<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>WebProNews &#187; Vulnerability</title>
	<atom:link href="http://www.webpronews.com/tag/vulnerability/feed" rel="self" type="application/rss+xml" />
	<link>http://www.webpronews.com</link>
	<description>Breaking News in Tech, Search, Social, &#38; Business</description>
	<lastBuildDate>Mon, 13 Feb 2012 23:03:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>HTC Phones Suffer From Bug That Allows Wi-Fi SSID &amp; Password Theft</title>
		<link>http://www.webpronews.com/htc-phone-bug-wifi-2012-02</link>
		<comments>http://www.webpronews.com/htc-phone-bug-wifi-2012-02#comments</comments>
		<pubDate>Thu, 02 Feb 2012 19:49:26 +0000</pubDate>
		<dc:creator>Zach Walton</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[bug]]></category>
		<category><![CDATA[HTC]]></category>
		<category><![CDATA[Smartphones]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Wi-Fi]]></category>

		<guid isPermaLink="false">http://www.webpronews.com/?p=94840</guid>
		<description><![CDATA[What is up with smartphones and their knack for having so many vulnerabilities just waiting to be exploited? HTC is the latest smartphone maker to acknowledge a vulnerability in their software that allows a user’s Wi-Fi password and SSID to &#8230;]]></description>
			<content:encoded><![CDATA[<p>What is up with smartphones and their knack for having so many vulnerabilities just waiting to be exploited? </p>
<p>HTC is the latest smartphone maker to acknowledge a vulnerability in their software that allows a user’s Wi-Fi password and SSID to be stolen by a malicious application running on the phone, according to <a href="http://blog.mywarwithentropy.com/2012/02/8021x-password-exploit-on-many-htc.html">Bret Jordan’s blog</a>, which first revealed the issue. </p>
<p>Thankfully, HTC has rolled out an update to several phones. Some phones, however, will need to be manually updated. HTC promises more details on the update next week according to <a href="http://www.pcmag.com/article2/0,2817,2399766,00.asp">PC Mag.</a> </p>
<p>Chris Hessing and Bret Jordan were the first to report the vulnerability to CERT. The <a href="http://www.kb.cert.org/vuls/id/763355">CERT Web site</a> describes the vulnerability as such: </p>
<blockquote><p><em>Any Android application on an affected HTC build with the android.permission.ACCESS_WIFI_STATE permission can use the .toString() member of the WifiConfiguration class to view all 802.1X credentials and SSID information. If the same application also has the android.permission.INTERNET permission then that application can harvest the credentials and exfiltrate them to a server on the Internet.</em></p></blockquote>
<p>The vulnerability affects only a certain number of HTC phones including the Desire HD, Glacier, Droid Incredible, Thunderbolt 4G, Sensation Z710e, Sensation 4G, Desire S, EVO 3D and EVO 4G. The MyTouch 3G and Nexus One are not affected. </p>
<p>If your phone is one of those listed above, you can download an update starting next week from the HTC <a href="http://www.htc.com/www/help/">help page. </a></p>
<p>HTC just can’t seem to catch a break. We <a href="http://www.webpronews.com/apple-gets-htc-phones-banned-in-patent-case-2011-12">reported</a> last December that HTC had many of their phones banned from being sold in the U.S. after a successful patent lawsuit from Apple. HTC had to remove the offending feature from all of their phones. </p>
<p>Once again, these kinds of problems will always come up with smartphones as they move towards being more computer-like. People will attempt to exploit their weaknesses while manufacturers will attempt to patch them as they come up. Just remember to be smart and safe with your smartphones by not storing a lot of personal information, like Wi-Fi passwords, on them. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.webpronews.com/htc-phone-bug-wifi-2012-02/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firefox Vulnerability Leaves Computers Open To Attack</title>
		<link>http://www.webpronews.com/firefox-vulnerability-leaves-computers-open-to-attack-2009-03</link>
		<comments>http://www.webpronews.com/firefox-vulnerability-leaves-computers-open-to-attack-2009-03#comments</comments>
		<pubDate>Thu, 26 Mar 2009 16:46:50 +0000</pubDate>
		<dc:creator>Frank Reed</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[bug]]></category>
		<category><![CDATA[Computer]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[XML]]></category>

		<guid isPermaLink="false">http://www.webpronews.com/?p=49208</guid>
		<description><![CDATA[<p>There has been a lot of talk recently about browsers and the maneuvering that is occurring in that space<img width="122" height="118" align="right" class="alignright size-full wp-image-9034" alt="firefox-logo" src="http://www.marketingpilgrim.com/wp-content/uploads/2009/03/firefox-logo.jpeg" /> due to <a href="http://www.marketingpilgrim.com/2009/03/spring-is-in-the-air-and-browsers-are-refreshed.html">new releases </a>and <a href="http://www.marketingpilgrim.com/2009/03/mozilla-without-googlezilla-could-be-a-killa.html">expiring agreements</a> and more.]]></description>
			<content:encoded><![CDATA[<p>There has been a lot of talk recently about browsers and the maneuvering that is occurring in that space<img width="122" height="118" align="right" class="alignright size-full wp-image-9034" alt="firefox-logo" src="http://www.marketingpilgrim.com/wp-content/uploads/2009/03/firefox-logo.jpeg" /> due to <a href="http://www.marketingpilgrim.com/2009/03/spring-is-in-the-air-and-browsers-are-refreshed.html">new releases </a>and <a href="http://www.marketingpilgrim.com/2009/03/mozilla-without-googlezilla-could-be-a-killa.html">expiring agreements</a> and more. While most of us would like to just talk about social media and search marketing all day it&rsquo;s hard to ignore problems when they are browser related because they can affect literally everything we do as Internet marketers.</p>
<p>So the <a href="http://www.pcworld.com/article/161988/">latest security bug in Firefox as reported by PC World</a> seems more urgent than most. We all understand that nothing is truly secure on the Internet but we also like to think that there are not glaring vulnerabilities in the tools we use on a daily basis. As the PC World article states:</p>
<blockquote>
<p>The attack code, written by security researcher Guido Landi was published on several security sites Wednesday, sending Firefox developers scrambling to patch the issue. Until the flaw is patched, this code could be modified by attackers and used to sneak unauthorized software onto a Firefox user&rsquo;s machine.</p>
</blockquote>
<p>Mozilla&rsquo;s Director of Security Engineering is calling this a critical issue and a fix is scheduled to be rolled out with a version update at the start of next week. These developers are calling this fix and the release of this update a &ldquo;high priority firedrill security update&rdquo;. Not sure about you but that kind of language sounds a little creepy.</p>
<p>No operating system that runs Firefox is spared on this one either, including Mac OS and Linux. Essentially the bug allows someone to plant a &ldquo;drive-by download&rdquo; of software by tricking a user into viewing an XML file that starts the process. This was also a public release of the hack so it makes it even more uncommon.</p>
<p>The PC World article doesn&rsquo;t wrap up with any words to make us feel any more secure though.</p>
<blockquote>
<p>While the public release of browser attack code doesn&rsquo;t happen all that often, security researchers don&rsquo;t seem to have much trouble finding bugs in browser software. Last week, two hackers at the CanSecWest security conference dug up four separate bugs in the Firefox, IE and Safari browsers.</p>
</blockquote>
<p>Maybe these things seem bigger in light of the bad economy because these types of concerns are every day events on the Internet. When times get bad, however, crime goes up historically and now there are more avenues for a new breed of criminal using technology to carry out their plans. Something tells me this may get a lot worse before it gets better.</p>
<p><a href="http://www.marketingpilgrim.com/2009/03/browsers-under-attack-more-and-more.html">Comments</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.webpronews.com/firefox-vulnerability-leaves-computers-open-to-attack-2009-03/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apple Bites Back At Critical DNS Flaw</title>
		<link>http://www.webpronews.com/apple-bites-back-at-critical-dns-flaw-2008-08</link>
		<comments>http://www.webpronews.com/apple-bites-back-at-critical-dns-flaw-2008-08#comments</comments>
		<pubDate>Fri, 01 Aug 2008 11:51:06 +0000</pubDate>
		<dc:creator>WebProNews Staff</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[BIND]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.webpronews.com/?p=46465</guid>
		<description><![CDATA[Apple took nearly a month after other major DNS system vendors to release a patch for a major vulnerability that has exploit code in the wild.
]]></description>
			<content:encoded><![CDATA[<p>Apple took nearly a month after other major DNS system vendors to release a patch for a major vulnerability that has exploit code in the wild.<br />
<span id="more-46465"></span>
<p>
Administrators for Apple systems running DNS will see a <a href=http://support.apple.com/kb/HT2647>patch</a> among the items arriving in a newly-released security update for their OS X operating system. The widely discussed cache poisoning flaw could cause a nameserver to return forged information to a system requesting it.</p>
<p>
Numerous major vendors met earlier in the year to discuss the problem with DNS. On July 8, Microsoft, Cisco, and others released a patch to address what has been described as the most serious flaw ever seen online.</p>
<p>
Exploit code quickly became available once a security researcher, Halvar Flake, speculated on the nature of the flaw. A security firm briefed on the flaw confirmed the hypothesis with a blog post they published and subsequently withdrew, unfortunately not before many witnessed that confirmation.</p>
<p>
If exploited, a cracked nameserver could redirect requests for websites to any site of the attacker&#8217;s choosing. Couple that with a well-forged financial site, and the criminal owns an easy way to steal personal information with no indication to the victim about the event.</p>
<p>
The BIND nameserver is turned off by default in OS X, limiting the scope of the vulnerability on the platform. But considering the deep roots OS X has in Unix-type operating systems, it seems strange the company took so long to follow the rest of the industry in patching DNS.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.webpronews.com/apple-bites-back-at-critical-dns-flaw-2008-08/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Adobe Posts Security Fix For Reader, Acrobat</title>
		<link>http://www.webpronews.com/adobe-posts-security-fix-for-reader-acrobat-2008-06</link>
		<comments>http://www.webpronews.com/adobe-posts-security-fix-for-reader-acrobat-2008-06#comments</comments>
		<pubDate>Tue, 24 Jun 2008 12:59:44 +0000</pubDate>
		<dc:creator>WebProNews Staff</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Acrobat]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[Reader]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.webpronews.com/?p=45981</guid>
		<description><![CDATA[A code injection vulnerability in Adobe Reader and Acrobat 8.1.2 required a quick fix amid reports of an exploit for it in the wild.
]]></description>
			<content:encoded><![CDATA[<p>A code injection vulnerability in Adobe Reader and Acrobat 8.1.2 required a quick fix amid reports of an exploit for it in the wild.<br />
<span id="more-45981"></span>
<p>
Users of Adobe&#8217;s Reader and Acrobat products will want to perform an update or upgrade today, depending on the software version they have in place. A <a href=http://www.adobe.com/support/security/bulletins/apsb08-15.html>JavaScript vulnerability</a> received a Critical rating from Adobe, meriting immediate attention.</p>
<p>
&#8220;This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system,&#8221; Adobe said in its security bulletin. &#8220;This update resolves an input validation issue in a JavaScript method that could potentially lead to remote code execution.&#8221;</p>
<p>
People on versions up to 8.1.2 of Reader and Acrobat may update their products with a security fix, currently available for download. Adobe recommended users of Acrobat and Reader 7 update those products to version 7.1.0.</p>
<p>
<a href=http://www.securityfocus.com/bid/29908>SecurityFocus</a> noted the Information Security Team of the Johns Hopkins University Applied Physics Laboratory picked up on the problem with Acrobat and Reader. Vulnerable Adobe products fail to adequately sanitize user input to prevent exploitation.</p>
<p>
Such sanitization issues have plagued websites all over the Internet. Their ease of exploitation makes them a favorite avenue of attack for malicious types, a problem exacerbated by failure to detect and update vulnerable products before exploits hit.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.webpronews.com/adobe-posts-security-fix-for-reader-acrobat-2008-06/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Firefox 3 Receives Early Vulnerability Report</title>
		<link>http://www.webpronews.com/firefox-3-receives-early-vulnerability-report-2008-06</link>
		<comments>http://www.webpronews.com/firefox-3-receives-early-vulnerability-report-2008-06#comments</comments>
		<pubDate>Thu, 19 Jun 2008 11:37:47 +0000</pubDate>
		<dc:creator>WebProNews Staff</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[TippingPoint]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.webpronews.com/?p=45923</guid>
		<description><![CDATA[Only a few hours after Mozilla kicked off its Firefox Download Day, leading to over 8 million downloads in 24 hours, someone discovered and reported a critical security flaw in the browser.
]]></description>
			<content:encoded><![CDATA[<p>Only a few hours after Mozilla kicked off its Firefox Download Day, leading to over 8 million downloads in 24 hours, someone discovered and reported a critical security flaw in the browser.<br />
<span id="more-45923"></span>
<p>
Those who have worked in the technology world for a few years likely share a similar view on adopting new products. The dot-zero release of software usually requires some type of fix or update, leading to an incremental release being necessary.</p>
<p>
Unfortunately that&#8217;s going to prove true for Mozilla. Their <a href=http://www.webpronews.com/topnews/2008/06/18/firefox-3-easily-exceeds-download-record>quest for a world record</a> in downloads in a 24-hour period looks secure. The browser does not share that same security.</p>
<p>
<a href=http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30>TippingPoint</a> splashed cold water on the Firefox debut, as it disclosed the existence of a critical flaw in the new version of Firefox, as well as Firefox 2. If exploited, the flaw would permit remote execution of arbitrary code.</p>
<p>
&#8220;We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after,&#8221; said TippingPoint. They cited past, positive experience with Mozilla addressing security issues and expect this one to receive swift attention and resolution.</p>
<p>
Though no details about the flaw will be made available until a patch has been released, TippingPoint did say the exploit would require user interaction, as is typical in browser flaws. Internet users should use the usual caution when confronted with an unfamiliar link, especially in email spam.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.webpronews.com/firefox-3-receives-early-vulnerability-report-2008-06/feed</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>Word Users, Prepare For Critical Update</title>
		<link>http://www.webpronews.com/word-users-prepare-for-critical-update-2008-05</link>
		<comments>http://www.webpronews.com/word-users-prepare-for-critical-update-2008-05#comments</comments>
		<pubDate>Thu, 08 May 2008 22:41:36 +0000</pubDate>
		<dc:creator>WebProNews Staff</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Word]]></category>

		<guid isPermaLink="false">http://www.webpronews.com/?p=45382</guid>
		<description><![CDATA[Microsoft's monthly patch release schedule includes a Critical fix for an issue in their Office program, Word, and two other fixes rated the same.
]]></description>
			<content:encoded><![CDATA[<p>Microsoft&#8217;s monthly patch release schedule includes a Critical fix for an issue in their Office program, Word, and two other fixes rated the same.<br />
<span id="more-45382"></span>
<p>
The day known as Patch Tuesday rides again on May 13th, when Microsoft issues whatever current patches they have ready to address flaws in the components of their widely used operating system and other programs.</p>
<p>
An <a href=http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx>Advance Bulletin</a> for this month&#8217;s edition cited three upcoming Critical fixes to be released next Tuesday. Along with Word, Microsoft Publisher, and the Jet database engine receiving Critical updates, Microsoft&#8217;s various security programs have a Moderate-rated flaw that could result in a denial of service condition.</p>
<p>
Critical flaws pose the most headaches for system administrators. If exploited, this class of vulnerabilities could leave a system open to remote code execution. Since such code execution likely would be malicious, admins tend to want these holes closed as fast as possible.</p>
<p>
It&#8217;s even more important today to apply patches as quickly as possible after they have been released. Criminals see the same bulletins and some try to create exploits against those flaws, in the hopes of hitting a vulnerable system before it has a patch applied to close the hole.</p>
<p>
The time frame for exploit creation gets smaller and smaller. With profit being a huge motivation for co-opting a system, to possibly steal valuable login credentials to various websites, the existing patch model used by Microsoft and other software companies may need to change to ensure the security of their products and their customers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.webpronews.com/word-users-prepare-for-critical-update-2008-05/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Warns On Exploit Affecting Word</title>
		<link>http://www.webpronews.com/microsoft-warns-on-exploit-affecting-word-2008-03</link>
		<comments>http://www.webpronews.com/microsoft-warns-on-exploit-affecting-word-2008-03#comments</comments>
		<pubDate>Sat, 22 Mar 2008 18:40:14 +0000</pubDate>
		<dc:creator>WebProNews Staff</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Jet Database Engine]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Word]]></category>

		<guid isPermaLink="false">http://www.webpronews.com/?p=44655</guid>
		<description><![CDATA[An indirect threat to several versions of Word via the Microsoft Jet Database Engine emerged as zero-day attacks began against the exploit.
]]></description>
			<content:encoded><![CDATA[<p>An indirect threat to several versions of Word via the Microsoft Jet Database Engine emerged as zero-day attacks began against the exploit.<br />
<span id="more-44655"></span>
<p>
Microsoft cited limited, targeted attacks affecting the vulnerability in Jet Database Engine, saying the exploits are not widespread. Users of Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, Bill Sisk said on the <a href=http://blogs.technet.com/msrc/archive/2008/03/21/msrc-blog-microsoft-security-advisory-950627.aspx>Microsoft Security Response Center blog</a>.</p>
<p>
&#8220;Our initial investigation has shown that this vulnerability affects customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007 and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1,&#8221; said Sisk.</p>
<p>
In the formal advisory about the <a href=http://www.microsoft.com/technet/security/advisory/950627.mspx>Jet issue</a>, Microsoft noted the attack requires user interaction:</p>
<blockquote style=background-color:#c2dfff;><p><i>Current attacks require customers to take multiple steps in order to be successful; we believe the risk to be limited.</p>
<p>In a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. </p>
<p>An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker&#8217;s site.</i></p></blockquote>
<p>
As we regularly suggest at <a href=http://www.securitypronews.com>SecurityProNews</a>, avoid the temptation to visit links or open files delivered in email from unknown or suspicious senders. Microsoft, meanwhile, urges people to report security issues to it directly, rather than publicizing them and laying the groundwork for zero-day exploits.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.webpronews.com/microsoft-warns-on-exploit-affecting-word-2008-03/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

