Daily Archives: October 5, 2015

Google Android Stagefright 2.0 Updates Due To Rollout

Update: 10th January 2016:
Further updates addressing newer issues within libstagefright have been made available. Please see this more recent blog post for details.

Thank you.

Update: 17th November 2015:
Further updates addressing newer Stagefright issues have been made available. Please see this more recent blog post for details.

Thank you.


Update: 6th October 2015:
As scheduled, Google has begun rolling out the fixes for the Stagefright 2.0 issue. The update, named Build LMY48T, addresses 30 CVEs (defined) (20x critical, 5x high, 3x moderate, 2x low severity), of which 15 were in libstagefright and 2 were in libutils (both libraries are mentioned in my post below).

Full details are provided by Google in this Google Groups post. As mentioned in my post below, Sophos has provided a comprehensive list of tips to stay safe from these Stagefright 2.0 vulnerabilities.

Thank you.

Original Post:
Last week a new set of 2 security vulnerabilities affecting Google’s smartphone operating system Android was disclosed. Zimperium, the same security firm that discovered the original Stagefright vulnerabilities, found these new flaws and has named them Stagefright 2.0.

The first vulnerability assigned CVE-2015-6602 (CVE, defined) affects versions of Android since version 1.0 from the year 2008. The second vulnerability (not yet assigned a CVE number) is a method to trigger the first flaw in version 5.0 and later of Android.

Why Should These Issues Be Considered Important?
It is estimated that at least one of these new issues is present in approximately 1 billion Android devices. On newer devices, remote code execution (where an attacker can remotely trigger code of their choice to carry out any action they choose) is possible via libstagefright in Android version 5.0 and later. All other devices may be affected if 3rd party apps or apps bundled by the mobile carrier use the libutils library when processing specially crafted MP3 (audio) and MP4 (video) files.

In addition, there are 3 further means by which these issues could be exploited by an attacker: an attacker on the same network as your Android device could add the exploit to unencrypted traffic using a man-in-the-middle attack (MITM, defined); an attacker could have you inadvertently visit a malicious website via a phishing (defined) email containing a link; or they could use a compromised advertisement present on a website of their choice.

The final 2 methods of attack are much more likely to occur in practice than the original Stagefright issue (since that relied on older MMS (defined) messages). For example, a spear phishing (defined) campaign took place in August in an attempt to have users visit a fake Electronic Frontier Foundation site, while in January AOL’s advertising was delivering adverts that exploited the devices that viewed them.

How Can I Protect Myself From These Issues?
Since the disclosure of the original Stagefright issue, the speed of response has improved. A fix for this issue will begin to be made available to Google Nexus devices today. Other manufacturers such as Samsung and LG should follow suit very soon.

Sophos has provided a comprehensive list of tips to stay safe from these Stagefright 2.0 vulnerabilities.

As mentioned by Symantec in this blog post, please ensure to only apply updates from your mobile carrier or device manufacturer.

In addition, Zimperium will be updating their Stagefright Detector app to check if your device is vulnerable to these newer Stagefright issues once updates resolving these issues are made available. This is useful since you can use that app to tell if your device has received the appropriate updates.

Please note that reviews for the Zimperium Stagefright detector app are mixed, thus you may wish to try other apps to check if your device is vulnerable.

Thank you.

100th Blog Post Published

I wanted to mark my 100th blog post by thanking my dedicated readers. This blog continues to receive increasing numbers of visitors, with September setting a record (by a significant margin) for the number of visitors. I also wish to thank those who have contacted me with questions and words of encouragement; they are much appreciated!

I hope that my coverage of how to stay safe from the most recent security vulnerabilities and malware is of assistance to corporate staff, small business owners and consumers alike. It’s my pleasure to assist you all.

I believe that this blog has remained true to its goal of providing easy to understand and practical steps to improve your IT security. If you have any questions or suggestions for future posts or just want to say hi, please feel free to post a comment or contact me.

Here’s to the next 100 posts and beyond!

Thank you.

Popular WordPress Plugin Addresses Critical Security Issue

The website security firm Sucuri last week disclosed a critical issue in Jetpack, a plugin used by more than 1 million users of the WordPress content management system.

Why Should This Issue Be Considered Important?
Sucuri discovered a critical cross-site scripting (XSS) issue (defined) within the Jetpack plugin caused by how it validates the email address submitted via the contact form module within the plugin.

If an attacker were to use this vulnerability in combination with their knowledge of website hacking, they could execute (run or carry out a set of steps) JavaScript (defined) code of their choice on your WordPress site. This could allow the attacker to add a backdoor (defined) to your website, giving them convenient access, or to conduct a watering hole attack (defined) (further examples of options open to the attacker are presented in Sucuri’s security advisory for this issue).

How Can I Protect Myself From This Issue?
Please update to Jetpack version 3.7.1 or later (at the time of writing, version 3.7.2 is available). Instructions for updating WordPress plugins are provided here. Installation instructions for Jetpack are provided here.

I hope that the above information is useful to you in securing your WordPress site from this flaw if you make use of the Jetpack plugin.

Thank you.

SAP Releases Security Updates for HANA Database and Business Objects BI Platform

10 security issues in SAP’s HANA database were found by the security firm Onapsis and reported to SAP earlier this year, but they were only publicly announced last week. HANA is a database that is stored in RAM (computer memory) for very fast performance (although the database is periodically written to a hard disk for the purpose of recovery checkpoints).

1 of the 2 most serious vulnerabilities within SAP HANA is remotely exploitable.

A further flaw was also discovered in SAP’s Business Objects BI Platform. This issue is caused by a buffer overflow (defined) which can be exploited by a remote attacker.

Why Should These Issues Be Considered Important?
The 2 high-risk vulnerabilities could allow an attacker to execute commands of their choice on the victim SAP HANA system, disclosing sensitive information and giving them the potential to alter the system’s settings, blocking legitimate users from accessing it.

The remaining 8 medium-risk vulnerabilities provide an attacker with the ability to partially compromise a HANA system, but the attacker would already have to have partially compromised the system in the first instance to use these flaws to their further advantage.

For the Business Objects BI Platform vulnerability, if an attacker can successfully exploit the buffer overflow issue, they can cause a denial of service (defined) and/or gain access to sensitive information within the system along with the ability to modify this data.

How Can I Protect Myself From These Issues?
To address the flaws within SAP HANA it is recommended to refer to the security advisories mentioned in this Onapsis blog post. Those advisories contain the necessary links to obtain patches from SAP for these issues.

For the Business Objects BI Platform vulnerability, SAP recommends installing the patches discussed within SAP Security Note 2001108. This note is also mentioned within this Onapsis blog post. Please note that an SAP Marketplace account is required to access the contents of this Security Note. An account can be created from this page.

If you are in any doubt or would like further advice, please contact SAP Support for more information.

If any further information concerning the above vulnerabilities becomes available I will update this blog post as appropriate.

Thank you.

Unpatched WinRAR SFX Vulnerability Disclosed

Update: 7th October 2015:
Malwarebytes have carried out additional analysis of this issue and have issued updated guidance on how to protect against it.

Please follow their updated advice to keep your computing devices secure. I echo Malwarebytes’ apology with regard to this issue, since the guidance posted by them and by me was based on the information available at the time.

Please disregard my original post (which has now been removed).

Thank you.