Security
Android application security
Recent reports of a misbehaving Android application have rekindled concerns about the security of Android-based mobile phones. Because applications can be made available in the Android Market by anyone, without any review, it would seem to be an excellent target for malware purveyors. The Android security model is meant to sandbox applications, but some applications need more capabilities—to get them, they ask the user. While it appears that the application in question, MemoryUp, was actually innocent of what it was accused of doing, the incident highlights potential problems with Android security.
Unlike the iPhone App Store, Android applications are not vetted before being placed into the Android Market. In addition, for now, Android applications must be distributed for free, though that is set to change sometime later this year. Given the problems with Apple's inconsistent and anti-competitive decisions on iPhone applications, Google's openness has some benefits. But it also has some pitfalls.
Applications are required to be signed with a developer's private key, which should provide some measure of accountability. Given that it only takes a Google account and $25 to get into the developers program, it may not be very difficult for a malicious developer to get an "anonymous" (or largely untraceable) key. But there is a larger issue as well. The security model leaves it up to users to, essentially, guess whether they should allow an application to have additional privileges.
As David "Lefty" Schlesinger points out in his blog, the security model in many ways faults the user: "I've commented in a variety of places about the problems with Android's security model, and how it essentially made any security problem the users' fault by asking them to approve what the application says it wants to do--in broad terms--on installation, without any policy component behind it at all." While it appears that MemoryUp neither asked for, nor received, any extra privileges, it is something that actual malware—or, worse in some ways, applications that live in the gray area between malware and benign-ware—developers will not hesitate to exploit.
If an application needs network access to do its job, it will presumably be granted that access by the user at install time. But there is nothing stopping that application from using that access in ways the user might never approve. Combining network access with access to personal data leaves the user wide open to sharing that data in ways they might not expect—or approve of. In some ways, that is no different than Android's automatic syncing of contact information to Gmail, which ensures that Google has access to that info. Undoubtedly Google's privacy policy prohibits them from doing anything overt with that information, but it is, or should be, worrisome.
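The "policy component" that the article says is missing can be approximated outside the platform: parse the permissions an application's manifest requests and flag the network-plus-personal-data combination described above before anyone is asked to approve it. This is an added example, not code from the article or from Android; the manifest, the package name and the permission groupings are constructed for illustration.

```python
"""Policy check over the permissions an Android manifest requests.

Added example (not from the article): flags the combination the article
warns about, network access plus access to personal data. The manifest
below is a constructed sample for a hypothetical "HotPhoneApp".
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; the package name is made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hotphoneapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Permissions that give the application a channel off the device.
NETWORK = {"android.permission.INTERNET"}
# Permissions that expose personal data; any of these together with a
# network permission is the "share data in ways the user never approved"
# case. The grouping is an assumption of this example, not an Android rule.
PERSONAL_DATA = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (elem.get(ANDROID_NS + "name") for elem in root.iter("uses-permission"))
    return {name for name in names if name}


def check_policy(perms):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if perms & NETWORK:
        for perm in sorted(perms & PERSONAL_DATA):
            findings.append("exfiltration risk: %s combined with network access" % perm)
    return findings


if __name__ == "__main__":
    for finding in check_policy(requested_permissions(SAMPLE_MANIFEST)) or ["no policy findings"]:
        print(finding)
```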
Mobile phones are rather sophisticated computing devices these days, with multiple connectivity choices, and lots more storage than even desktop machines had just a few years ago. Along with that sophistication goes the security risk. We have yet to train users to make sensible security decisions on their desktop machines—though it seems like it might be getting slowly better—do we truly expect them to make good decisions when "HotPhoneApp" asks for more access than it truly deserves?
For Linux desktops and servers, distributors generally play the role of application examiners. In many ways, they are the first line of defense against malware. It is understandable why Google might not want to play that role, but users should keep it in mind when installing Android applications.
Brief items
Linux also affected by hole in Ralink's Wi-fi driver (heise online)
Ralink Wi-fi drivers have a flaw that may lead to arbitrary code execution on Linux boxes, as reported by heise online. "The flaw discovered in Ralink's Wi-fi drivers for Windows last weekend also affects the Linux drivers as already suspected. Attackers can exploit the hole to crash a computer remotely or possibly even inject and execute arbitrary code. Debian has released new packages for the rt2400, rt2500 and rt2570 models, but the packages need to be compiled by the user for the time being." Other distributions are undoubtedly vulnerable as well.
Drive-By 'War Cloning' Attack Hacks Electronic Passports, Driver's Licenses (DarkReading)
DarkReading takes a look at RFID snooping and cloning of identification cards from a distance. The article is based on research by Chris Paget that will be presented at ShmooCon, which starts on February 6. "Unlike previous RFID hacks that have been conducted within inches of the targeted ID, Paget's hack can scan RFID tags from 20 feet away. 'This is a vicinity versus proximity read,' he says. 'The passport card is a real radio broadcast, so there's no real limit to the read range. It's conceivable that these things can be tracked from 100 meters -- a couple of miles.'"
New vulnerabilities
audiofile: arbitrary code execution
| Package(s): | audiofile | CVE #(s): | CVE-2008-5824 |
| Created: | February 2, 2009 | Updated: | March 16, 2010 |
| Description: | From the SUSE advisory: A heap-overflow in libaudiofile was fixed. The overflow existed in the WAV processing code and can be exploited to execute arbitrary code. (CVE-2008-5824) |
| Alerts: | |
boinc-client: incorrect use of OpenSSL API
| Package(s): | boinc-client | CVE #(s): | CVE-2009-0126 |
| Created: | February 2, 2009 | Updated: | February 9, 2009 |
| Description: | From the SUSE advisory: The boinc-client was missing return value checks for openssl function calls. (CVE-2009-0126) |
| Alerts: | |
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2009-0352 CVE-2009-0353 CVE-2009-0354 CVE-2009-0355 CVE-2009-0356 CVE-2009-0357 CVE-2009-0358 |
| Created: | February 4, 2009 | Updated: | July 13, 2009 |
| Description: | Several vulnerabilities have been fixed by the Firefox 3.0.6 release; see the release notes for details. |
| Alerts: | |
glpi: SQL injection
| Package(s): | glpi | CVE #(s): | |
| Created: | February 4, 2009 | Updated: | February 4, 2009 |
| Description: | GLPI prior to version 0.71.4 suffers from an unspecified SQL injection vulnerability. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2008-5713 |
| Created: | January 29, 2009 | Updated: | May 7, 2009 |
| Description: | From the Ubuntu advisory: It was discovered that in certain situations the network scheduler did not correctly handle very large levels of traffic. A local attacker could produce a high volume of UDP traffic resulting in a system hang, leading to a denial of service. Ubuntu 8.04 was not affected. (CVE-2008-5713) |
| Alerts: | |
libpng: memory overwrite
| Package(s): | libpng | CVE #(s): | CVE-2008-5907 |
| Created: | February 2, 2009 | Updated: | March 23, 2009 |
| Description: | From the SUSE advisory: This update of libpng fixes the function png_check_keyword() that allowed setting arbitrary bytes in the process memory to 0. (CVE-2008-5907) |
| Alerts: | |
linux: denial of service
| Package(s): | linux | CVE #(s): | CVE-2008-5395 |
| Created: | January 30, 2009 | Updated: | May 7, 2009 |
| Description: | The kernel has a denial of service vulnerability. From the National Vulnerability Database entry: The parisc_show_stack function in arch/parisc/kernel/traps.c in the Linux kernel before 2.6.28-rc7 on PA-RISC allows local users to cause a denial of service (system crash) via vectors associated with an attempt to unwind a stack that contains userspace addresses. |
| Alerts: | |
moin: cross-site scripting
| Package(s): | moin | CVE #(s): | CVE-2009-0260 CVE-2009-0312 |
| Created: | January 29, 2009 | Updated: | June 18, 2009 |
| Description: | From the Debian advisory: It was discovered that the AttachFile action in moin, a python clone of WikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260). Another cross-site scripting vulnerability was discovered in the antispam feature (CVE-2009-0312). |
| Alerts: | |
phpMyAdmin: cross-site request forgery
| Package(s): | phpMyAdmin | CVE #(s): | CVE-2008-5621 CVE-2008-5622 |
| Created: | February 2, 2009 | Updated: | March 25, 2009 |
| Description: | From the CVE entries: CVE-2008-5621: Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: this can be leveraged to conduct SQL injection attacks and execute arbitrary code. CVE-2008-5622: Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allow remote attackers to conduct SQL injection attacks via unknown vectors related to the table parameter, a different vector than CVE-2008-5621. |
| Alerts: | |
rt2400: arbitrary code execution
| Package(s): | rt2400 | CVE #(s): | CVE-2009-0282 |
| Created: | January 29, 2009 | Updated: | July 13, 2009 |
| Description: | From the Debian advisory: It was discovered that an integer overflow in the "Probe Request" packet parser of the Ralinktech wireless drivers might lead to remote denial of service or the execution of arbitrary code. |
| Alerts: | |
sudo: privilege escalation
| Package(s): | sudo | CVE #(s): | CVE-2009-0034 |
| Created: | January 30, 2009 | Updated: | January 24, 2011 |
| Description: | sudo has a privilege escalation vulnerability. From the rPath alert: In previous versions of sudo, in a non-default configuration which allows users in certain groups to run commands as other non-root users, it is possible for non-root users to inappropriately gain root privileges. |
| Alerts: | |
xdg-utils: arbitrary code execution
| Package(s): | xdg-utils | CVE #(s): | CVE-2009-0068 |
| Created: | February 3, 2009 | Updated: | February 4, 2009 |
| Description: | From the CVE entry: Interaction error in xdg-open allows remote attackers to execute arbitrary code by sending a file with a dangerous MIME type but using a safe type that Firefox sends to xdg-open, which causes xdg-open to process the dangerous file type through automatic type detection, as demonstrated by overwriting the .desktop file. |
| Alerts: | |
xrdp: arbitrary code execution
| Package(s): | xrdp | CVE #(s): | CVE-2008-5902 CVE-2008-5903 CVE-2008-5904 |
| Created: | February 2, 2009 | Updated: | February 4, 2009 |
| Description: | From the SUSE advisory: This update fixes multiple buffer overflows that can be exploited remotely to execute arbitrary code. (CVE-2008-5902, CVE-2008-5903, CVE-2008-5904) |
| Alerts: | |
Page editor: Jake Edge