The theoretically super-secure Blackphone had a very serious bug in its Silent Text chat app, security researcher Mark Dowd revealed Wednesday after informing the phone’s makers. The vulnerability in Silent Text, which is also available for other devices from Blackphone backer Silent Circle, made it possible for attackers to decrypt messages, take over Silent Circle accounts, gather contacts and location data, and basically take over the phone. The flaw was patched before Dowd went public, and Silent Circle has expressed its gratitude. Probably not the best publicity for the firm as it criticizes other apps for their excessive permission demands on Data Privacy Day, though.
A serious vulnerability in a key Linux library could let attackers take complete control of systems, such as servers, that are based on the open-source operating system. Those running Linux systems are advised to download a patch for their distribution immediately.
Qualys researchers discovered the “Ghost” vulnerability – named for the fact that it can be triggered by “gethostbyname” DNS resolution functions – during a recent code audit.
In a Tuesday blog post and video they said they had “developed a proof-of-concept in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine,” though they won’t release this exploit until they see around half of the Linux servers out there have been patched appropriately.
The researchers said the buffer overflow flaw in the GNU C (“glibc”) library had been around since 2000 and had actually been fixed in 2013 (only versions before 2.18 are affected). However, it wasn’t recognized as a security threat at the time, so many long-term-support versions of Linux distros are still affected.
Distros that are known to be affected include: Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, and Ubuntu 12.04. Patches for these distros are now available to download, and doing so would be a very good idea. End-of-life distros are obviously also affected, but you shouldn’t be using those anyway.
It’s impossible to tell whether the vulnerability has been exploited, though Trend Micro has noted, “with only four or eight bytes as the initial exploit vector, gaining further access is highly dependent on application design and memory usage.” Also, as Robert Graham at Errata Security has pointed out, the gethostbyname() function is obsolete and people should be using the IPv6-friendly getaddrinfo() function instead.
This article was updated at 2.15am PT to include Trend Micro’s observation.
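An added example, not code from the article or from Qualys: a C program that reports whether the running glibc is older than 2.18, the cut-off given above, and resolves a name with getaddrinfo() rather than gethostbyname(). The helper names are hypothetical, and because distro patches keep the upstream version number, an "older than 2.18" result means the distro's glibc package still has to be checked for the fix.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>
#endif

/* 1 if a glibc version string such as "2.17" is older than 2.18, 0 if not,
 * -1 if unparsable. Minor is compared as a number: "2.5" is older than "2.18". */
int glibc_before_2_18(const char *ver)
{
    int major = 0, minor = 0;
    if (ver == NULL || sscanf(ver, "%d.%d", &major, &minor) != 2)
        return -1;
    return (major < 2 || (major == 2 && minor < 18)) ? 1 : 0;
}

/* Resolve host with getaddrinfo() and write its first address to out in
 * numeric form. Returns 0 on success, otherwise an EAI_* error code. */
int resolve_first(const char *host, int flags, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* accept IPv4 or IPv6 results */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;
    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;
    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, (socklen_t)outlen,
                     NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);                /* the result list is heap-allocated */
    return rc;
}

int main(void)
{
    char addr[64];
#ifdef __GLIBC__
    const char *ver = gnu_get_libc_version();
    printf("glibc %s: %s\n", ver, glibc_before_2_18(ver) == 1
           ? "older than 2.18, check for the distro patch" : "2.18 or later");
#endif
    /* Constructed input; AI_NUMERICHOST means no DNS query is sent. */
    if (resolve_first("::1", AI_NUMERICHOST, addr, sizeof addr) == 0)
        printf("::1 -> %s\n", addr);
    return 0;
}
```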
Apple has pushed an automatic update to Macs for the first time, in order to fix a critical vulnerability in the network time protocol (NTP), which is used to synchronize computers’ clocks.
The company typically uses its software update mechanism to issue security updates, with users consciously being involved in the process, but this one was extraordinarily urgent, and led Apple to use an automatic update mechanism that it developed a couple years back but had not used until Monday.
Apple spokesman Bill Evans told Reuters that the firm wanted to protect customers as quickly as possible – and indeed, when it was first released on Monday ahead of the automated push, the update was unusually entitled: “Install this update as soon as possible.”
The flaw was discovered by Google researchers and flagged up by the U.S. government on Friday – it doesn’t just affect Macs, but also systems all the way up to industrial control systems, and the government needed to warn those running critical infrastructure. According to that warning:
These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available…
A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the [NTP daemon] process.
Evans told Reuters that Apple was not aware of any exploitations of the flaw in Macs. The update, which doesn’t require a restart, was released for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1.
This article was updated a couple minutes after initial publication to change the word “forces” in the headline to “leads” — it occurred to me that “forces” sounded unnecessarily harsh, given that the company is trying to protect its users from a vulnerability that wasn’t of its own making.
The “WinShock” vulnerability has been around and exploitable for the better part of two decades. While there’s no evidence that it has been exploited, it can let attackers take over the victim’s PC.
Major service and software providers are taking or have taken steps to limit the fallout of the bug, which affects vast swathes of internet infrastructure and probably many devices, too.
Experts are saying the flaw, which affects the bash shell used across many Unix-based systems including Mac OS X and variants of Linux, is more serious than the Heartbleed flaw earlier this year.
The vulnerability is of particular concern for those with old Android devices that no longer receive firmware updates. However, Google says the Play Store remains a safe place from which to download apps.
While not as severe as April’s heart-stopping Heartbleed vulnerability, this flaw could for example allow people operating fake Wi-Fi hotspots to intercept, decrypt and manipulate supposedly secure traffic being passed between a user and a web service.
Researchers have discovered a serious flaw known as Heartbleed that affects the security software that runs on about two-thirds of the servers on the internet and could expose user data, including passwords. Here’s what you need to know about it.
The vulnerability could allow data theft or the hijacking of a handset and it affects almost all Android devices. However, those sticking to the Play Store should be able to stay safe.