Category Archives: Security

Google Android 6 stage update process

So I bought a new HTC Nexus One (brown, with US warranty) last week, and it came with a custom Vodafone UK ROM reporting Android Kernel Version: 2.16.405.1 CL223106 release-keys.  Unfortunately, this particular firmware refuses OTA updates and even manual updates, and it was a nightmare tracking down the problem.  Luckily I stumbled on this user comment on Amazon’s website, which led me to this page explaining the upgrade process: five stages to reach Android 2.3.3, which is the version that will accept the 2.3.4 update.

To summarize, the upgrade goes something like this, with each stage taking roughly 5-30 minutes depending on download time.

  • Downgrade to 2.2 build FRG33 using passimg.zip method
  • Upgrade to 2.2.1 build FRG83
  • Upgrade to 2.2.1 build FRG83D
  • Upgrade to 2.2.2 build FRG83G
  • Upgrade to 2.3.3 build GRI40
  • Upgrade to 2.3.4 (Google announcement here)

With an upgrade procedure this onerous, it is no wonder so few devices are running newer versions of Android.  The result is an immense level of Android fragmentation that leaves 99% of devices exposed to a serious security flaw in the ClientLogin API: the AuthTokens that the phone obtains through ClientLogin and then presents to Google’s services are transmitted in the clear, over plain HTTP.  Anyone able to sniff the same network, an open Wi-Fi hotspot for instance, can capture a token and replay it to act as that user for as long as the token stays valid.  The fix ships in Android 2.3.4, which is why the whole six-stage dance above matters.

According to Google’s own statistics, the share of devices running a non-vulnerable version of Android might be a little better than 1% now, but not much better.

Image credit: Google

Temporary workaround for Windows SMBv2 zero-day

The Windows SMBv2 zero-day vulnerability (a publicly disclosed vulnerability with no software fix yet) appears to be more dangerous than initially thought.  It does not affect the Release to Manufacturing (RTM) version of Windows 7 or Windows Server 2008 R2, but it does affect Windows Vista and Windows Server 2008.  The danger is no longer just a system crash or reboot: the flaw sits in the kernel-mode SMB server and is reachable before any authentication, so a successful exploit means remote code execution and full system compromise.

In the absence of a patch, Microsoft released instructions for disabling SMBv2: set the DWORD value Smb2 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0 and restart (setting it back to 1 re-enables it).  For your convenience, I’ve packaged two REG files that you can download, one that disables SMBv2 and one that re-enables it, for Windows Vista and Windows Server 2008.  So until a software patch is available, disable SMBv2 by double-clicking the disable-SMBv2.reg file and then rebooting.  The workaround does not break your ability to serve files, but clients fall back to SMBv1, which drops your SMB file-serving speeds to Windows XP and Windows Server 2003 levels, a moderate decrease in performance.  A machine that has no business sharing files with untrusted networks is better off also blocking TCP ports 139 and 445 at the firewall, which Microsoft’s advisory recommends as well.  When the patch becomes available and you have applied it, just run the enable-SMBv2.reg file and reboot.

Voting machines hacked, votes stolen in POC attack

Researchers at the University of California, San Diego, have used a relatively new programming technique (return-oriented programming, which stitches together snippets of code already present in the machine’s own firmware, so the attacker never has to load code of their own) to hack a voting machine. What is really scary about this attack is that the researchers did not need the source code or other unlikely insider information to do it; all they needed was what anyone with physical possession of a voting machine could obtain. The electronic voting movement makes a lot of sense as a principle: it would hopefully eliminate a lot of waste, improve accuracy, speed up results, and reduce or eliminate controversy. Unfortunately, electronic votes represent one of the top, say, five juiciest targets for a hacker imaginable (right next to pwning a bank, a nuclear missile silo, a nuclear power plant, and the Hubble Space Telescope, I’m guessing). In my opinion, computer science has not yet invented the hack-proof system (other than one that is powered off), so I believe that we are not ready for electronic voting.

J.Ja

Temporary fix for unauthorized WordPress password reset

There is a serious exploit against WordPress out in the wild that allows an attacker to reset your password.  It works on every version of WordPress released so far, and there is no official patch yet, which is pretty scary.  The flaw is that wp-login.php only checks that the reset key is not empty, while PHP happily delivers a request parameter as an array (key[]= in the query string), so a non-empty array slips past the check and reaches the database lookup.  There is a temporary workaround, and it appears that WordPress.com has already applied it.  The workaround can be found here; I have already applied it to my site, and you should too if you are running WordPress.

Basically, all you need to do is replace some text in your wp-login.php file.  Just go in there and change:

if ( empty( $key ) )

to

if ( empty( $key ) || is_array( $key ) )

Now if someone tries to reset your password using this exploit, they will get slapped down with the message “Sorry, that key does not appear to be valid.”  Now that’s music to my ears.

I have verified that this solution works by testing the exploit on my own site.  Without this modification, I can nuke my admin password.  My mail function was broken, so the system wouldn’t even send me a new password via email, and I had to restore the password from my backup.  With this modification, the exploit doesn’t work.
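To see why the one-line change matters, here is an added example (not code from the WordPress project or from this post) that reproduces the vulnerable check and the fixed check side by side against a constructed in-memory users table. The lookup_by_key() helper and the table contents are this example’s own assumptions: they stand in for $wpdb->prepare() and $wpdb->get_row(), keeping prepare()’s behaviour of accepting its placeholder values as a single array.

```php
<?php
// Added example, not WordPress's own code: a stand-in for the pre-2.8.4
// reset_password() path in wp-login.php, run against a constructed users table.
// lookup_by_key() and the $users array are this example's assumptions.

// Constructed users table. A fresh install leaves user_activation_key empty,
// and the admin account is normally the first row.
$users = [
    ['ID' => 1, 'user_login' => 'admin',   'user_activation_key' => ''],
    ['ID' => 2, 'user_login' => 'editor',  'user_activation_key' => ''],
    ['ID' => 3, 'user_login' => 'pending', 'user_activation_key' => 'abc123'],
];

// Stand-in for $wpdb->get_row($wpdb->prepare("SELECT * FROM wp_users
// WHERE user_activation_key = %s", $key)). wpdb::prepare() accepts its
// placeholder values either as extra arguments or as one array, so an
// array-valued $key is unpacked and its first element is what %s receives.
// get_row() returns the first matching row.
function lookup_by_key(array $users, $key) {
    $args  = is_array($key) ? $key : [$key];
    $bound = (string) $args[0];
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $bound) {
            return $u;
        }
    }
    return null;
}

// The pre-2.8.4 logic. preg_replace() accepts an array subject and returns
// an array, and empty() is false for any non-empty array, so array('')
// survives the check and reaches the lookup as an empty string.
function reset_password_vulnerable(array $users, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key ) )
        return 'Invalid key';
    $user = lookup_by_key($users, $key);
    if ( empty( $user ) )
        return 'Invalid key';
    return 'password reset for ' . $user['user_login'];
}

// The 2.8.4 logic: the one-line change from the post, rejecting arrays
// before they can reach the query.
function reset_password_fixed(array $users, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key ) || is_array( $key ) )
        return 'Invalid key';
    $user = lookup_by_key($users, $key);
    if ( empty( $user ) )
        return 'Invalid key';
    return 'password reset for ' . $user['user_login'];
}

// PHP parses the query string ?action=rp&key[]= into $_GET['key'] === array('').
$attack = [''];

echo reset_password_vulnerable($users, $attack), "\n";   // the exploit request
echo reset_password_fixed($users, $attack), "\n";        // same request, fixed code
echo reset_password_fixed($users, 'abc123'), "\n";       // a genuine reset key
echo reset_password_fixed($users, ''), "\n";             // an empty key
```

Run it with php: the vulnerable version answers the key[]= request by picking the first user with an empty activation key, which on a typical install is the admin account, while the fixed version rejects the array and still accepts a genuine key. The order of the checks is the point: is_array() has to run before the key reaches the query, because the query itself cannot tell an attacker’s empty array from a legitimately empty column.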

Update 8/12/2009 – WordPress.org has released WordPress 2.8.4.  I think that release only adds the modification above, but it might include other patches too.  I hate these full upgrades, because you have to back up first and hope nothing breaks or resets.  I may skip this upgrade since I did the manual fix, which is easier.


90% of you run an insecure version of flash

Last Friday, a new version of Adobe Flash came out that patched the most recent critical flaws in Flash Player. Yet because the update process isn’t automatic, most of you have not updated the Flash Player in your web browser. It doesn’t help that Adobe makes the manual update process a pain: it forces you to install yet another download manager and tries to get you to install yet another browser toolbar. The end result is that most of your computers are vulnerable to websites that display malicious Flash content.

Read the rest at DigitalSociety.org

Mozilla patches SSL, Microsoft CryptoAPI still exposed

Mozilla has patched a very critical flaw in Firefox that allows attackers to pose as a legitimate Firefox update server and implant harmful code on a victim’s computer. Firefox 3.0.13 and 3.5.2 are no longer vulnerable to this attack, and the update should run automatically. It would be prudent to check manually: open the Firefox “Help” menu and choose “About” to confirm the version.

See the full story at DigitalSociety.org »

Apple keyboards hacked and possessed

If the bad news about all the new critical iPhone and Mac OS X vulnerabilities announced at BlackHat 2009 weren’t bad enough, there now appears to be a new vulnerability in Apple’s hardware.  This type of hack, however, isn’t something you can take to an Apple store and have an Apple “genius” exorcise, because once the Apple keyboard is infected and locked there is no practical way of undoing the damage.

Read the rest and see my video interview with the researcher at DigitalSociety.org