For shame, Google. The G1 has barely even launched, and it’s already faced with its first major breach. An exploit has been discovered by an independent security expert which could potentially allow hackers to hijack the web browser on the G1, allowing them access to users’ passwords, cookies and text messages.
The exploit was discovered by Charlie Miller of Independent Security Evaluators, who first noticed the hole in the Android SDK. He bought an early G1 off a T-Mobile employee on eBay, confirmed that the exploit worked on the real deal, and reported the problem to Google two days before the G1 launched.
The exploit takes advantage of a buffer overrun flaw in one of Androids 80 open-source components. Android uses an out-of-date version of the component, newer versions have addressed the flaw. To protect G1 early-adopters, Miller hasn’t publicized which of the 80 components is the one with the weakness.
Google’s response? “We are working with T-Mobile to include a fix for the browser exploit, which will soon be delivered over the air to all devices, and have addressed this in the Android open-source platform.”
Redmond usually releases security patches once a month, on Patch Tuesday, but Microsoft's security experts are worried enough about a newly reported vulnerability in the Server service to post an "out-of-band" security update, MS08-067, yesterday for all versions of Windows from Windows 2000 SP4 through Windows Server 2008 and Windows 7 pre-beta. Microsoft hasn't issued a security update between Patch Tuesday releases since April 2007, so this is a significant security issue.
Although all supported versions of Windows are vulnerable, Windows 2000 SP4, Windows XP, and Windows Server 2003 versions are especially vulnerable to this flaw, which can permit remote code execution via a specially crafted RFC request.
To find out what makes this vulnerability so critical, and to learn how to get the update, join us after the jump.
And now, a whole new way for your privacy to be invaded. Computer scientists at the EPFL in Switzerland have developed a way to eavesdrop on what you type by detecting the electromagnetic radiation emitted with every keystroke, Engadget reports.
The group developed four techniques for listening in on keystrokes, and tested them on 11 keyboards, produced from 2001 to 2008 and including USB, PS/2 and laptop keyboards. Every one of the devices was vulnerable to at least one of the methods. Some of the techniques are effective from as far away as 65 feet, and through walls.
Martin Vuagnoux, one of the scientists responsible, has posted twovideos demonstrating the vulnerability on Vimeo. The first of the two videos shows a meter-long wire being used as an antenna to detect the emissions of a keyboard several feet away. A program successfully decodes the message “trust no one” from these emissions. The second video shows an antenna that looks a bit like a pair of gigantic egg beaters eavesdropping on a keyboard from one room over.
The technique is pretty cool to see in motion (if a bit scary) so check out those videos and hit the jump to give us your thoughts.
I know it, you know it, almost everybody that reads Maximum PC knows it - but that doesn't mean that your family, your co-workers, or your bosses know it. What's it? Simply this: Microsoft never - repeat never - sends out security updates via email.
The email, ironically enough, claims that "Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users." And, it's signed "Steve Lipner, Directory of Security Assurance, Microsoft Corp."
Well, at least the bad guys got Steve's name right. However, he's actually senior director of security engineering strategy in Microsoft’s Trustworthy Computing Group, according to a recent interview.
The message (minus the Trojan, of course), is available at the Microsoft Malware Protection Center blog, where you can see for yourself the classic hallmarks of a fake message: a shaky command of the English language, sentence construction that's so stiff it belongs on a Victorian-era calling card, and off-the-wall sentiments that show it was adapted from a different con job document: "We apologize for any inconvenience this back order may be causing you." Back order? Whaat? I didn't order any malware!
Already getting calls from frantic family, friends, or co-workers wondering why their PCs have slowed to a crawl or become infested by popups? Join us after the jump for solutions.
When it comes time to shop for a videocard, most people are concerned about the pixel pushing power and how well a new GPU can handle Crysis. Yet others are more concerned with a videocard's ability to fit into a home theater PC setup, both physically and functionally. Some GPUs are even sought after for their ability to fold proteins, but apparently there's another use emerging, one with malicious intent.
According to Global Secure Systems, a Russian firm used Nvidia GPUs to break through WPA and WPA2 encryption. Assuming the report is accurate, the implications are nothing less than frightening, as GSS claims the brute force attack managed to accelerate WiFi 'password recovery' times by up to 10,000 percent.
"This breakthrough in brute force decryption of WiFi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data," noted David Hobson, managing director of GSS. "As a result, we now advise clients using WiFi in their offices to move on up to a VPM encryption system as well."
But even moving to a VPN may not be enough, as many VPNs use AES encryption just like WPA2. And by throwing videocards into the mix (it remains unclear which specific Nvidia GPUs were utilized), accessibility quickly becomes a growing concern.
Does this latest attack concern you? Hit the jump and post your thoughts.
October's Patch Tuesday's bigger than normal, with 11 security bulletins (four critical, six important, and one moderate) affecting the following desktop operating systems and applications:
Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, Windows XP, and Windows Vista get patched to stop a remote code execution threat
Windows XP SP2 and SP3 and Windows XP Professional x64 and XP Professional x64 SP2 will be patched to stop elevation of privilege attacks
Windows 2000 SP4 through Windows Vista SP1 will also be as updated needed to prevent remote code execution
Microsoft Excel 2000 SP3, Excel 2002, Excel 2003 SP2/SP3, and Excel 2007/2007 SP1 will be updated against a critical vulnerability, as will Excel Viewer 2003/2003 SP3, Excel Viewer, and MS Office Compatibility Pack and Compatibility Pack's SP1.
What else is coming down the chute starting Tuesday?
Windows Vista Media Center gets a pair of updates (one for the TV Pack, and one for everyone), as well as the usual updates to the Malicious Software Removal Tool, Windows Mail Junk Email Filter and Customer/Windows Vista Experience Improvement Program.
However, the biggest news is the premiere of the Microsoft Active Protections Program and Exploitability Index we told you about in August. Hopefully, these programs will aid the never-ending battle against the bad guys in cyberspace.
Those kooky hackers, what will they think of next? The latest fad sweeping the underground community involves a new type of attack (new in how it's being used, anyway) dubbed 'clickjacking,' whereby surfers click on seemingly harmless websites only to end up unknowingly forfeiting control of their webcam and microphone.
So far, clickjacking has been confirmed to affect Adobe's Flash player and for every major browser, such as Firefox, Internet Explorer, Opera, Safari, and yes, it affects Google's Chrome browser too.
"It is a very serious problem," said Giorgio Maone, author of the NoScript Firefox extension. "Clickjacking is a very simple attack to build, and now that the details are out, any script kid can try it successfully. There's no estimate to the number of trap sites."
Maone went on to warn that clickjacking is impervious to signature-based scanning. Adobe has recognized the threat as being "critical" and is instructing users on how to turn off Flash access to webcams and microphones. But is it a cure all? According to Robert Hansen, CEO of SecTheory, Flash clickjacking represents but a single variant of what could turn out to be a widespread threat, and that the only real fix will be in changing existing web standards, not the individual applications themselves.
Find out how the latest version of NoScript helps Firefox users fight back against clickjacking after the jump.
Panda Security has released its quarterly report for the third quarter and in it the security vendor notes a sharp rise in the amount of adware. According to Panda, adware accounted for 22.03 percent of adware in Q2, but that number has jumped to 37.49 percent in Q3, which is more than a third of all infections. Panda attributes the trend to the amount of fake antivirus programs in the wild.
The report also puts social networking in the spotlight, the popularity of which has made them particularly prone to cyber attacks. Of the social networking sites, Panda notes that MySpace has been both the first victim and most frequently targeted by hackers.
"Attacks on social networks are not new phenomenon; the first recorded incident occurred in 2005," the report says. "However, attacks have increased ad diversified just as the number of users has grown. These attacks aren't focused exclusively on distributing malware, but also involve phishing, identity theft, or propagation of spam."
Believe it or not, there are security options out there other than AVG. McAfee, being one of them (surely you've run across McAfee on an OEM rig or two), announced plans to acquire network security vendor Secure Computing for around $465 million. The move, according to McAfee, is intended to beef up the company's network security portfolio.
"Today's announcement of this pending acquisition is a natural extension of McAfee's security-only focus," Dave DeWalt, CEO and president of McAfee, said in a statement. "We expect the pending combination of McAfee and Secure Computing will create an annual projected combined revenue of just under $500 million in the network security segment of our SRM (security risk management) portfolio."
Before the acquisition can go through, it must first pass regulatory approvals and get the green light from Secure Computing's stockholders, all of which is expected to be finalized by the end of the year.
Windows Live has come a long way since it was first introduced as a Microsoft brand in 2006. The first wave bolted Hotmail, Messenger, and Spaces into a single download. In last year's second wave, tools like SkyDrive, Events, Photo Gallery, LiveWriter, Calendar, and Family Safety joined the family, along with support for mobile devices. This week, Microsoft rolled out its third wave, adding a new member to the Windows Live family (Movie Maker) and new features to several existing programs (Messenger, Photo Gallery, Writer, Toolbar, and more). We've already told you about the new features in Hotmail, so join us after the jump to find out what's new and improved.