Android Vulnerability Allows App Hijacking

A serious Android vulnerability, set to be disclosed at the Blackhat conference, has now been publicly disclosed. The vulnerability allows attackers to inject malicious code into legitimate apps without invalidating the digital signature.

Android applications must be digitally signed. This allows one to ensure the code within the app has not been tampered with and also assures the code was provided by the official publisher. Furthermore, Android utilizes an app-level permission system where each app must declare and receive permission to perform sensitive tasks. Digital signing prevents apps and their accompanying permissions from being hijacked.

This serious Android vulnerability allows an attacker to hide code within a legitimate application and use existing permissions to perform sensitive functions through those apps. Details of the vulnerability can now be found online and are extremely simple to implement.

Injecting malicious code into legitimate apps has been a common tactic by malicious app creators for some time. However, they previously needed to change both the application and publisher name and also sign any Trojanized app with their own digital signature. Someone who examined the app details could instantly realize the application was not created by the legitimate publisher. Now that attackers no longer need to change these digital signature details, they can freely hijack legitimate applications and even an astute person could not tell the application had been repackaged with malicious code.

We have added detection logic for the vulnerable condition to our backend Norton Mobile Insight systems and, out of four million applications, have not yet discovered malicious usage of the vulnerability. We have discovered a number of apps that unintentionally exploit the vulnerable condition, however. These apps are all built using a common popular build tool chain, which may have a bug resulting in malformed APK files. Unfortunately, this vulnerability affects 99 percent of Android devices, and usually patches take some time to be deployed by handset manufacturers and carriers, if at all.

If a malicious app is discovered exploiting this vulnerability, users will be able to protect themselves by installing Norton Mobile Security. Once installed, Norton Mobile Security will also regularly update itself to add more robust protection against this and future vulnerabilities.

Thanks to Bluebox Security who discovered the vulnerability.

Google patches critical Android threat as working exploit is unleashed

A security researcher has published working exploit code that allows attackers to surreptitiously turn legitimate apps running on Google's Android mobile operating system into malicious trojans. Around the same time, Google said it released a patch that helps protect users from abuse.

As previously reported, the weakness involves the way legitimate Android applications are cryptographically signed to ensure they haven't been modified by parties other than the trusted developer. Researchers at security startup Bluebox provided high-level details of the vulnerability last week, but omitted technical details most people would need to reproduce the attack. That didn't stop developers of CyanogenMod, an alternative Android firmware version, from piecing together the available details into this bug report that identifies the conditions necessary for exploiting the vulnerability. The report also incorporates the fix from Google into the CyanogenMod code.

Working from that description, Pau Oliva Fora, senior mobile security engineer at viaForensics, published proof-of-concept code that allows anyone with a moderate level of skill to modify an existing Android app without changing the cryptographic signature that's supposed to certify it hasn't been tampered with. The 32-line exploit demonstrates the ease in exploiting the vulnerability and the consequences the flaw might have for people who install and update apps from third-party sources.

Read 6 remaining paragraphs | Comments

    


Microsoft Patch Tuesday – July 2013

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 36 vulnerabilities. 24 of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the July releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Jul

The following is a breakdown of the issues being addressed this month:

  1. MS13-052 Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)

    TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical

    A remote code execution vulnerability exists in the way that affected components handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

    Array Access Violation Vulnerability (CVE-2013-3131) MS Rating: Critical

    A remote code execution vulnerability exists in the way the .NET Framework handles multidimensional arrays of small structures.

    Delegate Reflection Bypass Vulnerability (CVE-2013-3132) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework validates the permissions of certain objects performing reflection. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    Anonymous Method Injection Vulnerability (CVE-2013-3133) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework validates permissions for objects involved with reflection.

    Array Allocation Vulnerability (CVE-2013-3134) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the .NET Framework allocates arrays of small structures.

    Delegate Serialization Vulnerability (CVE-2013-3171) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework validates permissions for delegate objects during serialization.

    Null Pointer Vulnerability (CVE-2013-3178) MS Rating: Important

    A remote code execution vulnerability exists in the way Silverlight handles a null pointer.

  2. MS13-053 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)

    Win32k Memory Allocation Vulnerability (CVE-2013-1300) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Dereference Vulnerability (CVE-2013-1340) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Vulnerability (CVE-2013-1345) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical

    A remote code execution vulnerability exists in the way that affected components handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

    Win32k Use After Free Vulnerability (CVE-2013-3167) MS Rating: Important

    An information disclosure vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Buffer Overflow Vulnerability (CVE-2013-3172) MS Rating: Moderate

    A denial of service vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Buffer Overwrite Vulnerability (CVE-2013-3173) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Read AV Vulnerability (CVE-2013-3660) MS Rating: Critical

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

  3. MS13-054 Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)

    TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical

    A vulnerability exists in the way that affected Windows components and other affected software handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

  4. MS13-055 Cumulative Security Update for Internet Explorer (2846071)

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3115) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3143) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3144) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3145) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3146) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3147) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3148) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3149) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3150) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3151) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3152) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3153) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3161) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3162) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3163) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3164) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Shift JIS Character Encoding Vulnerability (CVE-2013-3166) MS Rating: Important

    A cross-site-scripting (XSS) vulnerability exists in Internet Explorer that could allow an attacker to gain access to information in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted webpage that could allow an information disclosure if a user viewed the webpage. An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.

  5. MS13-056 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)

    DirectShow Arbitrary Memory Overwrite Vulnerability (CVE-2013-3174) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft DirectShow parses GIF image files. This vulnerability could allow a remote code execution if a user opened a specially crafted GIF file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  6. MS13-057 Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)

    WMV Video Decoder Remote Code Execution Vulnerability (CVE-2013-3127) MS Rating: Critical

    A remote code execution vulnerability exists in the way Windows Media Format Runtime handles certain media files. This vulnerability could allow an attacker to execute arbitrary code if the attacker convinces a user to open a specially crafted media file. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

  7. MS13-058 Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927)

    Microsoft Windows 7 Defender Improper Pathname Vulnerability (CVE-2013-3154) MS Rating: Important

    This is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take complete control of the system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Smooth-Sec – IDS/IPS (Intrusion Detection/Prevention System) In A Box

We haven’t written about Smooth-Sec for a while since we first heard about it at v1 in March 2011. For those who are not familiar, Smooth-Sec is a fully-ready IDS & IPS (Intrusion Detection & Prevention System) Linux distribution based on Debian 7 (wheezy), available for 32 and 64 bit architecture. The distribution includes the...

Read the full post at darknet.org.uk