The newest jailbreak for Apple's iOS platform has exposed a serious exploit that could allow a remote attacker to compromise the device. The exploit is present in all iPhones, iPads, and iPod Touches running version 3.1.2 and higher. The exploit doesn't even require any particular user intervention, just opening a malicious PDF document.
The user is just required to visit a web address in mobile Safari that will load a PDF document. The PDF contains malicious code hidden in a font. The font will cause a stack overflow, allowing the code to be run on the device. A hacker could conceivably do anything at that point. Anything from deleting files, to installing spyware in the background.
This is similar to an exploit early in the iPhone's existence that used TIFF images. But this time around there are many more iPhones in the world, so we expect Apple to take this pretty seriously. Users are cautioned to avoid any PDFs for the time being.
Adobe is no stranger to criticism. The company has consistently drawn flak for its piss poor security track record. In fact, it would be reasonable to believe that Adobe is inured to the constant castigation.
But it now seems to be making more serious efforts to plug the many holes in its software. Back in April, it introduced an automatic updater for its Acrobat and Reader products, giving it the ability to tackle critical security issues speedily. And now it has turned its focus to “sandboxing,” a security mechanism that involves running the software in question in an isolated environment - the sandbox.
Initially, the new feature, dubbed “Protected Mode,” will only be used to sandbox “write calls.” But a subsequent update will also help stave off exploit code that tries to copy sensitive information from the user’s machine. “In the first release, everything that is involved in rendering a PDF has to happen within the sandbox.”
Adobe expects to have the next version of Reader ready before the end of the year.
Apple is a company that loves to control the news cycle. The Cupertino-based hardware maker has a reputation for calling press conferences to announce even the most trivial new products or feature enhancements. It's annoying, but it seems to work for them. We rarely see a departure from this approach, that is until yesterday. In its most recent 10.6.4 Snow Leopard upgrade, Apple included new antivirus signatures to help fight off some of the more high-profile OSX exploits found in the wild.
The most notable of these is a file disguised as the iPhoto application which, when launched, lets attackers send spam, take screenshots, access files, and do just about anything else you can think of. Our guess is that the Apple marketing department couldn't find a positive light to spin the new OS enhancement, so it was conveniently left out of the patch notes. CNET pointed out, and we agree, that Apple's ongoing refusal to acknowledge security flaws in its products exposes users to greater danger since they are lulled into a false sense of security.
With low single digit market share numbers, OSX exploits will continue to be few and far between, but I don't think anyone would suggest that simply ignoring the problem will make it go away. I'm sure Microsoft would be happy to give Steve a few tips on how to deal with the emerging threat, but somehow I doubt they would take them up on the offer.
Is Apple misleading its customers by telling them they don't need antivirus?
The life of a white hat hacker isn't one I envy. They do an amazing job of uncovering security exploits that threaten us all, but whistleblowers who come forward too often seem to get the cold shoulder, or worse yet, get labeled as criminals. This is the situation allegedly facing Goatse Security, the firm that first reported on the iPad data leak that exposed over 114,000 iPad email accounts last week.
According to a Goatse spokesman known only as "Weev", "We did this as niceguy as we could. The Wall Street Journal wrote an article that implies pretty strongly that we are criminals. We did not publicly release the dataset, we waited until we confirmed the system was secured before we went public with technical details. I hope they don't try to get charges pressed but if charges are pressed we will fight it and win".
A similar situation is facing a Google employee who recently exposed a vulnerability in Windows XP and was labeled by Microsoft as "irresponsible". It can sometimes be difficult to gauge the intention of those who bring these exploits to light, and at least in this case, Google insists the employee in question was acting alone. Regardless of how you feel about each of the individual cases listed above, it raises interesting concerns about how to deal with situations like this in the future.
Are these guys criminals or heroes? Let us know what you think after the jump.
Not a thing wrong with making some money. Right? Well, that's the great contradiction in both the open-source and freeware worlds. Everyone loves software that performs a unique task (or replicates the unique tasks of paid-for applications), but the second an aspiring developer attempts to tack a moneymaking scheme to an otherwise free program, said developer might as well call up the fire department and Internet police--there are going to be torches, pitchforks, and angry blog posts knocking on the front door within short order.
It's almost too easy to blame the developer. And for good reason: There's a definitive lack of add-ons, advertisements, and other such cash-generating schemes that actually deliver a valuable service to the user. But, to be fair, users share the fault--if you don't want to read the instructions, you only have yourself to blame for the various toolbars that have been installed on your machine as a result of your super-fast clicking on the "next" button in any given app's installer.
So what do we do? Is it fair of the open-source and freeware world to scorn any developer that tries to make a quick buck? Is it similarly fair for developers to pack their software to the gills with crapware in the hopes that you forget to uncheck a box or two whilst installing? How do we merge the capitalistic ideals of making money with the altruistic aspirations of consumer freeware and open-source development?
Alright, I'll admit it. I finally got hit with a virus.
Well, sort of. I first thought that the strange "YOUR COMPUTER IS NOT PROTECTED" icon in my taskbar was some indication that my antivirus software of choice had finally flipped out for good. Double-clicking on the icon brought up an obviously fake replica of Windows Security Essentials that, more annoyingly, wouldn't close no matter how many times I clicked on it. Over and over, my machine would be assaulted with "*.exe is not secure!" messages. My Internet sessions ground to a halt no matter which browser I tried using. I started to fear for the safety of my World of Warcraft account.
As it turns out, I only got nailed with an annoying piece of malware. But after running through a number of analysis and removal techniques (which ultimately failed, as I had managed to disable the malware's process from starting up as-is using good ol' msconfig), I had amassed quite a list of rootkit removal programs, hardcore malware eliminators, and antivirus applications that were more surgeons in training than general practitioners.
I now share them with you.
Look, it's easy enough to install a common antivirus scanner on your system and call it a day. But you, like me, might forget to do so throughout the course of your PC building life. Or, worse, your system might become compromised in such a way as to render your analytical tools entirely useless. In that case, it's time to roll up your shirtsleeves and get crackin' with the digital equivalent of bleach for your mucked-up PC. Join me after the jump, and I'll share with you some of my favorite advanced freeware and open-source applications for virus and malware elimination!
I've been a relatively fortunate mobile phone owner. I've dropped various phones countless times throughout my geek life, including the extended cleaning of my first-ever iPhone by accidentally introducing it to my apartment complex's pool. I've broken countless critical features on my phones as a result of this clumsiness, the smashing of a phone against the car keys in my pocket, and the general wear-and-tear of a semi-busy lifestyle. In college, I had a flip-phone that was anything but, the exterior having been beaten up and bruised enough to transform the phone's external screen into a strobe light of sorts whenever anyone called. Awesome for parties; useless for caller ID.
I've never lost my phone, though. And every day I board a train to head to work, sit in a taxicab, or go about my business without really paying much attention to where I last put my dialing device, I wonder: Is this it? Will today be the day that some unscrupulous person gets a hold of my iPhone and, by proxy, my entire online life?
In some ways, someone already has.
This isn't some kind of "won't somebody think of the children" scare tactic. It's a simple reality: You're hearing a lot about the wonders of cloud computing at this year's CES. And while that has different applications for the enterprise level than consumer, the practical reality of it for most PC users (and laptop users especially cough-cough-Chrome OS-cough) is that you're taking the data that would otherwise reside on a system within your control and placing it in the hands of another entity.
Cloud applications can be super-useful when you let others run the services that improve your geeky life. Your data, however, is your own--the more consumers coalesce their computing lives into access points, the more this data becomes ripe for abuse... or worse.
As if there weren't already enough infected websites floating around in cyberspace, security researchers are warning of a new mass injection attack that has already compromised more than 130,000 Internet destinations since the attacks first began in late November.
Researchers say the nasty code is a rogue IFrame being used to exploit visitors and inject their PCs with a banking trojan.
"The injected IFrame loads the first stage of malicious content from 318x.com. A series of IFrames and code redirections (invisible to the user) then ensues, culminating in a rather curious method for managing the final payload," explains Mary Landesman, senior security researcher at Web security company ScanSafe, now part of Cisco.
Landesman says the redirects are used to determine the potential victim's web browser, Flash Player version, and other details. Using that information, only exploits relevant to that person's setup are used.
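The injection pattern described above, an IFrame that is invisible to the user and loads content from another host, is something a site owner can check their own pages for. The following is an added detection example, not code from the original article or from ScanSafe; the page HTML, the host names and the frame sizes are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that makes an element invisible or pushes it off-screen.
_HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)

class _IframeAuditor(HTMLParser):
    """Collects IFrames that are both invisible and point at another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []          # list of (src, reason)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).netloc.lower()
        if not host or host == self.page_host:
            return                  # same-host or relative frame: not the injection pattern
        reasons = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero-size")
        if _HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append((src, "external host %s, %s" % (host, ", ".join(reasons))))

def find_hidden_iframes(html, page_host):
    """Return [(src, reason), ...] for invisible cross-host IFrames in html."""
    auditor = _IframeAuditor(page_host)
    auditor.feed(html)
    return auditor.findings

# Constructed page: one legitimate visible embed, one injected invisible frame.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
<iframe src="http://attacker.example/in.php" width="0" height="0"
        style="visibility:hidden;position:absolute;left:-5000px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML, "victim.example"):
        print(src, "->", why)
```

A hit only means the frame is worth a look: compare the page against a known-good copy in source control before treating it as an injection.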
On Saturday, two security researchers warned that if you use cPanel to administer your website or certain Linksys or Netgear routers, you're leaving yourself open to web-based attacks that could potentially take control of your systems.
The attacks are based on CSRF, or cross-site request forgery, which can be exploited simply by surfing to the 'wrong' website, say Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org.
"CSRF is bad stuff," Bailey said at the Defcon hacker conference in Las Vegas. "It's a very under-appreciated vulnerability, and it's all over the place. Because it usually gets rated as a pretty minimal issue, it almost never gets fixed, and that means we have these kinds of holes all over."
A malicious website visited while the victim is logged in to cPanel can trick it into carrying out sensitive commands, because the forged requests appear to cPanel to have come from the victim. And it doesn't look like this will be fixed anytime soon.
"The response I got from cPanel was we can't fix this because it's a feature," Bailey said. "Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."
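What makes CSRF work is that the browser attaches the victim's session cookie to a request no matter which site triggered it, so a web admin panel that trusts the cookie alone cannot tell the two apart. The check below is an added example of how such a panel can reject forged requests; it is not cPanel's or any router vendor's code, and the secret, origin and request objects are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Constructed stand-in for a router/cPanel-style admin endpoint.
SECRET_KEY = b"constructed-server-secret"      # hypothetical server-side secret
ADMIN_ORIGIN = "https://192.168.1.1"           # constructed origin of the admin UI

def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session via HMAC, so it is unguessable."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def is_valid_state_change(request: dict) -> bool:
    """Return True only if a state-changing request really came from our own UI.

    request keys (constructed): 'cookies', 'form', 'headers'.
    A cross-site page can make the browser send the cookie, but it cannot
    read the token or forge a matching Origin, so both checks stop CSRF.
    """
    session_id = request["cookies"].get("session")
    if not session_id:
        return False                                   # not logged in at all
    # Check 1: Origin header must be our UI (browsers set it on cross-site POSTs).
    origin = request["headers"].get("Origin")
    if origin is None or urlparse(origin).netloc != urlparse(ADMIN_ORIGIN).netloc:
        return False
    # Check 2: anti-CSRF token must match the one bound to this session.
    supplied = request["form"].get("csrf_token", "")
    return hmac.compare_digest(supplied, csrf_token_for(session_id))

# Constructed requests: one from the admin page itself, one that a malicious
# site caused the still-logged-in victim's browser to send.
SESSION = "sess-" + secrets.token_hex(4)
LEGIT = {"cookies": {"session": SESSION},
         "headers": {"Origin": ADMIN_ORIGIN},
         "form": {"action": "change_password", "csrf_token": csrf_token_for(SESSION)}}
FORGED = {"cookies": {"session": SESSION},             # browser attaches it anyway
          "headers": {"Origin": "https://evil.example"},
          "form": {"action": "change_password"}}       # no way to know the token

if __name__ == "__main__":
    print("legit accepted:", is_valid_state_change(LEGIT))        # True
    print("forged rejected:", not is_valid_state_change(FORGED))  # True
```

Third-party integrations such as the billing software mentioned above can still be supported by issuing them the token through an authenticated API call rather than by dropping the check.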
You knew it would happen sooner or later; we're just a little surprised it took this long for hackers to release a botnet running on mobile phones. According to Symantec, a piece of malicious software called Sexy Space may be the first documented case.
Like most botnets, Sexy Space relies on quite a bit of user interaction to be effective. Those who ultimately become a zombie in the botnet first receive a text message saying "A very sexy girl, Try it now!" Inside the message is a link that must be clicked, which then asks the potential victim to download software. The software then scours through the user's contact list and sends an SMS with the same message to each person.
Symantec says that this particular botnet is being controlled by a central server, but it remains unclear whether or not the phones respond to remote commands.
We're undoubtedly preaching to the choir on this one, but be wary of any rogue text messages, especially when they ask you to click a link and download software.