
A commercial malware scanner used by businesses has detected an outbreak of malware that came preinstalled on more than three dozen Android devices.

An assortment of malware was found on 38 Android devices belonging to two unidentified companies, according to a blog post published Friday by Check Point Software Technologies, maker of a mobile threat prevention app. The malicious apps were not part of the official ROM firmware supplied by the phone manufacturers but were added later, somewhere along the supply chain. In six of the cases the malware was installed into the ROM with system privileges, which means the firmware has to be completely reinstalled (reflashed) before the phone can be considered clean.

"This finding proves that, even if a user is extremely careful, never clicks a malicious link, or downloads a fishy app, he can still be infected by malware without even knowing it," Check Point Mobile Threat Researcher Daniel Padon told Ars. "This should be a concern for all mobile users."


[security bulletin] HPESBGN03707 rev.1 - HPE ConvergedSystem 700 2.0 VMware Kit, Remote Increase of Privilege
[security bulletin] HPESBHF03716 rev.1 - HPE Intelligent Management Center (IMC) PLAT, Remote Authentication Bypass
Google Pixel Qualcomm Bootloader CVE-2017-0455 Information Disclosure Vulnerability
Google Android MediaTek Driver CVE-2017-0529 Information Disclosure Vulnerability
[security bulletin] HPESBUX03706 rev.1 - HP-UX NTP service running ntpd, Multiple Vulnerabilities
[security bulletin] HPESBHF03711 rev.1 - HPE 2620 Series Network Switches, Remote Cross Site Request Forgery (CSRF)
Google Android MediaTek APK CVE-2017-0522 Privilege Escalation Vulnerability
Google Nexus Qualcomm Input Hardware Driver CVE-2017-0516 Privilege Escalation Vulnerability
Google Nexus Qualcomm ADSPRPC Driver CVE-2017-0457 Privilege Escalation Vulnerability
Google Android Mediaserver CVE-2017-0495 Information Disclosure Vulnerability
Google Android Setup Wizard CVE-2017-0498 Denial of Service Vulnerability
Google Android System UI CVE-2017-0492 Remote Privilege Escalation Vulnerability
Google Android Location Manager CVE-2017-0489 Remote Privilege Escalation Vulnerability
Google Android Wi-Fi CVE-2017-0490 Privilege Escalation Vulnerability
Google Android Setup Wizard CVE-2017-0496 Denial of Service Vulnerability
Google Android Package Manager CVE-2017-0491 Privilege Escalation Vulnerability
Tiki Wiki CMS CVE-2016-10143 Arbitrary File Disclosure Vulnerability
WordPress Mail Masta Plugin Multiple SQL Injection Vulnerabilities
F-Secure Anti-Virus CVE-2017-6466 Remote Code Execution Vulnerability
R Programming Language CVE-2016-8714 Buffer Overflow Vulnerability
WordPress DTracker Plugin Multiple SQL Injection Vulnerabilities
Multiple Cloud Foundry Products CVE-2017-4960 Denial of Service Vulnerability
Unisys ClearPath MCP CVE-2017-5872 Denial of Service Vulnerability
gdk-pixbuf Integer Overflow and Denial of Service Vulnerabilities
Pidgin CVE-2017-2640 Out of Bounds Write Security Vulnerability
Linux Kernel 'x86/mm/gup.c' Local Security Bypass Vulnerability
HP LoadRunner and Performance Center CVE-2017-5789 Remote Heap Buffer Overflow Vulnerability
CVE-2016-10143: Vulnerability to read arbitrary files in "Tiki Wiki"
Schneider Electric ClearSCADA CVE-2017-6021 Remote Denial of Service Vulnerability
Google Chrome Prior to 57.0.2987.98 Multiple Security Vulnerabilities

IP location, GeoIP or geolocalization are terms used to describe techniques that assign a geographic location to an IP address. Databases are built and maintained to link the following details to IP addresses:

  • Country
  • Region

Even if this looks very aggressive, in some cases it can be useful, for example when you want to protect online services used only by local people (from your own country). If you don't do business with China, you should not receive connections from Chinese IP addresses. This sounds legitimate. However, this kind of control can have nasty side effects. The IPv4 address space being fully assigned [1], organisations which need more IP addresses are looking to buy subnets from other organisations which have unused allocations. A new business is born!

One of our readers, based in the US, contacted us about an issue with a /19 subnet they bought from an ISP in another country. They started to allocate IP addresses from this /19 to their customers, and some of those customers were not able to connect to third-party websites. After some investigation, it turned out that the affected websites used IP location databases to restrict access to "trusted" countries (note the quotes!). Their IP location databases being too old, the IP addresses were still referenced as assigned to their old country and

Even if databases are constantly updated (the update rate may also depend on your subscription, free or paid), it is the responsibility of the end user or of the security solution provider to implement a process that automatically updates the databases. Note that one host can carry several databases of very different ages: below, the Country and ASNum editions are a few days old while the City editions date from December 2015. It

    # geoiplookup -v 8.8.8.8
    GeoIP Country Edition: GEO-106FREE 20170307 Build 1 Copyright (c) 2017 MaxMind
    GeoIP City Edition, Rev 1: GEO-533LITE 20151201 Build 1 Copyright (c) 2015 MaxMind Inc All Rights Reserved
    GeoIP ASNum Edition: GEO-117 20170306 Build 1 Copyright (c) 2017 MaxMind Inc All Rights Reser
    GeoIP Country V6 Edition: GEO-106FREE 20170307 Build 1 Copy
    GeoIP ASNum V6 Edition: GEO-117 20170306 Build 1 Copyright (c) 2017 MaxMind Inc All Rights Re
    GeoIP City Edition V6, Rev 1: GEO-536LITE 20151201 Build 1 Copyright (c) 2015 MaxMind Inc All Rights Reserved

I checked the new IP addresses of our reader against several online services and all of them reported an accurate location (USA). Conclusion: the blocking service was certainly using an outdated version of an IP location database. The only solution is to contact them, report the problem and ask them to upgrade.
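A check that follows from the two previous paragraphs: if you run IP-location controls yourself, the age of each database on the box is the thing to monitor, and the `-v` banner above gives it to you. The Python script below is an added example, not code from the diary or from MaxMind; it parses the build date out of every "GeoIP ... Edition" line, flags databases older than a threshold, and can run the real `geoiplookup -v` on the local host. The sample banner is the one quoted above, embedded as a constructed string; the reference date 2017-03-10 and the 30-day threshold are assumptions.

```python
import re
import subprocess
from datetime import date, datetime

# Constructed sample: the `geoiplookup -v 8.8.8.8` banner quoted in the diary
# (legacy MaxMind GeoIP, one database per line). The truncated copyright
# strings are how the tool prints them and are irrelevant to the parser.
SAMPLE_GEOIPLOOKUP_V = """\
GeoIP Country Edition: GEO-106FREE 20170307 Build 1 Copyright (c) 2017 MaxMind
GeoIP City Edition, Rev 1: GEO-533LITE 20151201 Build 1 Copyright (c) 2015 MaxMind Inc All Rights Reserved
GeoIP ASNum Edition: GEO-117 20170306 Build 1 Copyright (c) 2017 MaxMind Inc All Rights Reser
GeoIP Country V6 Edition: GEO-106FREE 20170307 Build 1 Copy
GeoIP ASNum V6 Edition: GEO-117 20170306 Build 1 Copyright (c) 2017 MaxMind Inc All Rights Re
GeoIP City Edition V6, Rev 1: GEO-536LITE 20151201 Build 1 Copyright (c) 2015 MaxMind Inc All Rights Reserved
"""

# Banner line layout: "<edition name>: <product code> <YYYYMMDD> Build <n> <copyright...>"
EDITION_RE = re.compile(
    r"^(?P<edition>GeoIP [^:]+): (?P<product>\S+) (?P<built>\d{8}) Build (?P<build>\d+)"
)


def parse_editions(output: str) -> dict:
    """Map each database edition named in `geoiplookup -v` output to its build date."""
    editions = {}
    for line in output.splitlines():
        m = EDITION_RE.match(line.strip())
        if m:
            built = datetime.strptime(m.group("built"), "%Y%m%d").date()
            editions[m.group("edition")] = built
    return editions


def stale_editions(editions: dict, today: date, max_age_days: int = 30) -> dict:
    """Return {edition: age_in_days} for every database older than max_age_days.

    The 30-day default is an assumption; set it from your provider's release
    cadence for the editions you actually use (each edition is a separate file
    and can be stale on its own, as the sample shows).
    """
    return {
        name: (today - built).days
        for name, built in editions.items()
        if (today - built).days > max_age_days
    }


def audit_output(output: str, as_of: str, max_age_days: int = 30) -> dict:
    """Parse and audit a banner in one step; as_of is an ISO date such as '2017-03-10'."""
    return stale_editions(parse_editions(output), date.fromisoformat(as_of), max_age_days)


def audit_local_geoip(max_age_days: int = 30) -> dict:
    """Run the real `geoiplookup -v` (geoip-bin package) on this host and audit it.

    Returns {} when the tool is not installed, so it is safe in a cron job that
    only alerts on a non-empty result.
    """
    try:
        proc = subprocess.run(
            ["geoiplookup", "-v", "8.8.8.8"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return {}
    return stale_editions(parse_editions(proc.stdout), date.today(), max_age_days)


if __name__ == "__main__":
    # Audit the quoted sample as of the diary's date (assumed 2017-03-10):
    # both City editions are 465 days old, the rest are 3 or 4 days old.
    for edition, age in audit_output(SAMPLE_GEOIPLOOKUP_V, "2017-03-10").items():
        print(f"STALE: {edition} is {age} days old")
    for edition, age in audit_local_geoip().items():
        print(f"STALE (this host): {edition} is {age} days old")
```

Wire `audit_local_geoip()` into whatever already watches the host (a cron job or a monitoring check) and alert on a non-empty result; a geolocation answer is only as good as the build date of the file that produced it, and the sample shows that a fresh Country database says nothing about the City database sitting next to it.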

Personally, I won't recommend blocking traffic based on IP location. Why? The Internet has no borders and you never know from where your visitors will reach you. The following Tweet

[1] https://blog.apnic.net/wp-content/uploads/2016/01/afig1.jpg
[2] https://www.maxmind.com/en/geoip2-city-database-accuracy

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

 
[SECURITY] [DSA 3805-1] firefox-esr security update
 
Internet Storm Center Infocon Status