NEWS - September 20, 2012

With the release of iOS 6.0, Apple not only delivers several new features to the mobile operating system but also closes an impressive number of security vulnerabilities. The major update deals with a list of almost 200 CVE items, some of which each apply to several vulnerabilities.

The problems grant hackers almost free reign: they range from a hole that lets attackers circumvent the passcode on the lock screen, to the ability to fake text message sender information, and to code injection through specially prepared web sites or media files. For many of the exploits, Apple provides short one or two sentence explanations of their outcomes.

However, Apple does not provide information about one important vulnerability, even though it is actually quite dangerous. Caused by an error in the way the operating system parses some configuration files, the hole allows attackers to pretend an important system update is available for the user's device. This update appears to be signed by Apple or the user's mobile carrier, when in fact it is completely fake. If the user installs the so-called "update", the malicious configuration file is able to change critical system settings.

Continued : http://www.h-online.com/security/news/item/Apple-closes-numerous-security-holes-with-iOS-6-1713012.html

See Vulnerabilities & Fixes : Apple iOS Multiple Vulnerabilities

Security firm Sophos has been had to issue an embarrassing apology after the company's antivirus program suddenly started classifying every and any software update - including the company's own - as 'Shh/Updater-B' malware.

The issue became apparent on Wednesday morning when the firm's support forums were deluged with reports from customers that the software was generating large numbers of false positives for legitimate programs including Java, Adobe Reader, Microsoft and Google. [Screenshot]

"I've just started seeing this reported from all of my workstations; scads of emails. The Sophos tech support number is giving a 'fast busy' signal, as everyone calls to ask wtf?," wrote one annoyed admin.

"We had roughly 40% "infection" rate here in about a ten minute span of time... a few hundred machines...," added another.

The company's support forum reports eventually ran to several dozen pages of comments on the same theme: large numbers of malware reports with no easy way to stop them coming.

False positives hit all antivirus programs from time to time but in this case it appears that because the program was also quarantining its own remote update many users were unable to rectify the problem.

Continued : http://news.techworld.com/security/3382507/sophos-antivirus-glitch-causes-false-positive-chaos/

From Sophos: Shh/Updater-B false positive by Sophos anti-virus products

A financial services industry group warned U.S. banks, brokerages and insurers on Wednesday to be on heightened alert for cyber attacks after Bank of America and JPMorgan Chase experienced unexplained outages on their public websites.

The Financial Services Information Sharing and Analysis Center, which is widely known as FS-ISAC, raised the cyber threat level to "high" from "elevated" in an advisory to members, citing "recent credible intelligence regarding the potential" for cyber attacks as its reason for the move.

The problems with the websites at the two banks came after an unidentified person posted a statement on the Internet threatening to attack Bank of America and the New York Stock Exchange as a "first step" in a campaign against U.S. companies. The posting said the attacks would continue until the film that had stirred up anti-U.S. protests across the Middle East was "erased" from the Internet.

It was not possible to identify the person who posted the statement. Nor was it clear if the threat had anything to do with the issues at either of the two banks.

Dan Holden, director of security research at Arbor Networks, said that several U.S. banks were under assault by a distributed denial of service (DDoS) campaign. He declined to identify them by name.

Continued : http://money.msn.com/business-news/article.aspx?feed=OBR&date=20120919&id=15576876

Ryan Naraine @ the Kaspersky Lab Weblog:

As part of my job monitoring security threats and trends for Kaspersky Lab's global research team, I'm exposed to a healthy dose of paranoia from white hat researchers who find it trivial to hack into modern operating systems and platforms.

After a few days of hanging out in the hallways with exploit writers, I find myself clutching my laptop to my chest a little tighter and constantly peeking at my mobile phone to make sure nothing out of the ordinary is happening.

None of this paranoia is misplaced. Just pay attention to the lessons from the Pwn2Own challenges organized by the CanSecWest / EuSecWest folks (shout-out to Dragos Ruiu for putting together top-notch events) and you get a real-world understanding of why it's near impossible to keep away a motivated adversary.

This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents.

For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on mobile devices.

Continued : http://www.securelist.com/en/blog/208193841/EuSecWest_2012_That_thing_in_your_pocket

Related: Mobile Pwn2Own: iPhone 4S hacked by Dutch team

"Oracle's software update for the flaw doesn't protect all versions of the database"

A researcher tomorrow will demonstrate a proof-of-concept attack that lets outside attackers and malicious insiders surreptitiously crack passwords for Oracle databases with a basic brute-force attack.

Esteban Martinez Fayo, a researcher with AppSec Inc., will show at the Ekoparty security conference in Buenas Aires, Argentina, an attack exploiting cryptographic flaws he discovered in Oracle's database authentication protocol. It lets an attacker without any database credentials brute-force hack the password hash of any database user so he then can get to the data.

Martinez Fayo and his team first reported the bugs to Oracle in May 2010. Oracle fixed it in mid-2011 via the 11.2.0.3 patch set, issuing a new version of the protocol. "But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable," Martinez Fayo says, and Oracle has no plans to fix the flaws for version 11.1.

That leaves those database users at risk of what Martinez Fayo says is a fairly simple -- yet potentially devastating -- attack against the so-called stealth password cracking vulnerability. "It's pretty simple. The attacker just needs to know a valid username in the database, and the database name. That's it," he says.

Continued : http://www.darkreading.com/authentication/167901072/security/application-security/240007643/attack-easily-cracks-oracle-database-passwords.html