Adobe Reader Security Issue Found
McAfee has discovered a vulnerability in Adobe’s Reader program that allows people to track the usage of a PDF file.
“Recently, we detected some unusual PDF samples,” McAfee’s Haifei Li said in a blog post. “After some investigation, we successfully identified that the samples are exploiting an unpatched security issue in every version of Adobe Reader.”
The affected versions of Adobe Reader also include the latest “sandboxed” Reader XI (11.0.2).
McAfee said that the issue is not a “serious problem” because it doesn’t enable code execution. However, it does permit the sender to see when and where a PDF file has been opened.
This vulnerability could only be dangerous if hackers exploited it to collect sensitive information such as IP address, internet service provider (ISP), or even the victim’s computing routine to eventually launch an advanced persistent threat (APT).
McAfee said that it is unsure who is exploiting this issue or why, but has found the PDFs to be delivered by an “email tracking service” provider.
The issue is triggered when a specific PDF JavaScript API is called with a UNC-located resource as its first parameter.
“Adobe Reader will access that UNC resource. However, this action is normally blocked and creates a warning dialog,” Li said. “The danger is that if the second parameter is provided with a special value, it changes the API’s behavior. In this situation, if the UNC resource exists, we see the warning dialog.
“However, if the UNC resource does not exist, the warning dialog will not appear even though the TCP traffic has already gone.”
McAfee said that it has reported the issue to Adobe and is waiting for their confirmation and a future patch. Adobe wasn’t immediately available for comment at the time of writing.
“In addition, our analysis suggests that more information could be collected by calling various PDF Javascript APIs. For example, the document’s location on the system could be obtained by calling the Javascript “this.path” value,” Li added.
Is Android Safer Than iOS?
The general consensus is that iOS apps tend to be somewhat safer than their Android counterparts. Apple goes to great lengths to have apps vetted and as a result far fewer iOS apps end up with malware or security issues.
However, a new report fresh out of Appthority claims iOS apps have their fair share of issues and in some respects they can pose an even greater security risk than Android apps. The report covered the top 50 apps from the Apple App Store and Google Play and found that iOS apps exhibited riskier behaviour.
“The majority of iOS apps track for location (60%), share data with advertising or analytics networks (60%) and have access to the user’s contact list (54%). A small percentage of iOS apps also had access to the user’s calendar (14%),” the report found.
However, Android fans shouldn’t be too happy since their platform is not far behind. Half of them share data with ad networks or analytics companies, while 42 percent tracked location. Slightly better, but nothing to be proud about.
One of the most worrying findings is that both Android and iOS apps don’t do much to prevent personal data from leaking from our devices. Not a single iOS app analyzed in the study used encryption to send and receive data, and neither did 92 percent of Android apps.
So while it might seem that Android is a somewhat better platform for users with privacy concerns, both Google and Apple are pants at that sort of thing.
Is NFC Catching On?
January 10, 2013 by admin
Near Field Communication (NFC) is steadily gaining adoption in the U.S. for sharing data and music among smartphones, but the technology faces years of slow growth as a replacement for physical wallets.
NFC will take a minimum of three more years to grab hold as a technology that enables so-called mobile wallets as a replacement for credit cards and cash in the U.S., according to a consensus of five analysts. And by “grab hold,” these analysts mean being used by only 10% of mobile phone users to make digital purchases.
Gartner analyst Avivah Litan predicts that NFC payments will hit the 10% threshold in 2015, compared to the process of SMS (texting) payments that is expected to represent 50% of mobile payment volume globally in that same year. “We’re still on the edge when it comes to NFC innovation,” Litan says. “It will take a decade before it’s mainstream across the globe.”
Dozens of new smartphones that run Android, BlackBerry and Windows, and that include an NFC chip, launched last year. But Apple notably did not put NFC in its new iPhone 5 when the phone launched in September. That move “surely had a significant detrimental impact on industry adoption of NFC,” Litan says, given Apple’s influence in the mobile market.
Apple justified the move by saying that consumers already could use its Passbook app, which shows barcodes on the display, instead of NFC. The barcodes contain information that can be scanned by optical readers to let users board planes and redeem movie tickets — tasks that Apple notes are “the kinds of things consumers need today.”
Some have criticized Apple for omitting NFC from the iPhone 5, which has led to a widespread reassessment of NFC’s immediate future, especially in the U.S.
Skype Confirms Glitch
July 23, 2012 by admin
Skype, a division of Microsoft, confirmed on Monday that a bug in its software has led to instant messages being shared with unintended parties.
The company said it will provide an update to fix the problem in “the next few days.”
According to user reports, the unintended recipients have been connected to just one of the two users who are exchanging messages. The problem could have harmful consequences. For example, two co-workers using Skype to exchange IMs (instant messages) could, as a result of the problem, share the message with another contact in one user’s address book — potentially a third co-worker being unfavorably described in their IM exchange.
According to Skype, the problem only arises in “rare circumstances.”
The issue first came to light last week in Skype’s user forums. It seems to stem from the update issued by the voice, video and text messaging service in June.
Remote Access Tools Threaten Smartphones
March 7, 2012 by admin
Malware tools that allow attackers to gain complete remote control of smartphones have become a major threat to owners around the world, security researchers say.
In a demonstration at the RSA Conference 2012 here Wednesday, former McAfee executives George Kurtz and Dmitri Alperovitch, who recently founded security firm CrowdStrike, installed a remote access tool on an Android 2.2-powered smartphone by taking advantage of an unpatched flaw in WebKit, the default browser in the OS.
The researchers showed an overflow audience how the malware can be delivered on a smartphone via an innocuous looking SMS message and then be used to intercept and record phone conversations, capture video, steal text messages, track dialed numbers and pinpoint a user’s physical location.
The tools used in the attack were obtained from easily available underground sources, Kurtz said. The WebKit bug, for instance, was one of 20 tools purchased from hackers for a collective $1,400.
The remote access Trojan used in the attack was a modified version of Nickispy, a well-known Chinese malware tool.
Learning how to exploit the WebKit vulnerability and to modify the Trojan for the attack was harder than expected, said Kurtz. He estimated that CrowdStrike spent about $14,000 in all to develop the attack.
But the key issue is that similar attacks are possible against any smartphone, not just those running Android, he said.
WebKit, for instance, is widely used as a default browser in other mobile operating systems including Apple’s iOS and the BlackBerry Tablet OS. WebKit is also used in Apple’s Safari and Google’s Chrome browsers.
Several mobile remote access Trojans are already openly available from companies pitching them as tools that can be used to surreptitiously keep tabs on others.
Hackers Attempt To Access AT&T Mobile
November 30, 2011 by admin
AT&T Inc, the No. 2 U.S. wireless carrier, said it is investigating an “organized and systemic attempt” to access mobile customers’ information but that it did not believe any accounts were breached.
The company, which had 100 million subscribers at the end of the third quarter, said it is advising less than 1 percent of its wireless customers that there was an attempt to obtain information about their accounts.
It said that the parties involved appeared to have used “auto script” technology to see if AT&T telephone numbers were linked to online AT&T accounts.
Spokesman Mark Siegel said AT&T’s “investigation is ongoing to determine the source or intent of the attempt to gather this information.”
Want A $19/Month Mobile Plan?
November 11, 2011 by admin
A new wireless operator is gearing up to launch next week with plans offering unlimited data, voice and texting for $19 a month and no contract.
Republic Wireless, a division of Bandwidth.com, will provide the service through Voice over IP using the nearest available Wi-Fi hotspot starting Tuesday, Nov. 8, a spokesman confirmed via email.
When a wireless phone user is traveling, the service will be provided through traditional cellular connections, initially over the Sprint network.
One important catch: Republic will require that its users have a new Android-based smartphone equipped with hardware and software that supports automatic switching from Wi-Fi to cellular. The device must have a single phone number that works on both networks.
Republic hasn’t disclosed further details on phones the network will support. The company said more details will be made available on the launch date.
Republic calls its Wi-Fi and cellular mixture “Hybrid Calling,” a strategy it said reduces the costs for network services and makes the $19 flat monthly “membership” rate possible.
Republic estimates that smartphone users are within reach of Wi-Fi over 60% of the time, said the spokesman, Kevin LaHaise.
Is Motorola Mobility A Patent Pimp Too?
November 5, 2011 by admin
Motorola Mobility has received $228m in patent licensing deals.
Motorola Mobility, which is in the process of being bought by Google, confirmed in its accounts that in June 2010 the firm signed a licensing deal with an unnamed company for which Motorola would receive $175m and future royalties. Those future royalties stacked up to an impressive $228m in just the nine months leading up to 2 October 2010.
Google’s attempt to buy Motorola’s handset division was generally regarded as a move to acquire the firm’s considerable patent portfolio. Motorola’s handset division is widely credited with being one of the major contributors to the development of mobile phones and while the firm’s smartphones might not be as fashionable as devices from Apple, HTC or Samsung, it clearly has patents that can bring home the bacon.
Although Motorola did not disclose the name of the other party in its licensing deal, there is a better than average chance that it is Research in Motion. The two firms came to a “long-term, intellectual property cross-licensing arrangement involving the parties receiving cross-licenses of various patent rights” in June 2010.
RIM’s Troubles May Not Be Over
October 27, 2011 by admin
Law firms in the United States and Canada are considering possible consumer lawsuits against Research In Motion Ltd for last week’s BlackBerry outages, which for three days crippled email and messaging for tens of millions of users around the world.
Consumer lawyers say they are investigating whether customers have common claims against the BlackBerry manufacturer and might be able to band together in a single lawsuit.
While the outage did not rise to the level of seriousness comparable to a dangerous medication or tainted food, it inconvenienced and angered customers. Frustrated BlackBerry users, turning to blogs, message boards, Twitter and Facebook, complained about losing important emails and missing meetings last week.
Law firms are considering breach-of-contract or consumer-fraud claims, attorneys said.
A breach-of-contract claim could argue the company failed in its obligations to provide service and could include carriers for BlackBerry service as additional defendants, said attorneys exploring litigation against RIM.
Motorola Being Dragged Into Patent Lawsuit
October 16, 2011 by admin
Intellectual Ventures has set its sights on Motorola with a new lawsuit alleging that the mobile device maker has infringed on six of its patents.
The patents cover a variety of technologies related to text messaging, docking stations and pushing software out to devices.
Intellectual Ventures, which owns 35,000 patents, said it approached Motorola in January about licensing patents, including several named in the case, according to the lawsuit. Motorola refused to license the patents, Intellectual Ventures said.
Motorola, which is the subject of several other patent lawsuits, declined to comment on the dispute.
The suit names a number of Motorola products as infringing, including the Atrix, Photon 4G, Milestone, Triumph and Brute i680.
Though Intellectual Ventures said it first approached Motorola in January, records at the U.S. Patent and Trademark Office show that all but one of the patents were transferred to the company in July and September.
It’s up to patent holders to file documents showing transfer of ownership with the patent office, so the discrepancy of timing probably means only that the company was slow in doing its paperwork, said David Mixon, a patent attorney with Bradley Arant Boult Cummings LLP.
While patent lawsuits have become commonplace in the mobile industry, this one has a unique twist. Google, which recently announced plans to acquire Motorola, is an investor in Intellectual Ventures, patent expert Florian Mueller noted in a blog post Thursday.