So I bought a new HTC Nexus One (brown with US warranty) last week and it came with a custom Vodafone UK ROM with Android Kernel Version: 2.16.405.1 CL223106 release-keys. Unfortunately, this particular firmware prohibits any OTA updates or even manual updates, and it was a nightmare trying to track down the problem. Luckily I stumbled upon this user comment on Amazon’s website, which led me to this page explaining the upgrade process: a five-stage procedure to get to Android version 2.3.3, which is the version that allows you to run the 2.3.4 update.
So to summarize, the upgrade process goes something like this, where each stage took about 5 to 30 minutes (depending on download time):
- Downgrade to 2.2 build FRG33 using passimg.zip method
- Upgrade to 2.2.1 build FRG83
- Upgrade to 2.2.1 build FRG83D
- Upgrade to 2.2.2 build FRG83G
- Upgrade to 2.3.3 build GRI40
- Upgrade to 2.3.4 (Google announcement here)
With an upgrade procedure this onerous, no wonder so few devices are running newer versions of the Android operating system. The result is an immense level of Android fragmentation that leaves roughly 99% of devices exposed to a serious security flaw involving the ClientLogin API. The token itself is obtained over HTTPS; the problem is that the built-in Calendar and Contacts sync clients on Android versions before 2.3.4 then send the ClientLogin AuthToken over plain HTTP, so anyone on the same network (an open Wi-Fi hotspot, say) can capture it and replay it against the victim’s Google account for as long as the token stays valid, which is about two weeks.
The market share for non-vulnerable versions of Android (2.3.4 and later) might be a little better than 1% now, but not much better according to Google’s statistics.

Image credit: Google
Online services security report card
Now that the problem of user account “sidejacking” can no longer be ignored, I’ve created an online services report card that highlights which websites protect your account and which don’t.

I thought you’d get a laugh out of this one:
http://www.microsoft.com/technet/security/advisory/954157.mspx
Somehow, Microsoft hasn’t released a security bulletin for this, and they aren’t calling it a “critical” security problem, or classifying the patch as being security related in the update system, even though it is obviously a security problem!
J.Ja
Comcast has announced that it will begin testing a new monitoring system called Comcast Constant Guard that looks for botnet traffic on its network. Infected customers will get a “service notice” that pops up messages in the subscriber’s web browser telling them they are infected and pointing them to resources (mostly preventative solutions) to help clean the computer.
Read the rest at Digital Society.
The Windows SMBv2 zero-day vulnerability (a disclosed vulnerability with no software fix) appears to be more dangerous than initially thought. The vulnerability does not affect the Release to Manufacturing (RTM) version of Windows 7 or Windows Server 2008 R2, but it does affect Windows Vista and Windows Server 2008. The danger is no longer just a system crash or reboot; it can lead to a full system compromise (remote code execution, since SMB runs as SYSTEM in the kernel).
In the absence of a patch, Microsoft released some instructions for disabling SMBv2 (the workaround sets the Smb2 DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0; a value of 1 re-enables it). For your convenience, I’ve packaged two REG files that you can download that enable and disable SMBv2 in Windows Vista and Windows Server 2008. So until a software patch is available, you need to disable SMBv2 by double-clicking the disable-SMBv2.reg file and then rebooting. The workaround does not break your ability to serve files, but it does reduce your SMB file serving speeds to Windows XP and Windows Server 2003 levels, which is a moderate decrease in performance. When the patch becomes available and you have applied it, just run the enable-SMBv2.reg file and reboot.
Researchers at the University of California, San Diego, have used a new programming technique to hack a voting machine. What is really scary about this attack is that the researchers did not need the source code or other unlikely insider information to do it. All they needed was the information that someone would have by having possession of a voting machine. The electronic voting movement makes a lot of sense as a principle; it would hopefully eliminate a lot of waste, improve accuracy, speed up results, and reduce or eliminate controversy. Unfortunately, electronic votes represent one of the top, say, five juiciest targets for a hacker imaginable (right next to pwning a bank, a nuclear missile silo, a nuclear power plant, and the Hubble Space Telescope, I’m guessing). In my opinion, the world of computer science has not invented the hack-proof system (other than one that is powered off), so I believe that we are not ready for electronic voting.
J.Ja
There is a serious exploit against WordPress out in the wild that allows an attacker to reset your password. It works on every current version of WordPress (up to and including 2.8.3) and there is no official patch yet, which is pretty scary. There is a temporary workaround, and it appears that WordPress.com has already applied it. The workaround can be found here; I have already applied it to my site, and you should too if you are running WordPress.
Basically, all you need to do is replace some text in your wp-login.php file. The password reset code validates the key with empty(), which does not reject a key submitted as an array, so the extra is_array() check closes that hole. Just go in there and change:
if ( empty( $key ) )
to
if ( empty( $key ) || is_array( $key ) )
Now if someone tries to reset your password using this exploit, they will get slapped down with the message “Sorry, that key does not appear to be valid.” Now that’s music to my ears.
I have verified that this solution works by testing the exploit on my own site. Without this modification, I can nuke my admin password. My mail function was broken and the system wouldn’t even send me a new password via email, and I had to reset the password from my backup. With this modification, the exploit doesn’t work.
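To make the one-line fix above concrete, here is an added example (not code from the post or from WordPress itself) that models the 2.8.3-era reset_password() key check together with simplified stand-ins for $wpdb->prepare() and $wpdb->get_row(). The helper names prepare_like_wpdb, get_row_like_wpdb and reset_password_lookup and the users table are constructed for this demonstration. It shows why a key passed as an array slips past empty() and ends up matching the first user whose activation key is blank (normally the admin), and why adding is_array() stops it.

```php
<?php
// Added example, not the post's or WordPress's own code. It reproduces the
// key-handling logic of the vulnerable reset_password() and shows the effect
// of the is_array() hardening. The "users" table is constructed sample data.

$users = [
    ['ID' => 1, 'user_login' => 'admin',  'user_activation_key' => ''],
    ['ID' => 2, 'user_login' => 'editor', 'user_activation_key' => ''],
    ['ID' => 3, 'user_login' => 'bob',    'user_activation_key' => 'a1b2c3d4e5f6'],
];

// Stand-in for $wpdb->prepare(): like the real one, it quotes %s and, if the
// first argument after the query is an array, uses that array as the
// vsprintf() arguments. Escaping is omitted: the key is already alphanumeric.
function prepare_like_wpdb(string $query, $args): string {
    $vargs = is_array($args) ? $args : [$args];
    $query = str_replace('%s', "'%s'", $query);
    return vsprintf($query, $vargs);
}

// Stand-in for $wpdb->get_row(): first user whose activation key equals the
// value embedded in the prepared SQL, or null if nothing matches.
function get_row_like_wpdb(array $users, string $sql): ?array {
    if (!preg_match("/user_activation_key = '(.*)'$/", $sql, $m)) {
        return null;
    }
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $m[1]) {
            return $u;
        }
    }
    return null;
}

// Returns the user whose password would be reset, or the error message.
function reset_password_lookup(array $users, $key, bool $hardened) {
    // Real code strips everything that is not alphanumeric. On an array
    // subject preg_replace() returns an array, e.g. [''] for "key[]=".
    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    // Original check: empty(['']) is false, so an array key is NOT rejected.
    // Hardened check from the post additionally rejects arrays outright.
    if (empty($key) || ($hardened && is_array($key))) {
        return 'Sorry, that key does not appear to be valid.';
    }

    $sql  = prepare_like_wpdb(
        "SELECT * FROM wp_users WHERE user_activation_key = %s", $key);
    $user = get_row_like_wpdb($users, $sql);
    return $user ?: 'Sorry, that key does not appear to be valid.';
}

// Legitimate request: a real key selects the right user.
$r = reset_password_lookup($users, 'a1b2c3d4e5f6', false);
echo "valid key, unpatched:    " . $r['user_login'] . PHP_EOL;   // bob

// Malicious request: the key arrives as an array (what $_GET yields for
// key[]=). Unpatched, the array collapses to '' in the SQL and the first
// user with a blank activation key, the admin, gets a new password.
$r = reset_password_lookup($users, [''], false);
echo "array key, unpatched:    " . $r['user_login'] . PHP_EOL;   // admin

// Same request against the hardened check: the attacker gets the error.
$r = reset_password_lookup($users, [''], true);
echo "array key, patched:      " . $r . PHP_EOL;
```

Run it with `php reset_demo.php`; the third line prints the “Sorry, that key does not appear to be valid.” message the post describes. The underlying lesson is that empty() is not a type check: any input that reaches a database lookup straight from $_GET should be validated as the scalar type the code expects before it is used.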
Update 8/12/2009 – WordPress.org has released WordPress 2.8.4. I think that patch only adds the modification above, but it might include other patches too. I hate these full upgrades, because you have to back up first and hope nothing breaks or resets. I may skip this upgrade since I did the manual fix, which is easier.
Last Friday, a new version of Adobe Flash came out which patched the most recent critical flaws in Flash Player. Yet because the update process isn’t automatic, most of you have not updated your Flash Player in your web browser. The fact that Adobe makes the manual update process a pain to use and forces you to install yet another download manager and tries to get you to install yet another browser toolbar doesn’t help. The end result is that most of your computers are vulnerable to websites that display malicious flash content.
Read the rest at DigitalSociety.org
Mozilla has patched a very critical flaw in Firefox that allows attackers to pose as a legitimate Firefox update server and implant harmful code on a victim’s computer. Firefox 3.0.13 and 3.5.2 are no longer vulnerable to this attack, and the update should run automatically. It would still be prudent to check manually: open the Firefox “Help” menu and choose “About” to confirm the version.
See the full story at DigitalSociety.org »
If the bad news about all the new critical iPhone and Mac OS X vulnerabilities announced at BlackHat 2009 weren’t bad enough, there now appears to be a new vulnerability in Apple’s hardware. This type of hack, however, isn’t something you can take into an Apple store and have an Apple “genius” exorcise, because once the Apple keyboard is infected and locked there is no practical way of undoing the damage.
Read the rest and see my video interview with the researcher at DigitalSociety.org