Latest news
A bug in the way some Android-running HTC smartphones handle requests for password allows some applications to send the user's Wi-Fi network username, password and SSID information to a remote server, researcher Bret Jordan warned on Wednesday."There is an issue in certain HTC builds of Android that can expose the user's 802.1X password to any program with the 'android.permission.ACCESS_WIFI_STATE' permission. When paired with the 'android.permission.INTERNET' permission, an app could easily send user names and passwords to a remote server for collection," he explained. "In addition, if the SSID is an identifiable SSID ('Sample University' or 'Enterprise XYZ'), this issue exposes enterprise-privileged credentials in a manner that allows targeted exploitation."
He discovered the flaw last September, has notified HTC, Google, key government agencies and CERT about it immediately, and has shared with the companies what the details of the vulnerability. HTC has confirmed on Tuesday the existence of the flaw.
In the meantime, they worked on a patch, and updates that solve the issue have been released for the affected devices: Desire HD (versions FRG83D and GRI40), Glacier (FRG83), Droid Incredible (FRF91), Thunderbolt 4G (FRG83D), Sensation Z710e (GRI40), Sensation 4G (GRI40), Desire S (GRI40), EVO 3D (GRI40) and the EVO 4G (GRI40).
Users who haven't already received the fix are advised to visit the aforementioned page and update their devices themselves.
"Google has also done a code scan of every application currently in the Android Market and there are no applications currently exploiting this vulnerability." reassured Jordan.
Spotlight
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.
Ransomware adds password stealing to its arsenal
Posted on 17 May 2013. | Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds.
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
