TweakTown NewsRefine News by Category:
Samsung will be issuing a fix for a bug that allows unfettered access to a locked Galaxy S3's files "shortly". Meanwhile, Lookout, the company behind the popular antivirus app of the same name, has already produced a fix that is currently available through the Google Play Store.
Lookout describes how their app protects devices from being exploited through this particular bug: "When Lookout detects the emergency contact dialer has been backgrounded, we preemptively bring it back to the forefront so that the rest of the phone cannot be accessed."
Lookout says they expect Samsung to be released shortly, though an official statement from Samsung has not been given. Lookout highly recommends updating to the latest patch whenever Samsung makes it available. You can read Lookout's full blog post about the issue here. To read more about the bug in the Galaxy S III, you can see our other coverage.
China has said that it is willing to cooperate with the US in an effort to curb future cyber-attacks allegedly coming from within its borders. The country said it is ready to open a "constructive dialogue" to help put a stop to internet related attacks.
In a report released by the Associated Press, a spokesperson for China's foreign ministry said that he condemned the recent attacks. "Cyberspace needs rules and cooperation, not wars. China is willing to have constructive dialogue and cooperation with the global community, including the United States."
The response from China comes after White House national security adviser Tom Donilon released a statement saying "China should take serious steps to investigate and put a stop to these activities," and asked the country to "engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace."
Both the US and China have been working diligently to resolve their issues for quite a while now. After a visit by the Chinese Defense Ministry to the White House last year, then-US Defense Secretary, Leon Panetta, said that it was "essential for our two nations to communicate effectively on a range of very challenging issues.. our goal is to establish a constructive relationship for the future." It appears that we may be well on the way to achieving that goal after today's news.
As part of Microsoft's Patch Tuesday, the Windows developer will be pushing out a total of seven updates for Internet Explorer, Silverlight, and Office. Four of the patches are marked "critical", which means that they allow an attacker to run malware on the PC just by the person visiting a web site.
One of the critical patches is destined to fix a security hole present in Internet Explorer 6 to Internet Explorer 10 across XP to Windows 8. The critical Office patch is an interesting one. Woflgang Kandek, CTO at security firm Qualys notes:
"It is puzzling to see such a high rating for this software that typically requires opening of an infected file in order for the attack to work. It will be interesting to see the attack vector for this vulnerability that warrants the 'critical' rating.
Like with all security updates, we recommend that you install these updates as soon as Microsoft makes them available.
At the Pwn2Own hacking competition currently running in Vancouver, Canada, two security researchers from MWR Labs have managed to exploit Google Chrome. As a result of this impressive feat, they have been awarded a $100,000 prize. The exploit relied on a bug in Chrome as well as a bug in the kernel of Windows 7.
By visiting a malicious webpage, users could be susceptible to the exploit, even if they are running fully patched software. The exploit allowed the researchers to run code in the sandboxed renderer process. They then utilized a kernel exploit in Windows 7, which granted them elevated privileges.
MWR Labs will not release details on the exploit until the vendors have a chance to patch the vulnerabilities. Chrome is generally seen as the most secure and was picked because of its wide use and perceived security.
In one of those "why would anyone ever think to try something like this" moments, researchers have discovered that freezing encrypted Android devices will allow them to gain access to previously encrypted data. The encryption scheme used by Android has been a "nightmare" for law enforcement, though it looks like this won't be the case for much longer.
Tilo Muller, Michael Spreitzenbarth and Felix Freiling, researchers at Erlangen's Friedrich-Alexander University, placed Android phones into a freezer until they were below -10C. For some reason, this allowed them to quickly connect and disconnect the battery, placing the phone into a vulnerable mode.
Once the phone was in this state, they could load custom software onto the device. Known as Forensic Recovery of Scrambled Telephones, or FROST for short, the software allowed the data to be copied off to a computer for analysis. Luckily for consumers, the group of researchers are now attempting to figure out a way to prevent this hack from working.
Coming on the heels of a bug that allows partial access to the Galaxy Note II, a new bug has been discovered that provides full access to a device locked with a pin, password, or gesture. The bug was posted on the Full Disclosure mailing list by Sean McMillian and makes use of a variation on the original bug.
ZDNet verified the bug on their Galaxy S III running Android 4.1.2 and note that "the issue is very small and difficult to replicate at first." McMillian's instructions are as follows:
- On the code entry screen, press Emergency Call
- Press Emergency Contacts
- Press the Home button once
- Just after pressing the Home button, press the power button quickly
- If successful, pressing the power button again will bring you to the S3's home screen.
It seems like it's not just Apple that is having security issues stemming from the emergency call function. Samsung has not yet commented on the bug and there is not a current estimate for how long it will take for a fix to be released.
Apple has released an update to Java 6 that patches a zero-day vulnerability discovered a few days ago. Mac OS X Lion and Mountain Lion users should download the Java for OS X 2013-002 update so that they aren't susceptible to the zero-day exploit that has been used in the wild. Mac OS X 10.6 Update 14 can be used for Snow Leopard users.
Oddly enough, Oracle delivers updates for Java 7, while Apple is tasked with keeping Java 6 updated.
In a release today, China's Defense Ministry unveiled new details about alleged cyber-attacks on its websites. The report points a finger at the US claiming that about two-thirds of the security breaches originated from the USA.
Chinese Defense Ministry spokesma, Geng Yansheng, said:
"The Defense Ministry and China Military Online websites have faced a serious threat from hacking attacks since they were established, and the number of hacks has risen steadily in recent years. According to the IP addresses, the Defense Ministry and China Military Online websites were, in 2012, hacked on average from overseas 144,000 times a month, of which attacks from the U.S. accounted for 62.9 percent."
China says that it received more than 144,000 cyber intrusions a month in 2012 and that the US government is responsible for the majority of said breaches. The report comes hot on the heels of a report last month from security firm Mandiant, which traced cyber-attacks on US media outlets back to China.
Another iOS 6.1 lockscreen vulnerability discovered, allows full access to contacts, pictures, and more
More and more bugs continue to be found in Apple's iOS 6.1 update. The latest to be found is another bug that allows people to bypass the lockscreen of a device secured with a pin. This exploit allows direct access to a device's contacts, pictures, videos, and more simply by executing a few easy steps.
The steps are similar to the previous lockscreen bug that was discovered and involves the same process of making a call to an emergency number. The process relies heavily on the earlier exploit, though this one allows hackers to pull data from the device directly through a USB cable, useful if you want to transfer large amounts of data (read: numerous pictures).
Apple has a fix for the first passcode bug already included in the iOS 6.1.3 beta 2 update, though it's not clear if that patch will fix this latest bug to be discovered.
It was only hours ago that Anonymous' Twitter account was hacked, and now it seems that the hacking collective have taken down, or at least infiltrated yet another federal government website.
The latest target is the US State Department, and on top of hacking the site itself, they were able to acquire personal data on hundreds of State department employees, posting it all online. The personal data includes private and work e-mails, phone numbers and addresses that Anonymous dumped on the ZeroBin website.
Anonymous have said that the hack on the US State Department is in retaliation for the arresting of members from LulzSec. Anonymous said within their data post to ZeroBin:
Our reasons for this attack are very simple. You've imprisoned or either censored our people. We will not tolerate things as such. You don't see us going around censoring everything that is inappropriate or we do not like. Basically, you tried to put an end to us and you got owned, there's nothing more you can say or do. You took away Topiary, Avunit, Neuron, Pwnsauce, lolspoon, Aaron Swartz shall we go on?