From Paul's Security Weekly
- Google Patches Critical Encryption Bug Impacting Pixel, Nexus Phones - Threatpost reports: Google patched a critical encryption bug found on its Pixel, Pixel 2 and Nexus phones this week along with delivering 49 other fixes, part of its December Pixel / Nexus Security Bulletin. Five of the patches relate to vulnerabilities rated high. One of the patches (CVE-2017-13167) is for an elevation of privilege vulnerability and four others could open the door for a denial of service attack, according to Google. The only critical patch (CVE-2017-14907) is tied to a bug in “Qualcomm closed-source components” that weakens the cryptographic strength of handsets while it derives a disk encryption key, Google stated.
- Vulnerability Found in Two Keyless Entry Locks - Threatpost also reporting: Researchers at Dell Secureworks are warning a vulnerability in two keyless entry products could allow local attackers to lock and unlock doors and create illegitimate RFID badges by sending unauthenticated requests to affected devices. Impacted are two AMAG Technology Symmetry IP-based access door controllers used in keyless door models EN-1DBC and EN-2DBC. Researchers say if the devices are deployed with default configurations, attackers could abuse the systems by sending unauthenticated requests to door controllers via serial communication over TCP/IP.
- Android Flaw Poisons Signed Apps with Malicious Code - Among the four dozen vulnerabilities Google patched this week was a fix for a bug that allowed attackers to inject malicious code into Android apps without affecting an app’s signature verification certificate. The technique allows an attacker to circumvent device anti-malware protection and escalate privileges on a targeted device with a signed app that appears to be from a trusted publisher, according to researchers.
- Apple HomeKit Flaw Left Smart Gadgets Vulnerable - Not much in the way of details here, well, it is Apple and it is a security issue, so what more could you expect? Yep, that was a dig. In any case there is a vulnerability (though referenced as a "flaw" or a "bug", but it's a vulnerability, folks) in Apple HomeKit. Apple states: "The fix temporarily disables remote access to shared users, which will be restored in a software update early next week." This fix occurred on Apple servers, so no need to patch. However, Apple claims this vulnerability is difficult to exploit, whatever that means in this context, wait, we don't really have much context, so, thanks Apple (I think).
- Researcher Discovers Hidden Keylogger in HP Keyboard Driver - Users of a number of different HP laptops are being urged to update drivers after security researcher Michael Myng revealed a potential keylogger risk with the integrated Synaptics Touchpad driver. I mean, cool that there is a built-in keystroke logger, which I am sure HP is saying was there for "debugging" purposes. Why you would leave that in is interesting; however, attackers can always just install their own keystroke loggers, so this is nothing to really write home about.
- Google Researcher Releases iOS Exploit: Could Enable iOS 11 Jailbreak - As promised last week, Google's Project Zero researcher Ian Beer has now publicly disclosed an exploit that works on almost all 64-bit Apple devices running iOS 11.1.2 or earlier, which can be used to build an iOS jailbreak, allowing users to run apps from non-Apple sources. On Monday morning, Beer shared the details on the exploit, dubbed "tfp0," which leveraged double-free memory corruption vulnerabilities in the kernel, the core of the operating system. Here, "tfp0" stands for "task for pid 0" or the kernel task port—which gives users full control over the core of the operating system. - And here I thought jailbreaking was so 5 years ago. I suppose this is interesting, jailbreaking iOS really just means get an Android phone or tablet if you want that level of control.
- Collection of 1.4 Billion Plain-Text Leaked Passwords Found Circulating Online - That's a whole ton, 41GB to be exact, of passwords: The collective database contains plain text credentials leaked from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public, Exploit.in. Time to change your passwords, again, and maybe throw in some 2FA.