LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
SecurityAndroid application securityRecent reports of a misbehaving Android application have rekindled concerns about the security of Android-based mobile phones. Because applications can be made available in the Android Market by anyone, without any review, it would seem to be an excellent target for malware purveyors. The Android security model is meant to sandbox applications, but some applications need more capabilities—to get them, they ask the user. While it appears that the application in question, MemoryUp, was actually innocent of what is was accused of doing, the incident highlights potential problems with Android security. Unlike the iPhone App Store, Android applications are not vetted before being placed into the Android Market. In addition, for now, Android applications must be distributed for free, though that is set to change sometime later this year. Given the problems with Apple's inconsistent and anti-competitive decisions on iPhone applications, Google's openness has some benefits. But it also has some pitfalls. Applications are required to be signed with a developer's private key, which should provide some measure of accountability. Given that it only takes a Google account and $25 to get into the developers program, it may not be very difficult for a malicious developer to get an "anonymous" (or largely untraceable) key. But there is a larger issue as well. The security model leaves it up to users to, essentially, guess whether they should allow an application to have additional privileges. As David "Lefty" Schlesinger points out in his blog, the security model in many ways faults the user: "I've commented in a variety of places about the problems with Android's security model, and how it essentially made any security problem the users' fault by asking them to approve what the application says it wants to do--in broad terms--on installation, without any policy component behind it at all." While it appears that MemoryUp neither asked for, nor received, any extra privileges, it is something that actual malware—or, worse in some ways, applications that live in the gray area between malware and benign-ware—developers will not hesitate to exploit. If an application needs network access to do its job, it will presumably be granted that access by the user at install time. But, there is nothing stopping that application from using that access in ways the user might never approve. Combining network access with access to personal data, leaves the user wide open to sharing that data in ways they might not expect—or approve of. In some ways, that is no different than Android's automatic syncing of contact information to Gmail, which ensures that Google has access to that info. Undoubtedly Google's privacy policy prohibits them doing anything overt with that information, but it is, or should be, worrisome. Mobile phones are rather sophisticated computing devices these days, with multiple connectivity choices, and lots more storage than even desktop machines had just a few years ago. Along with that sophistication goes the security risk. We have yet to train users to make sensible security decisions on their desktop machines—though it seems like it might be getting slowly better—do we truly expect them to make good decisions when "HotPhoneApp" asks for more access than it truly deserves? For Linux desktops and servers, distributors generally play the role of application examiners. In many ways, they are the first line of defense against malware. It is understandable why Google might not want to play that role, but users should keep it in mind when installing Android applications.
Brief items Linux also affected by hole in Ralink's Wi-fi driver (heise online)Ralink Wi-fi drivers have a flaw that may lead to arbitrary code execution on Linux boxes, as reported by heise online. "The flaw discovered in Ralink's Wi-fi drivers for Windows last weekend also affects the Linux drivers as already suspected. Attackers can exploit the hole to crash a computer remotely or possibly even inject and execute arbitrary code. Debian has released new packages for the rt2400, rt2500 and rt2570 models, but the packages need to be compiled by the user for the time being." Other distributions are undoubtedly vulnerable as well.
Drive-By 'War Cloning' Attack Hacks Electronic Passports, Driver's Licenses (DarkReading)DarkReading takes a look at RFID snooping and cloning of identification cards from a distance. The article is based on research by Chris Paget that will be presented at SchmooCon, which starts on February 6. "Unlike previous RFID hacks that have been conducted within inches of the targeted ID, Paget's hack can scan RFID tags from 20 feet away. 'This is a vicinity versus proximity read,' he says. 'The passport card is a real radio broadcast, so there's no real limit to the read range. It's conceivable that these things can be tracked from 100 meters -- a couple of miles.'"
New vulnerabilities audiofile: arbitrary code execution
boinc-client: incorrect use of OpenSSL API
firefox: multiple vulnerabilities
glpi: SQL injection
kernel: denial of service
libpng: memory overwrite
linux: denial of service
moin: cross-site scripting
phpMyAdmin: cross-site request forgery
rt2400: arbitrary code execution
sudo: privilege escalation
xdg-utils: arbitrary code execution
xrdp: arbitrary code execution
Page editor: Jake Edge |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||