NotCompatible Android Security Buzz
This week a new Android malware package sparked renewed internet interest in the security of the Android mobile computing platform. The malware, dubbed "NotCompatible", is limited in both scope and vector: it is installed only through user interaction, and only on phones whose owner has enabled installation of packages from third-party sources (the "Unknown sources" setting).
The notable part of NotCompatible isn't the malware itself but how it reaches its victims: a technique called drive-by downloading. In a drive-by download, a website is compromised or poisoned, either by planting malicious code on it directly or by delivering that code through a malicious advertisement, so that malware is pushed to every user who browses to the site. Typically this is done to infect traditional computing platforms such as Windows, but with the growing trend of browsing the web from smartphones, an Android-based vector was only a matter of time. Unlike a classic drive-by against a desktop browser, the Android variant still needs the user to accept the download and approve the install; the site cannot execute the package on its own.
Critical PHP Bug Discloses Your Source Code
A source code disclosure is among the worst things that can happen to a web application, because database credentials and other secrets are commonly hard-coded in PHP source. Disclosure of that source can therefore lead to a much deeper compromise. The vulnerability works as follows:
PHP running as a CGI binary (php-cgi) accepts interpreter command-line flags from the query string of a GET request and behaves differently depending on the flag. The flag that discloses the source of the requested page is -s, passed as the query string of the GET request for that page. The query string must contain no unencoded "=" character; otherwise the CGI interface treats it as form data rather than as command-line arguments.
If the target runs PHP through the CGI interface on a version lower than PHP 5.3.12 (or 5.4.2 in the 5.4 branch), the site is vulnerable. mod_php and php-fpm deployments are not affected. Note that the initial fix in 5.3.12/5.4.2 turned out to be incomplete and was completed in 5.3.13/5.4.3.
Those affected by this bug should update to the most recent PHP release. A fair number of sites could be affected: the bug was first reported in 2004 and was only recently rediscovered and (accidentally) disclosed to the public.
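As an added worked example (written for this edit, not code from the original post or from the PHP project), here is a small Python scanner that applies the rule above to web server access logs. It derives the argv a CGI server would build from a query string (RFC 3875, section 4.4: a query string with no unencoded "=" is split on "+" and each piece URL-decoded into a command-line argument) and flags any .php request whose derived arguments look like interpreter options. The log lines are constructed for the example, and the mapping of php-cgi to the .php extension is an assumption, not something the post states.

```python
"""Spot php-cgi argument-injection probes (such as the '?-s' source-disclosure
request) in combined-format access logs.

Why the query string matters: the CGI specification (RFC 3875, section 4.4)
says a query string containing no unencoded '=' is a "search string": the
server splits it on '+', URL-decodes each piece and passes the pieces to the
CGI program as command-line arguments. php-cgi honoured those arguments, so
GET /index.php?-s ran php-cgi with '-s' against index.php and returned the
highlighted source instead of executing the page.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Request part of an Apache/nginx combined-format log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). The third line hides the
# dash as %2d, which slips past a naive grep for "?-s" but decodes to the
# same argument.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2012:10:21:33 +0000] "GET /index.php?-s HTTP/1.1" 200 4120 "-" "curl/7.21.0"
198.51.100.4 - - [08/May/2012:10:22:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2012:10:23:45 +0000] "GET /login.php?%2ds HTTP/1.1" 200 3980 "-" "curl/7.21.0"
192.0.2.9 - - [08/May/2012:10:25:12 +0000] "GET /search.php?q=a+b HTTP/1.1" 200 1502 "-" "Mozilla/5.0"
192.0.2.9 - - [08/May/2012:10:25:40 +0000] "GET /static/logo.png HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""


def cgi_argv(query_string: str) -> list[str]:
    """Return the argv a CGI server derives from a query string (RFC 3875 4.4).

    A query string that contains an unencoded '=' is ordinary form data and
    yields no arguments; anything else is split on '+' and URL-decoded.
    """
    if not query_string or "=" in query_string:
        return []
    return [unquote(piece) for piece in query_string.split("+") if piece]


def interpreter_flags(query_string: str) -> list[str]:
    """Return the derived argv entries that look like interpreter options."""
    return [arg for arg in cgi_argv(query_string) if arg.startswith("-")]


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, path, flags) for every request that would hand
    php-cgi one or more command-line options.

    Only .php paths are considered; this assumes (hypothetically) the common
    setup where php-cgi is mapped to that extension.
    """
    hits: list[tuple[str, str, list[str]]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.lower().endswith(".php"):
            continue
        flags = interpreter_flags(query)
        if flags:
            hits.append((m.group("ip"), path, flags))
    return hits


if __name__ == "__main__":
    for ip, path, flags in scan_log(SAMPLE_LOG):
        print(f"{ip} probed {path} with php-cgi options {flags}")
```

Run against the sample, the scanner reports the plain `?-s` request and the `%2ds` variant, and ignores `page=about` and `q=a+b` because both contain "=" and so never become arguments. The same condition (no "=" in the query string, a decoded argument starting with "-") is what the mod_rewrite workaround published alongside the fix tested for, so the check can be used to block as well as to detect.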
Hack Attack! New Group Makes Name Hacking NASA, Air Force
A new hacking group made a splash this week after breaching several governmental and private institutions. A quick read of the Twitter accounts mentioned in the group's Pastebin post (URL below) confirms that the breaches were the result of database intrusions. The weak password choices visible in the dumps also suggest that brute-force password guessing may have been used to gain access to some of the systems.
While database attacks are common, the attackers appear to have gained access to a notable set of targets, including the Air Force and the Bahrain Ministry of Defense. The latter is somewhat surprising, given that Anonymous has taken every opportunity to shame the Bahraini government for its continued human rights abuses; this suggests the group is probably not affiliated with Anonymous.
Microsoft Boots Chinese Company from Vulnerability Sharing Club
Microsoft announced that Hangzhou DPTech Technologies Co., Ltd would be removed from its vulnerability sharing program following the leak of a proof-of-concept exploit for a serious vulnerability in the Windows operating system. This is the second time Microsoft has had to remove a Chinese company from the program, and the leak marked the third occasion on which a vulnerability from the program was shared on a Chinese-language website.
Sharing high-impact vulnerability details with private (and international) companies is a risk for Microsoft and its customers, but Microsoft still believes the program is worth keeping rather than scrapping, since it allows participating vendors to protect users and customers ahead of the official patch.