
New products of the week 11.14.16

Network World Security

Two critical bugs and more malicious apps make for a bad week for Android


It was a bad week for millions of Android phone users. Two critical vulnerabilities were disclosed but remain unpatched in a large percentage of devices, while, separately, malicious apps were downloaded as many as 2.5 million times from Google’s official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday. A large percentage of Android phones, however, aren’t eligible to receive the fixes. Even those that do qualify don’t receive them immediately (the September updates are currently not available as over-the-air downloads for either of the Nexus 5X devices in my household). That gives attackers crude blueprints for exploiting vulnerabilities that remain unpatched on millions of devices.

“Extremely serious bug”

The first vulnerability was disclosed by Mark Brand, a researcher with Google’s Project Zero security team. Indexed as CVE-2016-3861, it allows attackers to execute malware or escalate local privileges on vulnerable phones. Brand warned that it’s “an extremely serious bug” because it can be exploited in a large variety of ways. He also said CVE-2016-3861 wasn’t particularly hard to detect, a finding that increases the chances that other researchers already knew about it. (In any event, Brand included proof-of-concept exploit code with his disclosure. A Google spokesman said the exploit was for research purposes, worked only on an undisclosed subset of Nexus devices, and “could not be used in real world attacks without substantial modification and even further research.”) Brand didn’t say exactly which Android version introduced the code-execution vulnerability, but he indicated that it’s present in at least several of the most recent releases.


Technology Lab – Ars Technica

Mac users vulnerable to state-sponsored Trident attack, fixed in iOS last week. Patch now

Remember the critical security holes that Apple patched in iOS last week after a human rights activist had his iPhone targeted in a seemingly state-sponsored attack?

Ahmed Mansoor received two suspicious SMS messages on his iPhone, directing him to websites containing a zero-day iOS exploit. Researchers connected the attack to the Israel-based firm NSO Group, and dubbed the vulnerabilities “Trident”.

Well, Apple has now quietly rolled out a further security update revealing that the zero-day flaws are also present in Apple’s OS X desktop operating system, as well as in the desktop version of its Safari browser.

My advice to Apple users? Make sure that your Macs, MacBooks, iPhones and iPads are up-to-date.

On OS X the easiest way to update your computer is to open the App Store app on your Mac, then click Updates in the toolbar. If updates are available, click the Update buttons to download and install them.

On iOS go to Settings > General > Software Update.

You may not be a human rights activist, but the fact that it took Apple *days* to issue a fix for OS X users after patching the same vulnerabilities in iOS has opened an opportunity for others to potentially exploit them against desktop users.

In an ideal world, Apple would have patched its mobile and desktop operating systems at the same time.

What we don’t know is whether Apple didn’t know the vulnerability was also present in OS X when it issued the iOS fixes, or whether it made the difficult decision to urgently update iOS even though its equivalent OS X fixes weren’t yet ready.

Graham Cluley