Posts with tag security exploit

Somebody plug that hole before we drown

Newly published iOS 7 security flaw leaves your email attachments unencrypted

Apple’s mobile platform is under fire once again today, this time after a new disclosure showed that iOS 7 leaves users’ email attachments unencrypted, potentially allowing enterprising hackers to grab any files sent and received by an iPhone, iPad, or iPod touch running iOS 7.0.4 or newer. The flaw was revealed today by security researcher Andreas Kurtz and published by ZDNet.

The screenshot above shows that to access an attachment, all anyone needs to do is navigate to the “Mail” folder hidden inside an iPhone, where the attachments sit ready for anyone to open. Apple has responded to the discovery by confirming that the issue does exist; however, the company has yet to confirm when it will be patched. Apple regularly issues security updates to its platforms, and one can expect that this pretty significant issue will be fixed well before the introduction of iOS 8, which is expected at this year’s WWDC developer conference.

Via: MacRumors
Source: ZDNet

Google, get on this

New security issue crashes Nexus smartphones with a simple SMS

If you’ve got a Nexus 4 or a new Nexus 5 running Android 4.0 to Android 4.4, you’d best be wary of any odd SMS messages for a time. According to PC World, a glitch exists in the two latest versions of Android that allows attackers to rapidly send 30 “flash” messages to Nexus devices, which causes a system crash that forces a hard reboot.

The issue stems from the fact that Android doesn’t notify users with an audio tone when being sent a flash SMS message, which allows these messages to build up, leading to an overflow of sorts and therefore a crash. Google is said to be aware of the issue and has been working on a fix for some time now; however, PC Magazine has only just reported the issue.

Source: PC Magazine

The labels will not be pleased

Security hole lets users download pre-release albums from iTunes for free

A new security hole discovered today allows users to download any pre-release album streaming from iTunes entirely free of charge. Though we won’t let you in on a step-by-step tutorial on how to pull this off here, we will say that the security hole is incredibly easy to pull off, requiring nothing but iTunes and a free application to snoop on HTTP requests.

The resulting file is a high-quality, 256 kbps, DRM-free file of the entire album, equipped with nothing but an iTunes FairPlay wrapper to stop people from playing this on anything other than i-devices. Anyone who pulls this off will be able to put the album on any Mac or Windows PC running iTunes, as well as an iPod, iPhone, or Apple TV.

Remember – doing this is most definitely illegal (or at the very least, a major breach of your agreement with Apple), and takes away any profits an artist might have otherwise made on a purchase – so we’re definitely not suggesting you all go out and try this out for yourselves. Musicians are incredibly gracious in allowing users to stream their entire albums for free days and weeks before the actual release, so we wouldn’t want to take advantage of their good will, would we?

Source: 9to5Mac

Tested on a Samsung Galaxy Note II

Security flaw allows users to bypass Android lock screen

Uh-oh, Android users – it looks like Apple isn’t the only one with a vulnerable lock screen. A Samsung Galaxy Note II owner by the name of Terence Eden has just uncovered a fairly serious exploit with his beloved smartphone that allows users to bypass the Android lock screen entirely in a method very similar to the infamous iOS lock screen exploit introduced in iOS 6.1.

The security flaw is very easy to reproduce – simply make an emergency call and immediately click the home button on your smartphone. The home screen will only be available for a quick second or two, but that is plenty of time for an unwanted guest to launch applications to gather information. Terence says that the flaw is reproducible on all means of protection on his device, including “Pattern Lock, PIN, Password, and Face Unlock”.

Though only tested on a Samsung device, there is nothing to suggest that other Android 4.1.2 devices are exempt from the glitch. Apple was fairly quick to release an update that fixed its lock screen flaw; however, given Google’s inability to directly push updates to Android devices, it’s unlikely that this flaw will ever be resolved on all devices currently running Android 4.1.2, as OEMs are notoriously bad at updating devices with the latest fixes and features.

Source: Terence Eden

Microsoft discovers major security exploit for Vista and 7, wants you to kill your Windows Gadgets

Once upon a time, there was an upcoming release of Windows that spent much of 2003 “just around the corner”. This future release was to be a minor update, with one of the primary end-user features touted being a new extension to the native explorer.exe shell, the Windows Sidebar. That release was called Windows Longhorn, which became Windows Vista.

Windows Vista did indeed come with a Sidebar, but not the exact one Microsoft had originally envisioned – instead of being an extension to the explorer.exe shell, the Sidebar was now a separate application that ran mini web-based applications called gadgets. Gadgets continued to be a part of Windows Vista and Windows 7, but were planned to see an untimely, yet not unexpected, death with Windows 8.

However, it looks like the end of Windows Gadgets might be here before expected. Microsoft has just issued an advisory recommending users disable Windows Sidebar and its gadgets due to a recently discovered security hole. More specifically, Microsoft is warning that “an attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user.” In other words, a rogue gadget could essentially be enough to give a hacker access to your entire PC. Uh-oh.

It’s not yet clear if Microsoft is planning to patch this exploit, but we’d imagine that Microsoft will simply continue to recommend users either disable their gadgets or upgrade to Windows 8.

Windows Sidebar, we hardly knew thee.

Via: BetaArchive
Source: Microsoft Security TechCenter