Posts tagged Android

1 min Android

Leaked Android Platform Certificates Create Risks for Users

A new report contains 10 different platform certificates and malware sample SHA256 sums where the malware sample had been signed by a platform certificate.

7 min Vulnerability Management

SolarWinds SUNBURST Backdoor Supply Chain Attack: What You Need to Know

On Dec. 12, 2020, FireEye provided detailed information on a widespread attack campaign involving a backdoored component of the SolarWinds Orion platform.

9 min Vulnerability Disclosure

Vulntober: Multiple Mobile Browser Address Bar Spoofing Vulnerabilities

Today, we're announcing a coordinated vulnerability disclosure on a set of address bar spoofing vulnerabilities that affect a number of mobile browsers.

4 min InsightVM

How to Improve Vulnerability Patching Efficiency through Automation

In this blog, we discuss how automation can improve your security team's patching efficiency.

4 min Android

Pokemon Go, Security, and Obsolescence

Pokemon Go started it. The crusty old house cell phone, which we had years ago ported from a genuine AT&T land line to a T-Mobile account, suddenly caught the attention of my middle son.

> "Hey Dad, can I use that phone to catch Pokemon at the park?" "Sure! Have fun, and don't come back until sundown!"

A few minutes later, he had hunted down his first Pikachu, which apparently required running around the block in Texas summer heat a few times. Sweat-soaked but proud, he happily presented hi

5 min Vulnerability Management

Using the National Vulnerability Database to Reveal Vulnerability Trends Over Time

This is a guest post by Ismail Guneydas. Ismail Guneydas is a senior technical leader with over ten years of experience in vulnerability management, digital forensics, e-Crime investigations and teaching. Currently he is a senior vulnerability manager at Kimberly-Clark and an adjunct faculty at Texas A&M. He has M.S. in computer science and MBA degrees. 2015 is in the past, so now is as good a time as any to get some numbers together from the year that was and analyze them. For this blog post,

2 min Android

The Haves And Have-Nots in Device Security

Today's story [http://arstechnica.com/tech-policy/2015/11/feds-explain-sort-of-why-they-really-want-data-on-seized-iphone-5s/] about the ongoing issues law enforcement is running into with Apple's encrypted-by-default design illustrates a major difference between the iPhone and the Android security models. Encryption by default on older Apple devices makes it impossible for anyone without the password to decrypt the phone. This, in turn, becomes a problem for law enforcement, since it means tha

1 min Android

Disclosure: Android Chrome Address Bar Spoofing (R7-2015-07)

Android Chrome Address Bar Spoofing (R7-2015-07) Summary Due to a problem in handling 204 "No Content" responses combined with a window.open event, an attacker can cause the stock Chrome browser on Android to render HTML pages in a misleading context. This effect was confirmed on an Android device running Lollipop (5.0). An attacker could use this vulnerability to convince a victim of a phishing e-mail, text, or link to enter private credentials to an untrusted page controlled by the attacker.

2 min Android

R7-2015-02: Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE)

Vulnerability Summary Due to a lack of complete coverage for X-Frame-Options [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options] (XFO) support on Google's Play Store [https://play.google.com/] web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play S

5 min Exploits

Weekly Metasploit Update: Android WebView Exploit, Clipboard Monitor, and Mass Checks

Android WebView Exploit, 70% Devices Vulnerable This week, the biggest news I think we have is the release this week of Joe Vennix [https://twitter.com/joevennix] and Josh @jduck [https://twitter.com/jduck] Drake's hot new/old Android WebView exploit. I've been running it for the last day or so out on the Internet, with attractive posters around the Rapid7 offices (as seen here) in an attempt to pwn something good. I've popped a couple shells, I guess I didn't make my QR Code attractive enough

1 min Android

Federal Friday - 12.20.13 - Deck the Halls Edition

'Tis the season to be jolly! Happy Holidays everyone! While it's amazing that Christmas is next week, it's not amazing how much shopping I still need to do (shh, don't tell my wife). Being that the season of gift giving is here it makes sense to highlight a major request on many a letter to Santa Claus. Mobile devices! The focus this year, as in recent years, has been on the latest smartphones and tablets. There have been a few articles put out this week regarding some of the security capabilitie

4 min Android

National Cyber Security Awareness Month: Keeping Mobile Devices Safe

To mark National Cyber Security Awareness Month, we're trying to help you educate your users on security risks and how to protect themselves, and by extension your organization. Every week in October we'll provide a short primer email on a different topic relating to user risk. The idea is that you can copy and paste it into an email and send it around your organization to promote better security awareness among your users. The first post was on phishing [/2013/10/02/national-cyber-security-awa