November Security News Roundup
In the following roundup of the latest security news, read how a team of researchers from North Carolina State University discovered security flaws in Google's Android OS and how seven popular open source applications and products contain vulnerabilities that hackers could potentially exploit.
New Study Details Security Flaws in Google’s Android OS
While Apple’s iOS 7 may not be as popular with the crowd that likes to hack and tweak their phones’ software to their hearts’ content, the lockdown that the Cupertino-based titan puts on its phones also keeps handset makers from layering their own code onto the operating system. That is exactly where a recent study from North Carolina State University locates much of the security problem with Google’s Android OS.
Rachel Metz of MIT Technology Review reports on the new study and writes that “changes manufacturers made to the stock Android software were responsible for more than 60 percent of the security flaws uncovered in phones from different handset companies.” Metz got a chance to speak to one of the study’s authors, who said the university’s findings show that phone vendors, operating under “constant pressure to bring new software features to market,” end up letting security fall by the wayside.
From the MIT Technology Review story:
Overall, researchers determined that between 65 percent and 85 percent of the 177 security vulnerabilities on the Samsung, HTC, and LG smartphones originated from manufacturer customizations; 38 percent of the 16 weaknesses encountered on the Sony smartphones came from that source.
On a related front, the following Bloomberg News interview with Adam Ely, COO and cofounder of mobile security firm Bluebox, discusses how “a simple programming mistake within the Android operating system” could potentially be exploited by hackers on the roughly 900 million Android devices in the marketplace. Couple that with the North Carolina State University findings, and you have a mobile ecosystem whose attack surface is far larger than the stock OS alone: one bug in the platform reaches every device, while every manufacturer’s customizations add their own.
Researchers Find Vulnerabilities in Seven Open Source Applications and Products
If you think that just because you work with open source software you are playing with code that is safe from malicious tampering, you might want to think again. According to a recent story from IDG News Service, a team from the security firm Rapid7 “recently found and reported vulnerabilities in seven popular open-source software applications."
Rapid7 discovered problems in six of those applications and products “that could allow remote-authenticated attackers to execute commands” on the underlying operating systems: Moodle, vTiger, Zabbix, ISPConfig, OpenMediaVault, and NAS4Free. In addition, a vulnerability found in Openbravo ERP "could allow an attacker to read arbitrary files from the file system with the permissions of the user running the application." Note the qualifier in both descriptions: what an attacker gains from either class of flaw is bounded by the account the service runs under, so running these applications as a dedicated, unprivileged user limits the damage while patches are pending.
From IDG News Service, via PCWorld:
In the process of disclosing the identified security issues to the relevant software projects, Rapid7 found that many of them did not follow common industry practices when it came to handling vulnerability reports and working with security researchers.