs of bug banking, most notably a sharp reduction in the number of publicly-disclosed or used-in-the-wild XP vulnerabilities during the fourth quarter of 2013 and the first quarter of 2014.
“[Hackers] will be motivated to sit on them,” Fossen stressed.
There really aren’t precedents to back up Fossen’s speculation, he acknowledged, because the last time Microsoft pulled the plug on an edition was July 2010, when it retired Windows 2000. But according to metrics firm Net Applications, at the time Windows 2000 powered just four-tenths of one percent of all PCs.
Windows XP will have a much larger share when it’s retired next year: Based on XP’s current rate of decline, Computerworld has projected that the old OS will still run between 33% and 34% of the world’s personal computers at the end of April 2014.
That would be 80 times the share of Windows 2000 when it retired.
But even with Windows 2000′s minuscule share when it left support, there were reports that an edition-specific zero-day was created and sold.
“I heard rumors of a new zero-day being found and sold after the support period expired [for Windows 2000],” said HD Moore, creator of the popular Metasploit penetration testing toolkit and the chief security officer of security company Rapid7. “But there were few if any examples that ended up in the public eye.”
Moore agreed with Fossen that XP bugs would be more valuable after April 2014, but contended that all Windows vulnerabilities would jump in value.
“Something more common [three years ago] was backporting new security advisories into functional exploits on Windows 2000,” said Moore in an email. “Every time a server-side vulnerability was found in Windows XP or 2003 Server, quite a few folks looked at whether this would also work against Windows 2000. My guess is that the retirement of Windows XP will result in all Windows vulnerabilities being of slightly higher value, especially given the difference in exploit mitigations between XP and newer platforms.”
It’s far easier to exploit flaws in Windows XP than in newer editions, such as Windows 7 and Windows 8, noted Moore, because of the additional security measures that Microsoft’s baked into the newer operating systems.
Microsoft has said the same. In the second half of 2012, XP’s infection rate was 11.3 machines per 1,000 scanned by the company’s security software, more than double the 4.5 per 1,000 for Windows 7 SP1 32-bit and triple the 3.3 per 1,000 for Windows 7 SP1 64-bit.
“Windows XP vulnerabilities will be valuable as long as enterprises utilize that version of the operating system,” said Brian Gorenc, manager of HP Security Research’s Zero Day Initiative, the preeminent bug bounty program. But Gorenc also argued that any XP zero-days would be outweighed by higher-priority hacker work.
“Researchers are primarily focused on the critical applications being deployed on top of the operating system,” said Gorenc in an email reply to questions today. “Attackers and exploit kit authors seem to rely on the fact that the update process and tempo for applications are not as well defined as those for operating systems.”
Fossen, convinced that XP would be a big fat target after April 8, wondered whether Microsoft might find itself in a tough spot, and back away from the line in the sand it’s drawn for XP’s retirement.
“If hackers sit on zero-days, then after April use several of them in a short time, that could create a pain threshold [so severe] that people organize and demand patches,” said Fossen.
The consensus among analysts and security experts is that Microsoft will not back down from its decision to retire XP, come hell or high water, because it would not only set an unwelcome precedent but also remove any leverage the company and its partners have in convincing laggards to upgrade to a newer edition of Windows.
But a few have held out hope.
“Suppose we get to a date post the end of Extended support, and a security problem with XP suddenly causes massive problems on the Internet, such as a massive [denial-of-service] problem?” asked Michael Cherry, an analyst with Directions on Microsoft, in an interview last Decembe. “It is not just harming Windows XP users, it is bringing the entire Internet to its knees. At this time, there are still significant numbers of Windows XP in use, and the problem is definitely due to a problem in Windows XP. In this scenario, I believe Microsoft would have to do the right thing and issue a fix.”
Jason Miller, manager of research and development at VMware, had some of the same thoughts at the time. “What if XP turns out to be a huge virus hotbed after support ends? It would be a major blow to Microsoft’s security image,” Miller said.
Another option for Microsoft, said Fossen, would be to take advantage of a post-retirement disaster to do what it’s been doing for years, push customers to upgrade.
“They might also respond with a temporary deal on an upgrade to Windows 8,” said Fossen, by discounting the current $120 price for Windows 8 or the $200 for Windows 8 Pro. “Then they could say, ‘We’re aware of these vulnerabilities, but you should upgrade.’”
T-Mobile has joined the Ubuntu Carrier Advisory Group as a member according to a press release issued yesterday. According to Canonical:
T-Mobile USA is the newest member of the Ubuntu Carrier Advisory Group. T-Mobile USA reaches almost 300 million American consumers and business people today. As a member of the CAG, T-mobile USA will join discussions to influence the development of Ubuntu for smartphones.
As T-Mobile continues to look for ways to differentiate from the likes of Sprint and AT&T, perhaps joining the Ubuntu advisory group is one way to do exactly that. Canonical is making a concentrated effort to make sure carriers won’t be able to exert too much control over the operating system’s look and feel. As Ubuntu’s community manager Jono Bacon said as OSCon, Ubuntu is looking to prevent a world where interface fragmentation ala Android.
“My wife and I both had Android phones and they gave us two entirely different experiences,” said Bacon. “We’re avoiding that.”
Ubuntu’s handset interface has already been previewed but is said to include some of the following features:
1. Edge magic: thumb gestures from all four edges of the screen enable users to find content and switch between apps faster than other phones.
2. Deep content immersion – controls appear only when the user wants them.
3. A beautiful global search for apps, content and products.
4. Voice and text commands in any application for faster access to rich capabilities.
5. Both native and web or HTML5 apps.
6. Evolving personalized art on the welcome screen.
Bacon added, “The design and implementation of the phone is beautiful You can immediately tell it is Ubuntu; the Unity mobile experience looks clean and consistent with the desktop and touch is stunningly integrated. The Ubuntu for phones experience is designed to make all your phone content easier to access and your apps more immersive – every edge has a specific purpose, making all your apps, content and controls instantly accessible, without navigating back to the home screen every time. It’s a uniquely, beautifully converged experience.”
Source: Tmo News
Awesome commercial from QNX showing how powerful the BlackBerry 10 software is. Great commercial and I would love to see this one playing on TV, it would definitely help get the word out more about BlackBerry 10.
Potential attackers can exploit the flaw by sending specifically crafted IPv6 packets to the targeted computers
Kaspersky Lab’s Internet Security 2013 product contains a bug that can be exploited remotely, especially on local networks, to completely freeze the OS on computers running the software.
The bug can be attacked by sending a specifically crafted IPv6 (Internet Protocol version 6) packet to computers running Kaspersky Internet Security 2013 and other Kaspersky products that have the firewall functionality, security researcher Marc Heuse said earlier this week in an advisory published on the Full Disclosure mailing list.
“A fragmented packet with multiple but one large extension header leads to a complete freeze of the operating system,” he said. “No log message or warning window is generated, nor is the system able to perform any task.”
IPv6 support is enabled by default for network interfaces in Windows Vista and later, as well as in many Linux distributions and in Mac OS. IPv6 adoption on the Internet is relatively low at the moment so the number of computers that are publicly accessible over IPv6 is not very high. However, most computers are accessible over IPv6 on local networks and have local IPv6 addresses assigned to them by default.
Heuse claims that he reported the bug to Kaspersky Lab on Jan. 21 and again on Feb. 14, but received no feedback from the company so he decided to disclose it publicly. In addition to the advisory he also published a proof-of-concept tool that can exploit the bug.
Kaspersky Lab acknowledged the existence of the issue for Kaspersky Internet Security 2013. “After receiving feedback from the researcher, Kaspersky Lab quickly fixed the error,” the company said Thursday via email. “A private patch is currently available on demand and an autopatch will soon be released to fix the problem automatically on every computer protected by Kaspersky Internet Security 2013.”
Although the issue is valid, there was no threat of malicious activity affecting the computers of any users who experienced the rare problem, the company said. “Actions have been taken to prevent such incidents from occurring in the future,” it said.
The company could not immediately confirm whether any other of its products are affected as well.
Source: Network World
iOS 6 Bug Lets Institutional Users Bypass “Don’t Allow Changes” Account Restriction, Install Unapproved Apps
For those of you that are unfamiliar, iOS 6 received some beefed up Restriction settings when it was released, allowing users to select “Don’t Allow Changes” for an entire account linked to an iOS device. This option was particularly useful for schools and other organizations that wanted to limit a device to a specific account and keep students and others from installing apps not approved by the institution. Without the restriction, students or employees could easily change the iTunes account linked to the iOS device. Unfortunately, as noticed by one frustrated 9to5Mac reader, it appears there is several backdoor methods of bypassing the setting…
As highlighted in the video, while users can no longer change the account in the Settings app after enabling the “Don’t allow changes” setting, they can still change accounts directly in the App Store and iTunes apps. For teachers and organizations trying to prevent users from installing unapproved content, the bug is clearly an oversight on Apple’s part.
Apple has confirmed to our source that the problem is indeed a bug that needs to be fixed. However, Apple didn’t confirm when a fix for the “Don’t allow changes” bug would arrive. Apple’s temporary solution is to turn off the “Installing Apps” option within Restrictions. Unfortunately, as noted in the video above, that prevents organizations from pushing apps and allowing users to update apps.
We’ve reached out to Apple and will update if we hear back.
A number of other bugs have popped up in recent weeks, including the “Continuous Loop” Exchange bug and a passcode vulnerability both related to iOS 6.1 bugs. Apple has confirmed fixes for these issues are in the works and a 6.1.2 software update is expected as early as next week.
For more and to watch a video demonstration click the source link below:
Source: 9 to 5 Mac