A take on the security news, week 35 2015

Mon 24 August 2015

A take on the security news, week 35 / 2015. I summarize some of the information-security news I considered noteworthy this week.
Predictable Android lock patterns, an enterprise iOS vulnerability, backdooring JavaScript with minifier bugs, and a critical Firefox update


Your Android lock pattern is predictable

Marte Løge, a graduate from NTNU, has analyzed almost 4000 samples of Android lock patterns as part of her thesis. One of the conclusions is that they are predictable: people tend to use easily memorable patterns, often shaped as a letter.

The advice is to use as many nodes as possible when creating the pattern, 8 or 9 if you can, and to choose crossover patterns (lines that pass back over nodes already in the pattern). You should also disable the "visible pattern" option in the security settings, so that the pattern is not drawn on screen while you enter it, to make shoulder surfing harder.
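To see why the node count matters, here is an added example (not code from the thesis or from the article) that enumerates the lock-pattern space by length under the lock screen's drawing rules: nodes are the 3x3 grid numbered 1 to 9, a node can be used once, and a straight move across an intermediate node is only allowed when that node is already part of the pattern. The sample patterns at the bottom are constructed for illustration.

```javascript
// Nodes are numbered 1..9 over a 3x3 grid, row-major (1 top-left, 9 bottom-right).
// The eight pairs below have a node directly between them; a move between such a
// pair is only legal when the middle node is already in the pattern. For every
// pair the middle node happens to be (a + b) / 2. Keyed as from * 10 + to.
const SKIP = new Map();
for (const [a, b] of [[1, 3], [4, 6], [7, 9], [1, 7], [2, 8], [3, 9], [1, 9], [3, 7]]) {
  SKIP.set(a * 10 + b, (a + b) / 2);
  SKIP.set(b * 10 + a, (a + b) / 2);
}

// Is a single move from `from` to `to` legal given the nodes already used?
function moveAllowed(from, to, visited) {
  if (visited.has(to)) return false;            // a node is used at most once
  const mid = SKIP.get(from * 10 + to);
  return mid === undefined || visited.has(mid); // crossing needs the middle node used
}

// Validate a whole pattern: 4..9 nodes in range, distinct, every move legal.
function isValidPattern(nodes) {
  if (nodes.length < 4 || nodes.length > 9) return false;
  if (!nodes.every((n) => Number.isInteger(n) && n >= 1 && n <= 9)) return false;
  const visited = new Set([nodes[0]]);
  for (let i = 1; i < nodes.length; i++) {
    if (!moveAllowed(nodes[i - 1], nodes[i], visited)) return false;
    visited.add(nodes[i]);
  }
  return true;
}

// Count every valid pattern, grouped by the number of nodes it uses,
// with a depth-first walk over all legal extensions from each start node.
function countPatternsByLength() {
  const counts = { 4: 0, 5: 0, 6: 0, 7: 0, 8: 0, 9: 0 };
  const dfs = (last, visited) => {
    if (visited.size >= 4) counts[visited.size]++;
    if (visited.size === 9) return;
    for (let next = 1; next <= 9; next++) {
      if (!moveAllowed(last, next, visited)) continue;
      visited.add(next);
      dfs(next, visited);
      visited.delete(next);
    }
  };
  for (let start = 1; start <= 9; start++) dfs(start, new Set([start]));
  return counts;
}

// Total size of the pattern space, and the worst-case (uniform-choice) bits
// a brute-forcer faces for one length. Human bias makes the real figure far lower.
function totalPatterns(counts) {
  return Object.values(counts).reduce((sum, n) => sum + n, 0);
}
function uniformBits(count) {
  return Math.log2(count);
}

// Constructed sample patterns for illustration.
const LETTER_L = [1, 4, 7, 8, 9];        // the letter-shaped pattern the thesis warns about
const CROSSOVER = [2, 1, 3, 6];          // 1 -> 3 crosses back over the already-used node 2
const ILLEGAL = [1, 3, 2, 5];            // 1 -> 3 would skip the unused node 2
```

Running `countPatternsByLength()` shows how lopsided the space is: a 4-node pattern has only a few thousand possibilities, while 8- and 9-node patterns each have over a hundred thousand, which is the point behind the "use 8 or 9 nodes" advice.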


Microsoft changes their policy about information on updates

Microsoft will only explain what they call "significant" updates to Windows 10. So when an update promises "improvements to enhance the functionality of Windows 10", we will not necessarily get any information about what that functionality is.



Quicksand iOS vulnerability

A sandbox violation vulnerability was discovered in iOS that lets an MDM-managed application read the configuration of all other MDM-managed applications (that is, the Managed Preferences). The correct behaviour is that an app can only read its own configuration. This is a problem because many applications store sensitive data (usernames, passwords and other credentials) in that configuration in plaintext.

The vulnerability is patched in iOS 8.4.1, so the main advice is to upgrade if you can.


Backdooring JavaScript using minifier bugs

Yan has an interesting blog post where she gives an example of how you can use bugs in a minifier to introduce "vulnerabilities" into the minified JavaScript that are not present in the non-minified version of the script. The source that gets reviewed looks harmless; only the bundle that actually ships is broken.
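The practical defence is differential testing: run the source and the minified build over the same inputs and fail the build on any disagreement. The following is an added example, not code from Yan's post, and the "minified" function is a constructed stand-in for the class of bug (a boolean simplification that is only sound when both operands are already booleans), not the exact transformation the post describes. The probe inputs are constructed as well.

```javascript
// The guard as written by the developer: let the request through only when
// the two values agree in truthiness. `!x == !y` coerces both sides to
// booleans before comparing, so it works for numbers, strings, null, etc.
function sameTruthinessOriginal(a, b) {
  return !a == !b;
}

// What a buggy boolean-simplification pass could emit for the line above.
// Dropping both negations is only sound when a and b are already booleans.
// Constructed for this example; not the transformation from the post.
function sameTruthinessMinified(a, b) {
  return a == b;
}

// Differential check: call the source and the minified function with the
// same arguments and return the first input on which they disagree, or null.
function findDivergence(original, minified, inputs) {
  for (const args of inputs) {
    const expected = original(...args);
    const actual = minified(...args);
    if (expected !== actual) return { args, expected, actual };
  }
  return null;
}

// Constructed probe inputs: booleans (where the rewrite is fine) plus the
// non-boolean values real code passes around (numbers, strings, null, arrays).
const PROBE_INPUTS = [
  [true, true], [true, false], [false, false],
  [1, 1], [0, 0], [1, 2], [0, ""], ["admin", "user"], [null, undefined], [[], 0],
];

// Report for a build step: which inputs flip the guard between the two builds.
function minifierReport(original, minified, inputs) {
  const divergence = findDivergence(original, minified, inputs);
  return divergence === null
    ? { ok: true }
    : { ok: false, firstDivergence: divergence };
}
```

`findDivergence(sameTruthinessOriginal, sameTruthinessMinified, PROBE_INPUTS)` stops at `[1, 2]`: the source returns `true` (both operands are truthy) while the rewritten version returns `false`, so a guard that was meant to compare truthiness now compares raw values. In a real pipeline you would drive both bundles from the same fixture set rather than a hand-picked list.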



Android Certifi-gate exploitation in the wild

The article provides a breakdown of how "Recordable Activator" leverages the Certifi-gate vulnerability to capture your screen content.

Recordable Activator is available on Google Play, and the app bypasses Android permissions by misusing a flawed TeamViewer plugin to escalate privileges.


Amazon no longer accepts Flash ads on Amazon.com

Maybe a natural move since browsers are starting to block Flash by default. Flash ads have also been used to serve malware.


Hardcoded default credentials in DSL routers

DSL routers from several manufacturers have been found to have hardcoded credentials that let anyone who can reach them log in over Telnet. If you have one of the vulnerable routers, see if you can disable Telnet (at least from the WAN side), or whether there is a firmware update for the device.

Affected routers include models from Asus, Digicom, Observa Telecom, ZTE and others.


RTF document with embedded malware

By chaining several exploits, attackers can use an RTF document to deliver a complete RAT (remote access tool). The RAT then communicates over encrypted channels.

The attack bypasses ASLR by tricking the system into loading older versions of libraries that were compiled without the /DYNAMICBASE linker flag, so they load at a predictable address.
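Whether a module opts in to ASLR is recorded in the DllCharacteristics field of its PE optional header (bit 0x0040, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE). The following is an added example, not code from the article, that reads that field so you can audit the DLLs an application pulls in; the sample image it parses is a constructed, minimal PE32+ header, not a real binary.

```javascript
// Documented PE DllCharacteristics bits.
const IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020; // 64-bit ASLR
const IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040;    // /DYNAMICBASE: relocatable, ASLR applies
const IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100;       // /NXCOMPAT: DEP

// Read DllCharacteristics from a PE image held in a Uint8Array (or Buffer).
// Only the fields needed for the check are parsed; malformed input throws.
function readDllCharacteristics(bytes) {
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (bytes.length < 0x40 || dv.getUint16(0, true) !== 0x5a4d) {
    throw new Error("not a DOS/PE image (missing MZ)");
  }
  const peOffset = dv.getUint32(0x3c, true);             // e_lfanew
  if (peOffset + 4 + 20 + 72 > bytes.length) {
    throw new Error("truncated headers");
  }
  if (dv.getUint32(peOffset, true) !== 0x00004550) {     // "PE\0\0"
    throw new Error("missing PE signature");
  }
  const optHeader = peOffset + 4 + 20;                   // after the 20-byte COFF header
  const magic = dv.getUint16(optHeader, true);           // 0x10b PE32, 0x20b PE32+
  if (magic !== 0x10b && magic !== 0x20b) {
    throw new Error("unknown optional header magic 0x" + magic.toString(16));
  }
  // DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
  return dv.getUint16(optHeader + 70, true);
}

// Summarise the mitigation flags a loader will honour for this module.
function aslrStatus(bytes) {
  const dc = readDllCharacteristics(bytes);
  return {
    dynamicBase: (dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) !== 0,
    nxCompat: (dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) !== 0,
    highEntropyVa: (dc & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) !== 0,
  };
}

// Constructed sample: a synthetic PE32+ header carrying only the fields the
// parser looks at, with the given DllCharacteristics value. Not a real binary.
function buildSampleImage(dllCharacteristics) {
  const bytes = new Uint8Array(0x200);
  const dv = new DataView(bytes.buffer);
  dv.setUint16(0x00, 0x5a4d, true);       // "MZ"
  dv.setUint32(0x3c, 0x80, true);         // e_lfanew: PE header at 0x80
  dv.setUint32(0x80, 0x00004550, true);   // "PE\0\0"
  dv.setUint16(0x84, 0x8664, true);       // Machine: x64
  dv.setUint16(0x94, 240, true);          // SizeOfOptionalHeader for PE32+
  dv.setUint16(0x98, 0x20b, true);        // optional header magic: PE32+
  dv.setUint16(0x98 + 70, dllCharacteristics, true);
  return bytes;
}

// Names of modules that would load at their fixed ImageBase, i.e. the ones an
// attacker can use as a stable source of gadgets the way the article describes.
function modulesWithoutAslr(images) {
  return Object.entries(images)
    .filter(([, bytes]) => !aslrStatus(bytes).dynamicBase)
    .map(([name]) => name);
}
```

For a real DLL, read the file into a `Uint8Array` (for example with `fs.readFileSync`) and pass it to `aslrStatus`. A module without DYNAMIC_BASE loads at its preferred ImageBase every time, which is exactly the fixed address an exploit needs; if such a library ships alongside an application, it is the first thing to replace or rebuild.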


Grsecurity pulls their stable branch

Due to intellectual property problems, grsecurity announces that their stable branch will only be available to sponsors. Grsecurity blames unnamed embedded-system vendors for not playing by the rules and violating the GPL license on their code.



Firefox update 40.0.3

Mozilla patches Firefox due to two serious flaws.

The first is rated critical and can potentially be exploited to execute arbitrary code with the privileges of the user running Firefox.

The second is rated high severity: an attacker could exploit it to get users to install a rogue add-on by tricking them into thinking the add-on comes from a trusted source.