Apple's iOS 5.0.1 is out - should you upgrade?

Apple's latest iOS update is out.

The new version bumps iOS5 up to 5.0.1, and is Apple's first OTA update.

OTA stands for "over-the-air", and means that you can download and apply the update directly from your iDevice.
You no longer need to download the entire firmware file to your computer - including yet another copy of everything which hasn't changed in iOS - and push it to your device.
(OTA updating isn't yet mandatory. If you prefer to keep full copies of each iOS firmware distro, you can still use the download-and-install-with-iTunes method.)

According to Apple, the highlights of the 5.0.1 update are that it:
* fixes bugs affecting battery life,
* adds Multitasking Gestures for the original iPad,
* resolves bugs with Documents in the Cloud, and
* improves voice recognition for Australian users using dictation.

Strewth! That last one's a bonzer boost for blokes and sheilas everywhere! Gives an Aussie something worth lifting a tinnie to after the Baggy Green got such a big hiding from the South Africans in the cricket!

Importantly, 5.0.1 also fixes a number of security flaws, including a remote code execution (RCE) vulnerability involving font handling, found by Erling Ellingsen of Facebook. RCE means that a cybercriminal might be able to trick your device into running software without asking you, even if you're just browsing the internet.

Interestingly, Charlie Miller's recent and controversial App Store hole has also been patched. Miller showed how to write an innocent-looking App which, once approved by Apple, could fetch and run unapproved software.

Miller was unceremoniously banned from the Apple Developer scene for at least a year; there's no word from Apple, however, on whether he'll be readmitted now the hole is fixed.

Jailbreakers will be pleased to note that devices suitable for running a jailbroken iOS5 - a list which sadly still excludes the iPhone 4GS and the iPad 2 - can happily run a jailbroken iOS5.0.1.

If you are a jailbreaker, however, note that there is not yet any way to go back to iOS5.0 once you've moved on to 5.0.1.
That means that you'll never be able to use Charlie Miller's code-signing vulnerability for jailbreaking purposes in the future, for example if an iPad 2 jailbreak appears which relies on it.

And that leaves us with one question: should you update?
Some reports suggest that 5.0.1 brings with it a raft of new problems, and that the update might not, after all, fix your battery issues.

But these complaints are still anecdotal and unscientific, so if you trust Apple and you're not into jailbreaking, I'd suggest updating to 5.0.1 as soon as you conveniently can.

Ellingsen's and Miller's vulnerabilities may not have made it to Apple's highlights list, but each of these bugs on its own can be considered sufficiently important to warrant a prompt update.

Read More...

Free Android antivirus software is 'useless,' says testing firm

The malware scanners from minor players typically catch less than 10 percent of malicious software

Consumers and workers who install free Android antivirus scanners from relatively unknown developers are mostly wasting their time, an independent testing firm has found. "During our tests, we found out that the majority of free products are -- to make it short -- useless," says Andreas Marx, CEO of AV-Test. Of all the major mobile platforms, Android is at most risk for malware.

The German firm tested seven free antivirus applications for the Android platform and found that the best program detected only one-third of resident malware, and all others detected less than 6 percent. The best performer, Zoner Antivirus Free, detected 8 of 10 malicious programs during installation, while the other applications detected at most 1 of the 10 malicious programs, according to the firm's analysis (PDF).

The company tested Zrgiu's Antivirus Free, BluePoint Antivirus Free, GuardX Antivirus, Kinetoo Malware Scan, LabMSF Antivirus beta, Privateer Lite, and Zoner AntiVirus Free. Four of the free antivirus program did not detect any of the 172 resident malicious programs used as a test base; another detected only 2. The programs also had little success in detecting malware during installation, with three of the programs detecting no malware and three others detecting a single program. Zoner Antivirus Free was the only standout of the bunch, detecting 32 percent of resident malware and 80 percent of malware during installation.

The firm compared the results to antivirus offerings from established security firms F-Secure and Kaspersky, which detected more than 50 percent of resident malware and blocked all 10 malware samples during installation.

The company plans to widen the testing for its next report to include antivirus programs from commercial vendors as well.

 

Read More...

Android Malware Spreads Through QR Code

Last week, there was quite a buzz in the mobile-malware researchers community about a new Android malware. It came to light not because of its sophistication or complexity but due to the simple method that it uses to spread.

Most Android malware we have witnessed are repackaged malicious apps made available in black markets or third-party markets. This latest Android malware follows the same repacking path as its precursors. The only difference with this malware is that it uses quick response (QR) code to distribute the malicious link. We have already discussed in a recent blog that QR code can be used by attackers to spread malicious files.

A QR code is a type of matrix barcode to store information. These codes are increasingly found on product labels, billboards, and business cards. Why are QR codes so popular? The amount of data they hold. QR codes can carry 7,089 numeric characters or 4,296 alphanumeric characters and can store up to 2KB of data.

All one needs is a smart phone with a camera and QR reader application to scan these codes. The codes can direct users to websites or online videos, and send text messages and emails.

 

QR code points to McAfee.com

If you scan the QR code above with any QR code reader using your smart phone, it will redirect you to our site http://www.mcafee.com Attackers use these codes to redirect users to URLs that ask users to download malicious applications.

Malicious QR code

Analyzing the payload

Once users download a malicious application onto their mobile devices, they need to install it. This malicious app is the Trojanized Jimm application, which is a mobile ICQ client. The payload is nothing new, as we have already seen these behaviors in the past with other Android malware such as Android/FakePlayer.A and Android/HippoSMS.A. The latter sends SMS’s to premium numbers.

 

This malicious application requires the following user permissions:

User permission request by the application

Once installed, the malware sends an SMS to a premium number that charges users. The application has the following icon:

The application icon

We have also seen the JAR version of this application; it targets the J2ME mobile phones and sends SMS’s to premium numbers. When I installed the malicious .jar package in a test environment, it displayed the following message:

 

Installing the malicious application

It prompted me to select a country and then displayed the next message:

Finally the malware tries to send messages to premium numbers from the infected mobile. Because I was executing this application in a controlled environment, it told me I didn’t have a sufficient balance in my account to send the message. But I did confirm that it tried to send messages, as seen below:

In the recent blog about QR codes by my colleague Jimmy Shah, he suggested how to stay away from such attacks. Our advice has not changed: Use a mobile QR code-/barcode-scanning app that previews URLs, and avoid scanning suspicious codes.

McAfee products detect these malware in our latest DATs as Android/SMS.gen and J2ME/Jifake.a. Read More...

NoScript security tool released for Android, Maemo

The mobile version of the Firefox extension includes protection for cross-site scripting attacks and clickjacking

The developer of the widely used Firefox extension NoScript has released a version for the Android and Maemo operating systems.

NoScript is a security tool that can be used to block the execution of JavaScript, Java, Flash, and plugins by websites that are viewed as being potentially malicious. Many Web-based attacks on computers are initiated by JavaScript.

[ Learn how to manage iPads, iPhones, Androids, BlackBerrys, and other mobile devices in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. | Keep up on key mobile developments and insights via Twitter and with the Mobile Edge blog and Mobilize newsletter.

NoScript's developer, Giorgio Maone, wrote on his blog on Saturday that porting the application for Firefox on Android and Maemo was not easy, as it was a full rewrite of the extension, and "there's still a lot of work ahead."

The mobile version, called NoScript 3.0a8, includes protection against cross-site scripting attacks, in which a script drawn from another website is allowed to run that shouldn't. Cross-site scripting can allow an attacker to steal information or potentially cause other malicious code to run.

It also can block "clickjacking," another kind of attack where a user is tricked into clicking on certain parts of a Web page with hidden buttons that perform malicious actions. Those hidden buttons are delivered by an invisible iframe, which is a window that brings other content into the target website.

In 2008, researchers Robert Hansen and Jeremiah Grossman discovered a clickjacking attack involving Adobe Systems' Flash application that could give remote access to a victim's Web camera and microphone.

There are around 1,000 pieces of malware circulating for mobile devices, which pales in comparison to malware built for Windows desktop operating systems. But security analysts predict that mobile phones will increasingly be attacked for the sensitive data stored on the devices.

The NoScript mobile version shares many of the same functions as the desktop one. For example, users can built an "easy blacklist," where they select untrusted sites on which JavaScript and plugins should be blocked. Another option is the "classic whitelist," where sites that are trusted are added to a list that NoScript doesn't block.

Maone wrote that NoScript does not require the browser to be restarted after updates are installed, which "means that hot fixes for new security threats can be deployed in a more effective, timely, and convenient way." Read More...

Report: Smartphones will become a way to attack otherwise protected devices

Compromised smartphones will infect computers when they dock in much the same way malware gets onto laptops via thumb drives

Smartphones will become an increasing menace to network security that could drop malware onto protected devices when they dock to sync or plug into USB ports to charge, security experts say in a Georgia Tech report.

Compromised smartphones will infect computers they may plug into for otherwise legitimate reasons, much the same way malware such as Stuxnet found its way onto laptops via thumb drives, according to the "Emerging Cyber Threats Report 2012" (PDF) released at the Georgia Tech Cyber Security Summit 2011" today. It was presented by the Georgia Tech Information Security Center and Georgia Tech Research Institute. [ Stay ahead of advances in mobile technology with InfoWorld's Mobile Edge blog and Mobilize newsletter. ]

ONLINE SECURITY: Father of SSL says despite attacks it has lots of life left

The report warns that "mobile phones will be a new on-ramp to planting malware on more secure devices." The document cites an anonymous industry source saying that "... someone who just needs to charge his phone can introduce malware as soon as it's plugged into a computer within that location."

Other problems include the differences between laptop browsers and those used on smartphones. The latter display address bars fleetingly, leaving little time to observe the safety status of sites being visited, the report says. "If a user does click on a malicious link on a mobile browser," the report says, "it becomes easier to obfuscate the attack since the Web address bar is not visible."

Finding information about SSL certificates a site may be using may be difficult if the information is available through the browser at all, the researchers say.

Touch screens on smartphones may make users more susceptible to clicking on links that seem legitimate but mask malicious sites beneath them, which could lead to drive-by downloads of malware.

Patches and updates for smartphones are woefully infrequent, the report says. "While computers can be manually configured not to trust compromised certificates or can receive a software patch in a matter of days, it can take months to remediate the same threat on mobile devices -- leaving mobile users vulnerable in the meantime."

Meanwhile, the authors say that bot masters will find more ways to make money off their zombie machines beyond using them as spam or DDoS engines. For example, a downloader controlled by a bot master could infect machines with reconnaissance malware that profiles the user of the machine for marketing purposes. The information can be sold and resold until a legitimate business buys the information as part of a lead-generation effort, the report says.

Or alternatively, the zombies could be queried for personal technical details as a way to design a long-term stealthy attack to compromise data. Botnet operators will work more to create bot armies that they lease to others for whatever purpose they have in mind. "Infrastructure and information sharing will also occur more regularly between botnet operators and other malicious actors," the report says. Read More...

Russian security company adds BlackBerry password cracker

Elcomsoft says its software can extract a master device password from an encrypted BlackBerry memory card

A Russian security company has upgraded a phone-password cracking suite with the ability to figure out the master device password for Research in Motion's BlackBerry devices.

Elcomsoft said on Thursday that before it developed the product, it was believed that there was no way to figure out a device password on a BlackBerry smartphone. BlackBerry smartphones are configured to wipe all data on the phone if a password is typed incorrectly 10 times in a row, the company said.

[ Learn how to manage iPhones, Androids, BlackBerrys, and other smartphones in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. | Keep up on key mobile developments and insights via Twitter and with the Mobile Edge blog and Mobilize newsletter. ]

Elcomsoft said it figured a way around the problem using a BlackBerry's removable media card, but only if a user has configured their smartphone in a certain way. In order for Elcomsoft's software to be successful, a user must have enabled the feature to encrypt data on the media card.

The feature is disabled by default, but Elcomsoft said around 30 percent of BlackBerry users have it enabled for extra security.

The company's software can then analyze the encrypted media card and use a brute-force method to figure out a password, which involves trying millions of possible password combinations per second until one works.

Elcomsoft said it can recover a seven-character password in less than an hour if the password is all lower-case or all capital letters. The software does not need access to the actual BlackBerry device but just the encrypted media card.

The new feature is wrapped into Elcomsoft's Phone Password Breaker. It costs £79 ($123) for the home edition and £199 for the full-featured suite, which can also recover plain-text passwords used to access encrypted backup files for Apple's iPhone, iPad and iPod Touch devices. To crack those passwords, a user does need to have the Apple device in hand.

The BlackBerry password recovery feature is only available in the professional edition. Elcomsoft has published a chart comparing the two versions.
The backup files contain sensitive data including call logs, SMS archives, calendars, photos, email account settings, a person's Web browsing history and more.

Elcomsoft reserves some of its password-cracking software strictly to vetted law enforcement, such as its iOS Forensic Toolkit, which can extract passwords and decrypt a device's file system.

 

Read More...