[IS&T Security-FYI] SFYI Newsletter, July 18, 2011

Monique Yeaton myeaton at MIT.EDU
Mon Jul 18 15:00:02 EDT 2011


In this issue:


1. Apple Patches iOS Security Hole

2. BrowserID: New Sign-In System from Mozilla

3. ZeuS Variant Targets Android Smartphones



---------------------------------------------

1. Apple Patches iOS Security Hole

---------------------------------------------


Apple released iOS 4.3.4 (4.2.9 for those on Verizon) last week to fix a zero-day vulnerability in the software's PDF-reading capabilities. It is available as a free download to iPhone, iPod Touch and iPad users.


A description of the update says it "fixes (a) security vulnerability associated with viewing malicious PDF files." That's the same one used by JailbreakMe.com, a site that allows users to jailbreak their phones without using a computer or any special software, giving the owners a way to install third-party software and make low-level system changes.


The zero-day PDF vulnerability could be used not only to jailbreak a device but also to install malicious applications on it.


Read the story in the news:

<http://news.cnet.com/8301-27076_3-20079846-248/apple-delivers-ios-4.3.4-to-patch-pdf-security-hole/>



------------------------------------------------------------

2. BrowserID: New Sign-In System from Mozilla

------------------------------------------------------------


Last week Mozilla announced the launch of a prototype of BrowserID, a new sign-in system, for community review. It addresses a tough question many web developers face: how should users sign in? The classic approach, an email address plus a confirmation step, costs the user time and requires them to remember yet another password. BrowserID is designed to be easy to use, secure, supported across browsers, and decentralized, while respecting user privacy.


The system is still highly experimental, and Mozilla would love to get feedback from their users. They have provided a quick tutorial and demo site.


You can find out more here:

<http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in>


and here:

<https://browserid.org/>



-----------------------------------------------------------

3. ZeuS Variant Targets Android Smartphones

-----------------------------------------------------------


Anti-virus vendors have detected a variant of the ZeuS Trojan horse program that can infect Android smartphones. The malware in this case is a variant of Zitmo, which stands for "Zeus in the mobile;" it pretends to be an online banking security application called Rapport, which is the name of a legitimate application from Trusteer.


Previous variants of the ZeuS online banking Trojan targeted Symbian, BlackBerry and Windows Mobile devices. The Android variant does not require any digital certificates and is installed through a manual download of a supposed security extension from Trusteer. Once installed, the Trojan masquerades as an online banking activation app. In the background, it listens to all incoming SMS messages and forwards them to a remote web server. That's a security risk, as some banks now send mTANs (mobile transaction authentication numbers) via SMS; mTAN is banking-speak for a one-time password used to authenticate a transaction.


Criminals need to persuade users to download and install the app. The application is pushed by malware that has already infected the user's PC, but not until the user visits a banking website. The risk is relatively small, as not all banks use mTANs and relatively few people use smartphones for banking transactions.


Read the full story in the news:

<http://www.informationweek.com/news/231001685>



=====

Acknowledgements: I want to thank Mike and Ben for their efforts last week in putting together the newsletter while I was on vacation.


====================================================================

Read all Security FYI Newsletter articles online at http://securityfyi.wordpress.com/.

====================================================================



Monique Yeaton

IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

