Monday, 22 October 2012

Some Android apps have serious SSL vulnerabilities, researchers say

A team of researchers from two German universities has released a study asserting that many of the most popular free apps available through the Google Play store may be vulnerable to man-in-the-middle attacks -- seriously threatening user privacy.


The researchers, from the Universities of Hannover and Marburg, studied the 13,500 most popular free apps on the Play store for SSL and TLS vulnerabilities. They found that 1,074 of the applications "contain SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks," according to a summary posted online.
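The two patterns the researchers describe, as an added illustration in Java (not code from the study or from any audited app), alongside a hardened TrustManager that keeps the platform's validation and pins the server's public key; the expected pin bytes are a caller-supplied value assumed here, not anything from the article:

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SslValidation {
    // Anti-pattern 1 from the study: "accepts all certificates". checkServerTrusted
    // never throws, so a forged chain from a MITM proxy passes like a legitimate one.
    static X509TrustManager trustAll() {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    // Anti-pattern 2 from the study: "accepts all hostnames". A certificate validly
    // issued for any other name is accepted for the app's own server.
    static HostnameVerifier allowAllHosts() {
        return new HostnameVerifier() {
            public boolean verify(String host, SSLSession s) { return true; }
        };
    }

    // Hardened form: keep the platform's default TrustManager (chain validation
    // against the system CA store) and additionally pin the SHA-256 of the leaf
    // certificate's SubjectPublicKeyInfo. Hostname checking stays at the default.
    static X509TrustManager pinnedPlatformTrust(final byte[] expectedSpkiSha256) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform's default trust store
        final X509TrustManager platform = (X509TrustManager) tmf.getTrustManagers()[0];
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { platform.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                platform.checkServerTrusted(c, a); // standard PKI validation first
                byte[] actual;
                try { actual = MessageDigest.getInstance("SHA-256").digest(c[0].getPublicKey().getEncoded()); }
                catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
                if (!MessageDigest.isEqual(expectedSpkiSha256, actual))
                    throw new CertificateException("server public key does not match the pin");
            }
            public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
    }
}
```

A static check along the lines of the researchers' tool would flag the first two methods: an X509TrustManager whose checkServerTrusted body never throws, and a HostnameVerifier that unconditionally returns true.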

Additionally, the scientists performed a manual audit of 100 apps for a more definitive look at potential security issues, finding that 41 were open to man-in-the-middle attacks because of SSL vulnerabilities. They said that the vulnerable apps could be exploited, allowing an attacker to steal highly sensitive usernames and passwords for Facebook, WordPress, Twitter, Google, Yahoo and even online banking accounts, among others.

Similar vulnerabilities, the team added, could be used to manipulate antivirus software on the phone, changing definitions to include benign apps or ensure that malicious ones are ignored.

"The cumulative install base of the apps with confirmed vulnerabilities against MITM attacks lies between 39.5 million and 185 million users, according to Google's Play Market. Actually Google's Play Market does not give a precise number of installs, instead giving a range. The actual number is likely to be larger, since alternative app markets for Android also contribute to the install base," the researchers wrote.

According to the H-Online, the team plans to make the code analysis tool it developed for the research public "in the near future."

Monday, 1 October 2012

Adobe Revokes Certificates Following Server Compromise

Adobe is in the process of revoking certain digital certificates after discovering two malicious utilities signed by valid Adobe certs. 

Adobe's senior director of security, Brad Arkin, wrote in a blog post that attackers had compromised an Adobe build server (not the certificates themselves) that was able to make code signing requests to Adobe's actual code signing service.

The breach occurred on July 10, so anything signed with the impacted key between then and October 4 will be revoked, Arkin wrote.

Adobe Downplays Impact

"This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications [Adobe Muse, Adobe Story AIR, and] that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms," he said.

So far, Adobe has found only two malicious utilities, pwdump7 v7.1 and myGeeksmail.dll, bearing the certificates. Adobe told Securityweek that "the evidence indicates that the certificate was not used to sign widespread malware." 

The Story's Not Over, Security Experts Say

But although the current scope is small, some security experts warn that the impact could be huge.

Kaspersky's Roel Schouwenberg questioned why Adobe had backdated the cert revocation to July 10, when the two malicious files were signed two weeks later.

"Is Adobe 100 percent confident no other malicious files were signed?" he asked. "We should view this as along the same lines as the RSA attack."

Furthermore, he said, no one knows who the attackers are really targeting. "So far nothing suggests that Adobe was the real target."

F-Secure's Sean Sullivan agreed that although "there's definitely no need to panic at this point" about getting infected by a stolen Adobe signature, we shouldn't move on too quickly.

"Being the build server, it makes one wonder if any developer computers have been compromised to allow code to be injected into Adobe's apps. Injecting a backdoor into Adobe's apps would be so much more valuable than spoofing its cert," he said.

In a statement, Paul Zimski of Lumension said that with the right certificates an attacker "could theoretically impersonate a legitimate software update, and spread malware payloads through these mechanisms."

"The installed software is going to think it's downloading a valid update, but it's actually a false update signed with a fraudulent, but real certificate. I'm not saying that's what was done here, but this is the Holy Grail of what could happen."

The issue now, Zimski said, is where the attackers are going next.

Similarly, Wes Miller, research VP at Directions on Microsoft, said the fact that attackers now have a code signing certificate for code "from one of the most pervasive companies on the planet, and one that is constantly patching" means it will take quite a bit of time for Adobe to revoke the certificates on a global level. And in the meantime, "how large of a threat vector does this pose?"

Adobe posted the malicious utilities on the Microsoft Active Protection Program (MAPP) so security vendors could detect and block them. At the moment, using an up-to-date anti-virus is your best bet, Schouwenberg said. 
