Major Android vulnerability leaves billions of devices open to attack

This week saw some serious Android vulnerabilities hit the headlines; according to various reports these affect 95% of Android devices, allowing them to be hacked simply by receiving an MMS message. The six vulnerabilities are said to be the worst Android vulnerabilities ever uncovered.

The issue was reported in April this year and apparently Google have sent out patches to all their partners. The problem is that many manufacturers don’t seem to have passed these fixes on to their customers. An estimated 1 billion devices may be affected; only those running a version from before 2.2 are safe.

The bugs themselves are remote code execution bugs in Android’s ‘Stagefright’ media playback library, and the permissions gained allow theft of data, access to SD cards and even recording of audio and video. Exploits could also be developed further to escalate privileges.

As yet, none of the manufacturers seem to have released fixes so keep an eye out and make sure to update when they do!

Web service secure? What about your database?

Almost 600TB of data in MongoDB databases is reportedly lying exposed due to an issue first reported back in 2012. John Matherly of Shodan recently published a lengthy post on the poor security of various databases, and MongoDB in particular. The cause is apparently the use of unpatched, out-of-date versions which do not bind to localhost by default and so listen on every network interface.

This specific security issue was reported back in 2012 but apparently took two years to fix, and many people are still running outdated versions, keeping the bug alive and kicking.

The majority of the publicly exposed MongoDB databases are running on cloud platforms such as Amazon AWS, Linode and Digital Ocean, which by the very nature of cloud hosting are less secure than databases hosted in data centres, exposing the information to the entire world wide web rather than just a few malicious users. Shodan’s blog post and MongoDB themselves urged users to make sure they have updated to the latest version, which is particularly advisable now that the issue has received media attention.
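As an added illustration that is not part of the Acunetix post or MongoDB’s own tooling, the script below audits a mongod.conf for the bind setting discussed above. It accepts both the legacy ini style (bind_ip) and the YAML style (net.bindIp / bindIpAll), and treats a missing bindIp as exposure on releases before 3.6, the version in which mongod started binding to localhost by default; the sample configs are constructed.

```python
import re
from ipaddress import ip_address

# MongoDB 3.6 changed the default: with no bindIp configured, mongod now
# listens on localhost only. Older releases listened on every interface.
LOCALHOST_DEFAULT_SINCE = (3, 6)
WILDCARDS = {"0.0.0.0", "::", "*"}

def _is_loopback(addr):
    if addr.lower() == "localhost":
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False  # hostnames or socket paths: not known to be loopback

def parse_bind_settings(config_text):
    """Extract bind addresses from YAML (bindIp) or legacy ini (bind_ip) text."""
    addresses, bind_all = [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.match(r"^(?:bindIp|bind_ip)\s*[:=]\s*(.+)$", line)
        if m:
            value = m.group(1).strip().strip("\"'[]")  # "a,b" or [a, b]
            addresses += [a.strip().strip("\"'") for a in value.split(",") if a.strip()]
            continue
        m = re.match(r"^(?:bindIpAll|bind_ip_all)\s*[:=]\s*(\w+)$", line)
        if m and m.group(1).lower() in ("true", "yes", "1"):
            bind_all = True
    return addresses, bind_all

def audit_bind_config(config_text, version):
    """Return a list of findings; an empty list means mongod listens on loopback only."""
    addresses, bind_all = parse_bind_settings(config_text)
    if bind_all:
        return ["bindIpAll is set: mongod listens on every interface"]
    if not addresses:
        if tuple(version) < LOCALHOST_DEFAULT_SINCE:
            return ["no bindIp configured: this release listens on all interfaces by default"]
        return []
    findings = []
    for addr in addresses:
        if addr in WILDCARDS:
            findings.append(f"bindIp {addr} exposes mongod on every interface")
        elif not _is_loopback(addr):
            findings.append(f"bindIp {addr} is reachable from the network; require auth and firewall it")
    return findings

# Constructed sample configs (not taken from any real deployment)
LEGACY_EXPOSED = "# mongod 2.4 style config\nport = 27017\nbind_ip = 0.0.0.0\n"
YAML_HARDENED = "net:\n  port: 27017\n  bindIp: 127.0.0.1,::1\nsecurity:\n  authorization: enabled\n"
```

Binding to loopback only is the first step; an instance that must be reachable over the network still needs authentication enabled and a firewall rule limiting who can reach port 27017.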

Latest WordPress update released

The latest version of WordPress is out, so it is time for all users to update, especially as it includes a fix for a Cross-site Scripting vulnerability. The flaw allows users with Contributor or Author roles to add JavaScript to the site, which can cause all sorts of damage, including infecting visitors with malware or stealing their cookies.

There are a number of sites which allow visitors or members to contribute to their online communities, and in these cases the flaw is particularly dangerous: it takes just one malicious user to exploit it and start an attack, usually one which enrols visitors into a botnet to be used for DDoS attacks. Often this occurs just hours after a vulnerability is published. So do make sure you update WordPress as soon as possible, or check that this has already happened automatically, as it should update without manual intervention.

Steam gaming platform vulnerability fixed

Recently, popular gaming platform Steam suffered a breach which gave attackers access to a small number of user accounts. The problem stemmed from the ‘forgotten password’ feature, whereby users were able to reset their password without entering the code sent to them by email. This meant anyone could potentially hijack accounts. Valve, who run the platform, recommend that all users change their passwords, but report that the bug has now been fixed.

THE AUTHOR
Acunetix

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.