
Wednesday, August 3, 2011

The Security Fail Run Down: Insecure Things You Can Hack Today! and Epic Corp Fails For Shits and Giggles!

Cross Application Scripting vulnerability in Android browser 


IBM researchers recently found a vulnerability in the stock Android Browser that a non-privileged application can exploit to inject JavaScript into the context of any domain. This has the same impact as a universal XSS, except that the injection comes from an installed application rather than from another website.

Android 2.3.5 and 3.2 have been released with a fix for this bug; patches for Android 2.2.x exist and will be released at a later date. The complete advisory can be found here. The browser holds sensitive data such as cookies, cache and history, and injected JavaScript could extract that data, indirectly breaking the Android sandbox. The attack exploits flaws in how the browser handles requests from other applications to view web pages.

IBM demonstrates the proof of concept for Android Cross Application scripting



Operation Shady RAT - Biggest Cyber Attacks in history uncovered


When the history of 2011 is written, it may well be remembered as the Year of the Hacks. McAfee has published a new report that it says is one of the most comprehensive analyses ever revealed of victim profiles from a five-year targeted operation by a single actor, dubbed Operation Shady RAT.

McAfee's 14-page report details the largest coordinated cyber attack recorded to date. The campaign, possibly orchestrated by China, broke into 72 organizations over the course of five years. The victims were located in the US, Canada, Taiwan, India, South Korea and Vietnam, and included the UN, the International Olympic Committee, the World Anti-Doping Agency, defense contractors, tech companies and more. Most intrusions lasted less than a month, but some, such as the one at the UN Secretariat, lasted almost two years.

McAfee says it learned of the extent of the campaign in March this year, when its researchers found logs of the attacks while reviewing the contents of a command-and-control server directing some of them. That server had been identified in 2009 during an investigation into security breaches at defense companies.

The name, Operation Shady RAT, refers to the acronym for 'remote access tool', software that gives a user access to a computer or network. McAfee says further attacks from the same source may still be going undetected. While McAfee has not said who is behind the attacks, other security experts have suggested that China is the likeliest candidate.

This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries; the only organizations exempt from this threat are those that have nothing valuable or interesting worth stealing.


Zero-day flaw in WordPress image utility lets attackers upload files and execute code


Hackers are exploiting a zero-day vulnerability in TimThumb, a free image-resizing utility widely used by WordPress themes. Mark Maunder, CEO of Seattle-based technology firm Feedjit, discovered the flaw after his own blog was hacked to load advertising content; he traced the compromise back to the TimThumb copy his theme uses.

Vulnerability in brief:
An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven’t audited the rest of the code, so this may or may not fix all vulnerabilities. Also recursively grep your WordPress directory and subdirs for the base64_decode function and look out for long encoded strings to check if you’ve been compromised.
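The allow-list check described above, modelled in shell as an added example (this is not TimThumb's own code, which is PHP). The first function reproduces the partial match: a remote URL is accepted if any allowed site name appears anywhere in it, so a host such as blogger.com.attacker.example, or an allowed name placed in the path, passes. The second function extracts the hostname and requires it to equal an allowed site or be a subdomain of one. The ALLOWED_SITES list and the sample URLs are assumed for the demonstration.

```shell
#!/bin/sh
# Added example: substring ("partial") host matching versus exact host matching.
# ALLOWED_SITES is an assumed subset of the utility's default allow-list.
ALLOWED_SITES="flickr.com picasa.com blogger.com img.youtube.com"

# Hostname of a URL, lower-cased: scheme, user-info, port, path and query removed.
url_host() {
    h=${1#*://}          # drop the scheme
    h=${h%%/*}           # drop the path
    h=${h%%\?*}          # drop a query that follows the host directly
    h=${h##*@}           # drop user-info
    h=${h%%:*}           # drop the port
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Vulnerable check: allowed if an allowed site name occurs ANYWHERE in the URL.
is_allowed_partial() {
    src=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for site in $ALLOWED_SITES; do
        case "$src" in
            *"$site"*) return 0 ;;
        esac
    done
    return 1
}

# Hardened check: the hostname itself must be an allowed site or a subdomain of one.
is_allowed_strict() {
    host=$(url_host "$1")
    for site in $ALLOWED_SITES; do
        [ "$host" = "$site" ] && return 0
        case "$host" in
            *".$site") return 0 ;;
        esac
    done
    return 1
}

# Demonstration on constructed URLs: a legitimate image and two attacker-controlled ones.
for u in 'http://farm1.static.flickr.com/1/2.jpg' \
         'http://blogger.com.attacker.example/shell.php' \
         'http://attacker.example/flickr.com/shell.php'; do
    if is_allowed_partial "$u"; then p=allowed; else p=denied; fi
    if is_allowed_strict "$u";  then s=allowed; else s=denied; fi
    printf '%-48s partial=%-7s strict=%s\n' "$u" "$p" "$s"
done
```

The partial check accepts both attacker URLs; the strict check accepts only the flickr.com image. Clearing the allow-list, as the steps below do, is the immediate mitigation; an exact-host comparison is what a remote-fetch feature needs if it is kept at all.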

The utility, a PHP script used for cropping, zooming and resizing web images, “is inherently insecure because it relies on being able to write files into a directory that is accessible by people visiting your website,” Maunder said. “That's never a good idea.”

An attacker can upload files and execute code on an affected site without the owner's knowledge. The latest version of the utility, TimThumb 1.33, is affected by the issue. Its developer, Ben Gillbanks, is working on a fix after his own site was also hacked using the same method.

Maunder provided instructions for disabling the utility's ability to load images from external sites, which is one way to resolve the issue:

  1. SSH into your web server. You can use PuTTY if you use Windows, and you'll need to know your username and password.
  2. cd into your WordPress installation directory. That is going to vary according to which host you're using or how you've installed it.
  3. You need to find every copy of timthumb.php on your system. Use the following command: find . -name 'timthumb.php'
  4. It will show you a list of where timthumb.php is located. You may want to repeat this command using 'thumb.php' as some users have reported that's what it's called on their systems.
  5. Edit timthumb.php using a text editor like pico, nano or (if you know what you're doing) vim. You would type nano directory/that/tim/thumb/is/in/timthumb.php for example.
  6. Go down to line 27 where it starts $allowedSites = array (
  7. Change it to remove all the sites listed like "blogger.com" and "flickr.com". Once you're done the line should look like this from $allowedSites to the semi-colon:
  8. $allowedSites = array();
  9. Note the empty parentheses.
  10. The next line should be blank and the following line will probably say "STOP MODIFYING HERE".
  11. That's it. Save the file and you're done.
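The steps above scripted, together with the base64_decode check from Maunder's summary, as an added example that is not from Maunder's post or the TimThumb project. It finds every timthumb.php and thumb.php under a directory, reports whether each copy's $allowedSites is still populated, rewrites a populated copy to the empty array() form (steps 6 to 8), and lists PHP files that pass base64_decode a long literal, the sign of an injected backdoor. The sample tree it builds, the theme names and the planted cache file name are constructed for the demonstration; run the functions against a real installation at your own pace, and keep a backup before rewriting anything.

```shell
#!/bin/sh
# Added example, not TimThumb's or Maunder's code. Theme names, the sample
# tree and the planted cache file below are constructed for the demonstration.

# Print "path<TAB>status" for every timthumb.php or thumb.php under $1.
# EMPTY: $allowedSites already cleared; POPULATED: remote hosts still listed.
audit_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
    while read -r f; do
        if grep -Eq '^[[:space:]]*\$allowedSites[[:space:]]*=[[:space:]]*array[[:space:]]*\([[:space:]]*\)[[:space:]]*;' "$f"; then
            printf '%s\tEMPTY\n' "$f"
        elif grep -q '\$allowedSites' "$f"; then
            printf '%s\tPOPULATED\n' "$f"
        else
            printf '%s\tNO_ALLOWLIST\n' "$f"
        fi
    done
}

# Number of copies under $1 with the given status.
count_status() {
    audit_timthumb "$1" | awk -F '\t' -v s="$2" '$2 == s { n++ } END { print n + 0 }'
}

# Steps 6-8 automated for one file: replace a multi-line
# "$allowedSites = array ( ... );" with "$allowedSites = array();".
# A copy whose list is already empty is left untouched.
clear_allowed_sites() {
    awk '
        /\$allowedSites[[:space:]]*=[[:space:]]*array[[:space:]]*\(/ && !/\)/ {
            print "$allowedSites = array();"; skipping = 1; next
        }
        skipping && /^[[:space:]]*\)[[:space:]]*;/ { skipping = 0; next }
        skipping { next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# PHP files under $1 that feed base64_decode a long (100+ character) literal.
find_suspicious_base64() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        "base64_decode[[:space:]]*\([[:space:]]*['\"][A-Za-z0-9+/=]{100,}" {} + || true
}

# Build a constructed sample WordPress tree in a temp dir and print its path.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/theme-a" "$root/wp-content/themes/theme-b/inc" "$root/wp-content/cache"
    # an unmodified copy: remote hosts still allowed
    cat > "$root/wp-content/themes/theme-a/timthumb.php" <<'EOF'
<?php
// constructed sample of an unmodified copy
$allowedSites = array (
    'flickr.com',
    'picasa.com',
    'blogger.com',
);

// STOP MODIFYING HERE
EOF
    # a copy already fixed per the steps above (this theme renamed it thumb.php)
    cat > "$root/wp-content/themes/theme-b/inc/thumb.php" <<'EOF'
<?php
$allowedSites = array();

// STOP MODIFYING HERE
EOF
    # a planted file of the kind an exploit leaves in the cache directory
    # (the encoded string is 240 filler characters, not a real payload)
    printf '<?php eval(base64_decode("%s"));\n' \
        "$(awk 'BEGIN { for (i = 0; i < 120; i++) printf "Qg" }')" \
        > "$root/wp-content/cache/external_abc123.php"
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree.
sample=$(build_sample_tree)
echo "Before:";     audit_timthumb "$sample"
clear_allowed_sites "$sample/wp-content/themes/theme-a/timthumb.php"
echo "After:";      audit_timthumb "$sample"
echo "Suspicious:"; find_suspicious_base64 "$sample"
rm -rf "$sample"
```

The audit reports theme-a as POPULATED and theme-b as EMPTY, then both as EMPTY after the rewrite, and lists only the planted cache file as suspicious. A hit from find_suspicious_base64 is a lead, not proof: some legitimate plugins also embed encoded data, so inspect each flagged file before removing it.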

CA security finds Android Trojan which records phone calls


A new Android Trojan is capable of recording phone conversations, according to CA security researcher Dinesh Venkatesan. The Trojan is triggered when the device places or receives a call, and saves the audio file and related call information to the phone's microSD card.

The malware also "drops a 'configuration' file that contains key information about the remote server and the parameters," Venkatesan writes in a blog post, suggesting that the recorded calls may be uploaded to a server maintained by an attacker.

According to the post, the Trojan presents itself as an "Android System Message" that requires the user to press an "Install" button before it can install itself on the phone. Once installed, it records all incoming and outgoing calls to a directory on the microSD card as .amr files, along with details of each call, including its duration, in a text file.

Venkatesan tested the Trojan in "a controlled environment with two mobile emulators running along with simulated Internet services," and posted screenshots of the results. It appears the Trojan can only be installed if the device owner taps the "Install" button on a prompt that looks strikingly similar to the installation screens of legitimate applications.

"As it is already widely acknowledged that this year is the year of mobile malware, we advise the smartphone users to be more logical and exercise the basic security principles while surfing and installing any applications," Venkatesan writes.

Via: HNN
