14-04-2014, 14:57 #1
[EN] Android devices await Heartbleed fix
Millions of Android devices remain vulnerable to the Heartbleed bug a week after the flaw was made public.
By Leo Kelion
14 April 2014
Google announced last week that handsets and tablets running version 4.1.1 of its mobile operating system were at risk.
The search giant has since created a fix, but it has yet to be pushed out to many of the devices that cannot run higher versions of the OS.
It potentially places owners at risk of having sensitive data stolen.
In addition security firms warn that hundreds of apps available across multiple platforms still need to be fixed.
These include Blackberry's popular BBM instant messaging software for iOS and Android.
The Canadian firm has said that it will not issue a fix until Friday, but said there was only an "extremely small" risk of hackers exploiting the bug to steal its customers' data.
In the meantime the program remains available for download from Apple's App Store and Google Play.
News of the vulnerability with recent versions of the OpenSSL cryptographic software library was made public last Monday after researchers from Google and Codenomicon, a Finnish security firm, independently discovered the problem.
OpenSSL is used to digitally scramble data as it passes between a user's device and an online service in order to prevent others eavesdropping on the information.
It is used by many, but not all, sites that show a little padlock and use a web address beginning "https".
The researchers discovered that because of a coding mishap hackers could theoretically access 64 kilobytes of unencrypted data from the working memory of systems using vulnerable versions of OpenSSL.
Although that is a relatively small amount, the attackers can repeat the process to increase their haul.
Furthermore, 64K is enough to steal passwords and server certificate private keys - information that can be used to let malicious services masquerade as genuine ones.
Press reports initially focused on the risk of users visiting vulnerable websites, but attention is now switching to mobile.
Google's own statistics suggest that fewer than 10% of Android devices currently run version 4.1.1.
However, since close to one billion people currently use the OS that is still a significant number.
Some of those device owners can protect themselves by upgrading Android to a more recent version.
But several machines are unable to be upgraded higher than 4.1.1.
Customer websites indicate these include Sony's Xperia E and Xperia J handsets, HTC's One S, Huawei's Ascend Y300 and Asus's PadFone 2.
"Privacy and security are important to HTC and we are committed to helping safeguard our customers' devices and data," said the Taiwanese firm.
"We're currently working to implement the security patch issued by Google this week to the small number of older devices that are on Android 4.1.1."
Asus said its device was "expecting an update imminently". Sony and Huawei were unable to comment.
Google has now created a fix to address the problem. However, manufacturers still need to adapt it for their devices and this software will need to be tested by the various operators before they release it.
Users can check which edition of Android they are running by going to the "about phone" or "about tablet" option in their Settings app.
Alternatively several free apps have been released that can scan phones and tablets to say if they are vulnerable.
Lookout - a security firm behind one of the products - explained how hackers might take advantage of a vulnerable handset.
"Someone could build a malicious website or advert designed to steal data from your memory," Thomas Labarthe, the firm's European managing director, told the BBC.
"If you happen to be browsing it and have other tabs open in your browser, it could take data from a banking site - for example.
"No-one could steal a whole document - they can only take 64K of data - but that's still enough to steal your credentials."
Another security firm, Trend Micro, has focused on the issue of vulnerable apps.
These can affect any mobile operating system because the problem is caused by the servers that send data to the apps not having been updated to the latest version of OpenSSL.
Trend Micro said it was currently aware of 6,000 such risky apps, including shopping and bank-related services. That is 1,000 fewer than its figure for Friday - suggesting some server operators are addressing the problem.
But it acknowledged that it was hard for members of the public to know which of the hundreds of thousands on offer were safe to use.
"Some of these are services that were set up and then forgotten about," said senior malware researcher David Sancho.
"There's no way from using an app you can know if it's good or bad.
"So, for the moment, the best thing to do is use the ones from the major vendors that we know have been patched... but for the minor ones that have said nothing, be wary."
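The article above describes the bug as a "coding mishap" that lets a peer read up to 64K of memory per request. To make that concrete from the defender's side, here is an added example (not code from the article, from Lookout, or from OpenSSL) of a simplified TLS heartbeat responder modelled on the RFC 6520 record layout. The one line that matters is the bounds check comparing the sender's claimed payload length against the length of the record actually received; it has the same shape as the check the OpenSSL fix added, and without it a 16-bit length field of up to 65535 would have the response filled from whatever memory follows the record. The constants, function names and the sample requests are assumptions for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of a TLS heartbeat record body (RFC 6520), written for
 * this illustration; it is not OpenSSL's code.
 *   byte 0      : message type (1 = request, 2 = response)
 *   bytes 1..2  : payload_length, big-endian, chosen by the sender
 *   bytes 3..   : payload, followed by at least 16 bytes of padding
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Build the response a peer would echo back. Returns the number of bytes
 * written to out, or -1 if the record is malformed. The bounds check is the
 * one the pre-fix code lacked: the claimed payload_length is checked against
 * rec_len, the size of the record that actually arrived, so the memcpy can
 * never read past the received bytes regardless of what the sender claims. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* header + claimed payload + minimum padding must fit in the record */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return -1;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Real padding is random; zeroed here so the output is deterministic. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Test helper: build a request carrying the given payload, with a length
 * field that may be honest or over-stated, so the check can be exercised
 * on constructed input. Returns the record length, or 0 if it does not fit. */
size_t build_request(uint8_t *buf, size_t cap, const char *payload,
                     uint16_t claimed_len)
{
    size_t plen = strlen(payload);
    size_t total = HB_HEADER_LEN + plen + HB_MIN_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, plen);
    memset(buf + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    return total;
}

int main(void)
{
    uint8_t req[128], resp[128];

    /* Honest request: 5-byte payload, length field says 5 -> 24-byte reply. */
    size_t n = build_request(req, sizeof req, "hello", 5);
    int r = heartbeat_response(req, n, resp, sizeof resp);
    printf("honest request: response length %d\n", r);

    /* Same 24-byte record, but the length field claims 65535 -> rejected. */
    n = build_request(req, sizeof req, "hello", 65535);
    r = heartbeat_response(req, n, resp, sizeof resp);
    printf("over-claimed request: result %d\n", r);
    return 0;
}
```

The second case is the whole story of the bug: the record is 24 bytes long, the length field asks for 65535, and a responder that trusts the field rather than the record copies from memory it was never sent. Rejecting the record before the copy is the mitigation; the update the articles describe is this check landing on the servers and, for Android 4.1.1, on the client.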
14-04-2014, 15:01 #2
Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug)
Wednesday, April 9, 2014 9:58 AM
Posted by Matthew O'Connor, Product Manager
You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine and Earth. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this -- and encourage others to report them -- so that we can fix software flaws before they are exploited.
If you are a Google Cloud Platform or Google Search Appliance customer, or don’t use the latest version of Android, here is what you need to know:
We are currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances. Please find instructions here.
Google Compute Engine
Customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library. Please find instructions here.
Google Search Appliance (GSA)
Engineers are working on a patch. The GSA team is finalizing their analysis and will post an update for customers within 24 hours via the Google Enterprise Support Portal.
All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).
We will continue working closely with the security research and open source communities, as doing so is one of the best ways we know to keep our users safe.
Apr 12: Updated to add Google AdWords, DoubleClick, Maps, Maps Engine and Earth to the list of Google services that were patched early, but inadvertently left out at the time of original posting.
Last edited by 5ms; 14-04-2014 at 15:08.
14-04-2014, 15:03 #3
Blackberry plans Heartbleed patches as mobile threat scrutinized
By Jim Finkle
BOSTON Mon Apr 14, 2014 3:17am BST
(Reuters) - BlackBerry Ltd said it plans to release security updates for messaging software for Android and iOS devices by Friday to address vulnerabilities in programs related to the "Heartbleed" security threat.
Security experts initially told companies to focus on securing vulnerable websites, but have since warned about threats to technology used in data centers and on mobile devices running Google Inc's Android software and Apple Inc's iOS software.
Scott Totzke, BlackBerry senior vice president, told Reuters on Sunday that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate email and BBM messaging program for Android and iOS.
He said they are vulnerable to attacks by hackers if they gain access to those apps through either WiFi connections or carrier networks.
Still, he said, "The level of risk here is extremely small," because BlackBerry's security technology would make it difficult for a hacker to succeed in gaining data through an attack.
"It's a very complex attack that has to be timed in a very small window," he said, adding that it was safe to continue using those apps before an update is issued.
Michael Shaulov, chief executive of Lacoon Mobile Security, said he suspects that apps that compete with BlackBerry in an area known as mobile device management are also susceptible to attack because they, too, typically use OpenSSL code.
He said mobile app developers have time to figure out which products are vulnerable and fix them.
"It will take the hackers a couple of weeks or even a month to move from 'proof of concept' to being able to exploit devices," said Shaulov.
Technology firms and the U.S. government are taking the threat extremely seriously. Federal officials warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the Heartbleed bug.
Companies including Cisco Systems Inc, Hewlett-Packard Co, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp and Red Hat Inc have warned customers they may be at risk. Some updates are out, while others, like BlackBerry, are rushing to get them ready.
(Reporting by Jim Finkle; Editing by Leslie Adler)
Last edited by 5ms; 14-04-2014 at 15:06.
14-04-2014, 16:47 #4
That's because Google "discovered" the bug and had said Android was not affected.
After all, 100 million devices running vulnerable Android is nothing. They're all Samsung's.