Hasta La Gadget!

The art of smishing (SMS-Phishing) has been practiced for some time, but a discovery by the wizards at NC State University has uncovered a new vulnerability that could bring the aforesaid act back into the spotlight. Xuxian Jiang’s research team recently identified the hole and confirmed that it impacts Gingerbread, Ice Cream Sandwich and Jelly Bean. Put simply, if an Android user downloads an infected app, the attacking program can “make it appear that the user has received an SMS, or text, message from someone on the phone’s contact list or from trusted banks.” This fake message can solicit personal information, such as passwords for user accounts. The team isn’t going to disclose proof until Google patches it up, but the school has said that Google will be addressing it “in a future Android release.” For now, however, Jiang recommends additional caution when downloading and installing apps from unknown sources, while also suggesting that folks pay close attention to received SMS text messages.

Filed under: Cellphones, Software, Mobile, Google

Android ‘smishing’ vulnerability discovered by NCSU researchers; Google has a fix incoming originally appeared on Engadget on Fri, 02 Nov 2012 14:08:00 EDT. Please see our terms for use of feeds.

Permalink   |  NC State University (1), (2)  | Email this | Comments

Microsoft has just announced that it will be providing security patches for the Windows 8 IE10-specific version of Flash, despite the software giant initially suggesting it wouldn’t. The patch will be available “shortly,” and hints at a return to the update cycles of old. More significantly, as ZDNet points out, unless Microsoft coordinates these releases with Adobe, there could be a constant cycle of IE10 being vulnerable in the future. On a positive note, the fix should be released before Windows 8 goes prime time, but for those who jumped on board early, you might want to keep one eye locked on the update page, and get it when it lands.

Filed under: Software

Microsoft confirms Flash vulnerability fix for Internet Explorer 10 coming soon originally appeared on Engadget on Tue, 11 Sep 2012 11:27:00 EDT. Please see our terms for use of feeds.

Permalink   |  ZDNet  | Email this | Comments

If you’ve played Assassin’s Creed 2 (or other Ubisoft games), you may have installed more stealthy infiltration than you bargained for. Some snooping by Tavis Ormandy around Ubisoft’s UPlay looks to have have discovered that the service’s browser plugin, meant to launch locally-stored games from the web, doesn’t have a filter for what websites can use it — in other words, it may well be open season for any maliciously-coded page that wants direct access to the computer. Closing the purported, accidental backdoor exploit is thankfully as easy as disabling the plugin, but it could be another knock against the internet integration from a company that doesn’t have a great reputation for online security with its copy protection system. We’ve reached out to Ubisoft to confirm the flaw and learn what the solution may be, if it’s needed. For now, we’d definitely turn that plugin off and continue the adventures of Ezio Auditore da Firenze through a desktop shortcut instead.

Update: That was fast. As caught by Geek.com, the 2.0.4 update to UPlay limits the plugin to opening UPlay itself. Unless a would-be hacker can find a way to compromise the system just before you launch into Rayman Origins, it should be safe to play.

Filed under: Gaming, Software

Ubisoft UPlay may accidentally contain web plugin exploit, Ezio would not approve (update: fixed) originally appeared on Engadget on Mon, 30 Jul 2012 10:02:00 EDT. Please see our terms for use of feeds.

Permalink TechDirt  |  Seclists.org  | Email this | Comments