The last thing you want to be told when buying a new car is that you shouldn't be driving it, and likewise, HTC G1 owners can't be geeked to learn that at least one security researcher is advising against using the Android-based phone's web browser.
Security researcher Charlie Miller says a vulnerability in Google Android makes it possible for hackers to remotely take control of the phone's web browser and other related processes. At that point, hackers could gain access to information saved in the browser and spy on a user's online transactions, including encrypted ones.
Interestingly, Miller notified Google of the flaw back on January 21 and a patch was put forth, which the search company has given to T-Mobile. But as of this writing, T-Mobile has yet to deploy the fix.
"The Android Security Team responded by contacting PacketVideo, T-Mobile, and oCERT, a public Computer Emergency Response Team. PacketVideo developed a fix on February 5th, and they patched Open Source Android two days later," writes Rich Cannings, a Google Android security engineer. "oCERT assisted PacketVideo with coordinating the fix, and they published an advisory detailing this issue. We offered the patch to T-Mobile when it became available, and G1 users will be updated at T-Mobile’s discretion."
No word has been given on when T-Mobile expects to push out the patch.
Losing a single USB key from a nuclear weapons lab could be cause for concern, but what happens when 67 computers are unaccounted for, including 13 that were reported lost or stolen in the past year alone? What happens in this case is that officials claim no classified information has been lost. 0_o
The missing computers came to light after the watchdog group Project on Government Oversight released a memo dated February 3 from the Energy Department's National Nuclear Security Administration, which listed the missing PCs. According to Kevin Roark, a spokesman for Los Alamos, the lab has initiated a month-long inventory to try and account for the mysteriously missing machines, and while he admitted it's a cybersecurity issue due to personal information being stored, he maintains that none of the PCs hold any classified info.
"The magnitude of exposure and risk to the laboratory is at best unclear as little data on these losses has been collected or pursued given their treatment as property management issues," a security administration memo read.
Of the thirteen missing PCs within the past year, three were taken from a scientist's home in Santa Fe, New Mexico on January 16th. There's also a BlackBerry that has gone missing after being lost "in a sensitive foreign country."
As in previous surveys, respondents recognize that people are both an organization’s greatest asset and its weakest link. But security vigilance is even more important in hard economic times, when increased stress levels can lead people to behave in atypical ways.
Ironically, the French had been warned as far back as October to harden their systems, but as we reported last month, millions of PCs hadn't yet been protected by installing KB958644. How bad was the infection, and how was it spread? Hit your afterburners and join us after the jump for details.
Whether you're using Windows and IE, managing Microsoft Exchange or SQL Server at work, or using Microsoft Office, this month's Patch Tuesday has a security update for you. All four security bulletins address Remote Code Execution vulnerabilities in recent and current service packs for each product listed:
IE 7: Windows XP, Windows Vista, Windows Server 2003
Microsoft Office: Visio 2002, 2003, 2007
SQL: SQL Server 2000 Desktop Engine on Windows 2000 and Windows Server 2003; Windows Internal Database (WYukon) on Windows Server 2003 and Windows Server 2008; SQL Server 2000 and SQL Server 2005
Exchange Server: Exchange 2000 Server, Exchange Server 2003, Exchange Server 2007
But Wait, There's More!
Other updates to be released tomorrow include:
Cumulative Update for Windows Vista Media Center (KB960544)
Cumulative Update for Windows Vista Media Center TVPack (KB958653)
Upgrade Rollup for ActiveX Killbits for Windows (KB960715)
February 2009 updates for Windows Mail Junk Email Filter (KB905866) and Windows Malicious Software Removal Tool (KB890830)
In case you missed the earlier stories, MaximumPC readers and many others have been concerned about how easy it was for malware to change UAC levels and subvert the new and allegedly improved User Account Control in Windows 7.
To find out what's changing - and who deserves the credit - join us after the jump.
Today, we live in a world of rapidly diminishing privacy. If you use your employer's email system, it is possible that every message you send or receive is logged and intercepted without your knowledge. This may have unintended or even disastrous consequences if an intercepted email message contains sensitive personal information. Unless your email goes through Secure Sockets Layer (SSL) protected connections, your email is vulnerable to what is known in the IT security field as man-in-the-middle attacks, where an attacker can intercept your message as it flies to its intended recipient.
Email is sent in a format that is easily readable if an attacker can grab and reconstruct enough pieces (packets) from the data transmission with packet sniffing software. Technologies like deep packet inspection make it theoretically possible that any given message that goes over the internet can be sniffed and read by third parties who have the right software and know-how (the feds, your ISP, etc.). While no one may have a real reason to spy on you, relying solely on security through obscurity has always been a poor policy to live by. Because of this, encryption is the only real option you can trust. We teach you how to put your emails in a lockbox before sending them off to their destinations.
So, what is it about Windows 7's UAC that makes it vulnerable? As Zhen puts it:
Windows is a platform that welcomes third-party code with open arms. A handful of these Microsoft-signed applications can also execute third-party code for various legitimate purposes. Since there is an inherent trust on everything Microsoft-signed, by design, the chain of trust inadvertently flows onto other third-party code as well. A phenomenon I’ve started calling “piggybacking”.
To demonstrate, one of the many Microsoft-signed applications that can be taken advantage of is “RUNDLL32.exe”. With a simple “proxy” executable that does nothing more than launch an elevated instance of "RUNDLL32" pointing to a malicious payload DLL, the code inside that DLL now inherits the administrative privileges from its parent process "RUNDLL32" without ever prompting for UAC or turning it off.
It sounds serious, but before you jump to conclusions, join us after the jump for Microsoft's response and a workaround.
When it comes to PC security, you already know the drill: Don't download unknown attachments, avoid clicking on suspicious links, log directly into your online accounts rather than follow a hyperlink, and so forth. These methods work well when dealing with virtual threats, but what happens when miscreants start meshing their malware tricks into the real world?
That's exactly what's going on in North Dakota, where some hybrid car owners have fallen victim to fake parking citations left on the windshield. The citations read "PARKING VIOLATION. This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to ______," where the blank is filled in with a malicious website. Those who go to the website are instructed to download a toolbar to view photos of the ticketed car, but it instead installs a Trojan along with a bogus security alert instructing victims to install a fake antivirus scanner.