Information Security News
One of the more recent discoveries resulting from the breach two weeks ago of malware-as-a-service provider Hacking Team is sure to interest Android enthusiasts. To wit, it's the source code to a fully featured malware suite that had the ability to infect devices even when they were running newer versions of the Google-developed mobile operating system.
The leak of the code base for RCSAndroid—short for Remote Control System Android—is a mixed blessing. On the one hand, it provides the blueprints to a sophisticated, real-world surveillance program that can help Google and others better defend the Android platform against malware attacks. On the other, it provides even unskilled hackers with all the raw materials they need to deploy what's arguably one of the world's more advanced Android surveillance suites.
"The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware [titles] ever exposed," researchers from security firm Trend Micro wrote in a recently published blog post. "The leak of its code provides cybercriminals with a new weaponized resource for enhancing their surveillance operations."
by Dan Goodin
Researchers at an HP security division have publicly detailed four code-execution vulnerabilities that can be used to hijack end-user smartphones running the latest versions of Microsoft's Internet Explorer browser.
The disclosures earlier this week came more than six months after researchers from HP-owned TippingPoint first privately reported the bugs to Microsoft security engineers. According to the advisories published here, here, here, and here, Microsoft officials acknowledged the bugs and in each case asked for an extension beyond the four months TippingPoint officials normally wait before publicly disclosing vulnerabilities. All four of the extensions expired Sunday, leading to the public disclosure of the bugs.
It remains unclear why Microsoft hasn't issued fixes. TippingPoint alerted Microsoft to three of the vulnerabilities in January and one of them last November. A Microsoft spokesman told Ars he was looking into the matter.
For those of us who are in the patching world, the last few weeks have not been fun. It seemed like there was a new critical issue almost every other day and almost certainly just after you finished the previous round of patching. I guess that is what happens when a hacking firm is breached.
Well, unfortunately I'm here to add to your woes. BK wrote in (thanks) to remind me that on the same day that Microsoft patched a critical issue, ZDI released four vulnerabilities that, whilst based on their CVSS score may not quite reach critical (in Microsoft world), will likely result in a patch for most systems (including Windows Phone). http://www.zerodayinitiative.
In this case all four were discovered in-house, disclosed to the vendor over 120 days ago and as of release are unlikely to have an exploit associated with them. That is, however, likely to change.
Mark H
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.