Categories
Mobile Syrup

Samsung, Pixel devices vulnerable to exploits that expose calls and texts

Google’s ‘Project Zero,’ an in-house team of cybersecurity experts and analysts, warned in a new blog post of 18 different potential exploits in some phones using Samsung’s Exynos modems. That includes devices from Samsung, Vivo and Google’s own Pixel line (more on the specific devices below).

Project Zero warns that the exploits are severe and should be treated as zero-day vulnerabilities — the term ‘zero-day’ refers to recently-discovered exploits that software makers and manufacturers have zero days to fix. The exploits could allow malicious actors to compromise a device just by knowing the associated phone number, and the device’s owner wouldn’t notice a thing.

Specifically, four of the 18 exploits could allow a malicious actor to gain access to the data coming in and out of a device’s modem using just the phone number. That data includes things like phone calls and text messages. Particularly concerning is that this could be done remotely, while some of the other vulnerabilities would require local access to a device.

Project Zero recommends that people with affected devices install upcoming security updates as soon as possible to protect themselves from the vulnerability, though when those updates will arrive varies by manufacturer. Google included a patch for some of the flaws in its March 2023 security update for Pixel phones, for example. Impacted devices include:

  • Samsung phones including the Galaxy S22 series, the Galaxy M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04
  • Vivo phones including the S16, S15, S6, X70, X60 and X30
  • Google Pixel 6 and 7 series
  • Wearables using the Exynos W920 chipset
  • Vehicles that use the Exynos Auto T5123 chipset

Those with an affected device will want to take a few steps to mitigate risks until patches arrive. Project Zero advises people to turn off Wi-Fi calling and Voice-over-LTE (VoLTE) — you should be able to find both of these in the Settings menu under Network & internet > SIMs, though the exact location may vary from device to device.

Project Zero reported the exploits to manufacturers in late 2022 and early 2024, but the team withheld publication for four other vulnerabilities due to the ongoing severity.

Source: Project Zero Via: CNET


Samsung, LG, other Android devices vulnerable to malware after security leak

Google publicly disclosed a major security leak impacting devices from Samsung, LG, Xiaomi and more. The leak enabled the creation of ‘trusted’ malware apps that can gain access to the entire Android operating system.

Googler Łukasz Siewierski shared the details (via 9to5Google), which were published by Google’s Android Partner Vulnerability Initiative (APVI). The main issue is that multiple Android manufacturers had their platform signing keys leaked. Those keys ensure that the version of Android running on your device is legitimate and created by the manufacturer. However, those keys can also be used to sign individual apps, which Android trusts by design.

However, a malicious actor with those signing keys could abuse that trust to give malware full, system-level permissions on an affected device since that device would see the official, signed key and, by default, trust the app. Since some manufacturers use these keys to sign relatively common apps — for example, 9to5 points to Samsung’s Bixby, which is signed with the company’s key on at least some phones — attackers could add malware to a trusted app, sign it with the same key, and then Android would trust it. Worse, this malicious version of the app could come from various sources — the Play Store, Samsung’s Galaxy Store, or be sideloaded.

Google didn’t say which devices or manufacturers were affected in its disclosure. However, the company did include hashes of example malware files, which were uploaded to VirusTotal. 9to5 notes that VirusTotal reveals the names of some of the affected companies, which include Samsung, LG, MediaTek, Szroco (which makes ‘Onn’ tablets for Walmart), and Revoview. There are more keys as well, but they have not been identified.

In the disclosure, Google recommends that manufacturers change their platform signing keys from the ones that leaked. It also urged all manufacturers to reduce how often they use those keys to avoid potential security issues. Moreover, Google said that Samsung and other affected companies took “remediation measures to minimize the user impact” of the security leaks after the issue was first reported in May 2022.

However, 9to5Google notes that Samsung used its vulnerable platform signing key in several Android app updates within just the last few days, based on details from APKMirror. It also remains unclear which Android devices, if any, are still vulnerable.

Moreover, while Google notes the exploit was first reported in May 2022, VirusTotal first scanned some of the malware examples as early as 2016. It remains unclear whether the leak and associated exploits were actively used against anyone in that time.

Google said in a statement to 9to5 that there are several systems in place to protect people from these kinds of security vulnerabilities, such as Play Protect. The company also said that “there is no indication that this malware is or was on the Google Play Store.”

To protect themselves, Android users should make sure their devices are up-to-date and avoid sideloading apps.

Source: Google, Łukasz Siewierski Via: 9to5Google


Zoom rolls out fix for Mac app security flaw

Zoom has pushed out version 5.11.5 of its Mac app, which includes an important security fix for a relatively recent security flaw.

Security researcher and founder of the non-profit Objective-See Foundation Patrick Wardle uncovered the Zoom security flaw and presented it at last week’s Def Con hacking conference. Per The Verge, the exploit leverages the Zoom installer, which requires special user permissions to run. Wardle discovered that it was possible to ‘trick’ Zoom into installing a malicious program by adding Zoom’s cryptographic signature to the package.

Once installed, attackers can use the malicious program to gain more access to a user’s system, potentially to modify, delete, or even add files to the device.

As spotted by MacRumors, Zoom addressed the issue in its August 13th security bulletin, noting that version 5.11.5 of Zoom for Mac fixes the flaw and is now available.

In a tweet, Wardle congratulated Zoom on the quick fix, noting that it looks like the installer now “invokes lchown to update the permissions of the update” package to prevent malicious apps from sneaking in.

As such, you’ll likely want to grab the latest Zoom update right away to make sure you are protected against the exploit. You can update Zoom by opening the app and clicking the name in the menu bar, then ‘Check for updates.’ If one’s available, you’ll need to click ‘Update’ to start the process.


Source: Zoom Via: MacRumors, The Verge


Google Chrome patch fixes severe zero-day vulnerability

Google released a new update to its Chrome browser for Windows with a fix for a severe zero-day vulnerability, the fourth such patch for Chrome this year.

The flaw impacts Chrome’s WebRTC (Web Real-Time Communications) component and was first reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1st. Zero-day refers to vulnerabilities that are disclosed but not yet patched, while WebRTC is an open-source project and powers browser-based video call tools.

On July 4th, Google published a security advisory (via Bleeping Computer) noting that it was aware of exploits for the vulnerability that exist in the wild. Chrome version 103.0.5060.114 is rolling out globally to the stable desktop channel — Chrome users should make sure to update right away. Google says it’ll take a matter of days or weeks to hit its entire userbase.

To update, click Chrome’s menu button > Help > About Google Chrome. The browser should alert users if there’s an update available and provide an option to install and restart the browser. Make sure to check the version number to make sure you’re updating to the version of Chrome with the patch (version 103.0.5060.114).

It’s worth noting that Chrome auto-checks for new updates and installs them automatically on the next launch.

Bleeping Computer notes that Google didn’t share technical details about the vulnerability, despite it being a zero-day. Google’s security advisory notes that the company may restrict access to bug details “until a majority of users are updated with a fix.” Likely, Google will release the technical details once users have had time to install the update.

Moreover, Bleeping Computer notes that Chrome has previously patched three zero-day vulnerabilities this year in April, March, and February.

Source: Google Via: Bleeping Computer


Samsung Phone app security flaw could allow hackers to reset your phone

Samsung phones with software dating back to Android 9 are vulnerable to a newly discovered security flaw that could allow hackers to reset phones, make phone calls, install apps, and more.

Mobile security and privacy company Kryptowire uncovered the flaw and reported it to Samsung earlier this year.

Android Police notes that Samsung delivered a patch for the flaw with the February 2022 security update. The update has already arrived on almost all recent Samsung phones, including down to the Galaxy S9. In other words, make sure your Samsung phone is fully updated to protect yourself from the security flaw.

According to details from Kryptowire, the security vulnerability exists within Samsung’s pre-installed phone app. The app ships on all Samsung handsets, although apparently a Galaxy S8 running Android 8 wasn’t vulnerable to the attack — Kryptowire says that this requires more investigation, however.

Moreover, Kryptowire was able to confirm the Galaxy S21 Ultra, Galaxy S10+, and Galaxy A10e were impacted but specified the list wasn’t exhaustive. Instead, it’s intended to show that “a range of Android versions, models, and builds are verified to be vulnerable.”

Samsung’s phone app has privileged access to some underlying system features. Due to the flaw, it’s possible for other apps to hijack those privileges. Kryptowire says that apps that manage to hijack those privileges and take advantage of the flaw can factory reset your phone, make phone calls, install and uninstall apps, undermine HTTPS connections to websites, and more — Kryptowire says those are just limited examples of the potential.

Once again, the best thing Samsung phone owners can do is make sure they’re updated to the most recent software. The February 2022 security patch includes a fix for this flaw.


Source: Kryptowire Via: Android Police


Dirty Pipe exploit could let someone take over your phone, fix is on the way

There’s a new Linux vulnerability out there that could give attackers full control of your Android smartphone.

However, the exploit goes beyond just Android phones — it potentially impacts anything running Linux, including Android phones, Chromebooks, smart home devices, and more.

Although it sounds dire, it’s worth keeping in mind that most people don’t need to panic. For one, the issue has already been patched (although the fix may not have reached your devices yet). The exploit also only impacts some newer Android phones, such as the Pixel 6 series and the Galaxy S22 series (more on that below, along with a way to check if your device is affected).

The exploit, dubbed ‘Dirty Pipe,’ impacts the Linux kernel. The kernel is the core of an operating system and typically acts as an interface between apps and hardware. Because of that, any app that can read files on your device can potentially use the exploit to mess around with files, run malicious code, or gain administrator privileges. Ultimately, attackers could use the exploit to take over a device.

Max Kellermann discovered Dirty Pipe, but also found a way to fix it and already submitted the fix to the Linux kernel project. Additionally, Dirty Pipe was reported to Google’s Android Security team, who introduced the fix to the Android source code. Similarly, the Chrome OS team seems to have a patch poised to roll out in a mid-cycle update to Chrome OS 99. In other words, the Dirty Pipe fix is ready, it just might not have hit your phone or laptop yet.

How to check if my phone/laptop is at risk

Thankfully, checking whether your device could be exploited using Dirty Pipe is fairly easy. We’ve included instructions below:

  • Android: Open Settings > About phone > Android version > Look for Kernel version. If the number is 5.8 or higher, your device is potentially at risk.
  • Chrome OS: Open a new tab > Type ‘chrome://system’ in the address bar > Scroll to ‘uname’ > Look for the ‘Linux localhost’ text and check if the number is higher than 5.8.

In both cases, the number represents the Linux kernel version. Dirty Pipe was introduced in Linux kernel version 5.8 back in 2020, but the exploit wasn’t found until recently. If your device has kernel version 5.8 or higher, it’s potentially at risk for Dirty Pipe (unless you’ve received a patch for it already).
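The same check can be scripted for a batch of devices. The following is an added example, not part of the original article: it classifies a kernel release string (as shown under Kernel version or in ‘uname’ output) against the 5.8 threshold given above. The function names and sample strings are made up for illustration, and a result of "5.8 or higher" says nothing about whether a vendor patch is already installed.

```shell
#!/bin/sh
# Added example: compare a kernel release string with the 5.8 threshold
# the article gives for Dirty Pipe. Function names are hypothetical.

# kernel_at_least_5_8 RELEASE
# Returns 0 if RELEASE is 5.8 or higher, 1 if it is lower,
# and 2 if no "major.minor" pair can be read from it.
kernel_at_least_5_8() {
    release=$1
    major=${release%%.*}              # text before the first dot
    rest=${release#*.}                # text after the first dot
    [ "$rest" != "$release" ] || return 2   # there was no dot at all
    minor=${rest%%[!0-9]*}            # leading digits only; drops ".43-android12-..."
    case $major in
        ''|*[!0-9]*) return 2 ;;      # major must be all digits
    esac
    [ -n "$minor" ] || return 2
    # Compare as numbers: as plain text "5.10" would sort before "5.8".
    if [ "$major" -gt 5 ]; then
        return 0
    fi
    if [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; then
        return 0
    fi
    return 1
}

# dirty_pipe_status RELEASE
# Prints a one-line verdict for RELEASE.
dirty_pipe_status() {
    rc=0
    kernel_at_least_5_8 "$1" || rc=$?
    case $rc in
        0) echo "5.8 or higher: potentially at risk until patched" ;;
        1) echo "below 5.8: predates the bug" ;;
        *) echo "unrecognized kernel version string" ;;
    esac
}

# Constructed sample strings (not taken from real devices).
for sample in \
    "4.19.113-perf" \
    "5.4.61-android11" \
    "5.8.0" \
    "5.10.43-android12-9-00001-gabcdef" \
    "6.1.25"
do
    printf '%s -> %s\n' "$sample" "$(dirty_pipe_status "$sample")"
done

# The machine this script runs on.
printf 'this machine (%s) -> %s\n' "$(uname -r)" "$(dirty_pipe_status "$(uname -r)")"
```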

Most Android phones use an older version of the Linux kernel and likely won’t be impacted. However, as mentioned above, the Pixel 6 series and the Galaxy S22 series are impacted. 9to5Google noted that Android devices that launched with Android 12 have a chance of being impacted.

How to protect yourself from Dirty Pipe

Although there are no known instances of attackers using Dirty Pipe to gain control of phones or computers yet, it’s likely only a matter of time before it starts to happen. The best thing you can do to protect yourself is to make sure your devices are up to date.

As mentioned up top, there are already Android and Chrome OS patches, but they haven’t rolled out yet. Hopefully, they roll out soon — keep an eye out for new security patches and make sure to install them right away.

In the meantime, 9to5 suggests only running apps that you trust on your device. Moreover, it may be a good idea to avoid installing new apps until the patch is made available.

Source: Max Kellermann Via: 9to5Google


Bug affecting Safari on macOS, all iOS browsers, could reveal browsing history

Apple prepared a fix for a WebKit bug that could reveal users’ recent browsing history and possibly their identity. However, it’s not clear when the tech giant will release updates with the fix.

According to MacRumors, a WebKit commit on GitHub (a commit is a revision made to code) fixes the bug. However, Apple has not said when users could expect macOS, iOS or iPadOS updates to arrive with the fix. A January 14th blog post from FingerprintJS noted that the bug was reported to Apple on November 28th, 2021.

MacRumors previously reported on January 16th about the bug, which involves a JavaScript API called IndexedDB, a commonly-used tool for storing data on people’s computers. Specifically, the bug exists in the way WebKit — the open-source engine powering Apple’s Safari browser — implemented IndexedDB.

In short, the bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites. Put another way, a website can access a list of other websites you’ve visited (even from different tabs or windows) if they’ve stored data using this API. Typically, browsers apply same-origin policy to IndexedDB to prevent sites from accessing anything outside of their own IndexedDB database.

Moreover, sometimes websites include unique user-specific identifiers in IndexedDB database names. MacRumors pointed to YouTube as an example, which creates databases that include users’ authenticated Google User ID in the name. Malicious actors could use this identifier to fetch personal information about users through Google APIs, such as their profile picture or name.

The WebKit bug affects Safari on macOS Monterey, iOS 15 and iPadOS 15. On iOS and iPadOS, Apple also forces third-party browsers to use the WebKit engine — that means browsers like Chrome and Edge running on iOS/iPadOS 15 are also affected. However, the bug doesn’t affect older versions of macOS, or iOS and iPadOS 14.

Ultimately, that means iOS and iPadOS users can’t really do anything to protect themselves from the bug beyond installing the software patch whenever Apple makes it available. For macOS users, however, switching to another browser would work.

Those interested in learning more about the bug should check out a deep-dive on it from FingerprintJS.

Source: MacRumors, (2), FingerprintJS


Apple’s iOS/iPadOS 15.2.1 update fixes HomeKit flaw that crashed devices

Apple rolled out iOS and iPadOS 15.2.1 on Wednesday. The minor update brings several bug fixes, including a patch for a denial-of-service vulnerability found in HomeKit.

Trevor Spiniolas discovered the vulnerability and published details about it on January 1st. At the time, Spiniolas accused Apple of being slow to respond to his initial disclosure, which he made in August 2021. The bug affects iOS and iPadOS versions as far back as 14.7 and possibly earlier versions too — iPhone and iPad owners should update their devices to avoid the bug.

The vulnerability, if exploited, would lead to HomeKit devices with really long names crashing iPhones and iPads. HomeKit is an API used for connecting smart home gadgets to iOS devices, and it backs up device names to iCloud. That means users hit with the problem would experience it again if they re-connected that same iCloud account.

Apple published a security notice for the iOS 15.2.1 update — it only lists the HomeKit issue and notes the following fix: “A resource exhaustion issue was addressed with improved input validation.”

However, there are other items in the 15.2.1 update. According to The Verge, the patch also fixes a bug that impacted the performance of third-party CarPlay apps and a bug that stopped the Messages app from loading certain photos sent through iCloud.

To download the update, open the Settings app on your iPhone or iPad > Tap ‘General’ > Tap ‘Software Update.’

Source: Apple Via: The Verge


Apple patched iCloud against massive Log4Shell vulnerability

Late last week, details emerged about a wide-reaching security vulnerability that affected tons of online services and apps, including Apple’s iCloud service. However, the iPhone-maker has reportedly already patched the flaw.

As a refresher, the vulnerability, dubbed ‘Log4Shell,’ impacts an open-source logging library called ‘log4j’ that’s widely used in online services to log events, errors, activities and more. The Log4Shell flaw effectively allowed an attacker to gain access to and execute remote code on servers running log4j simply by getting the logging system to log a specific string of characters.

Due to the wide use of log4j, several major online services are (or were) vulnerable to Log4Shell. Minecraft was among the first platforms impacted by Log4Shell, which saw attackers post chat messages with the specific string to attack servers. A Minecraft patch released Friday fixed the vulnerability.

Other services impacted by Log4Shell included Steam, Twitter, Amazon, Tesla and more. Apple’s iCloud was on the list, but Apple reportedly patched the service on December 11th.

According to The Eclectic Light Company, a blog about Macs and paintings (via Macworld and 9to5Mac), researchers were able to demonstrate the Log4Shell vulnerability when connecting to iCloud through the web on December 9th and 10th. However, the process no longer worked on December 11th.

Ultimately, it appears Apple patched the security flaw in iCloud rather quickly. That’s good news for any iCloud users out there and should be par for the course with large tech companies. There’s also a log4j patch available that helps mitigate the security vulnerability, which should help with patching vulnerable services.

Unfortunately, thanks to the wide-ranging impact of Log4Shell, it will likely take time for all vulnerable services to issue patches.

Source: The Eclectic Light Company Via: Macworld, 9to5Mac
