{"id":6101,"date":"2015-08-13T08:35:43","date_gmt":"2015-08-13T12:35:43","guid":{"rendered":"https:\/\/kasperskydaily.com\/uk\/?p=6101"},"modified":"2017-11-08T07:39:03","modified_gmt":"2017-11-08T07:39:03","slug":"security-week-digest-32","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/security-week-digest-32\/6101\/","title":{"rendered":"Security Week 32: Android Stagefright, new car hacks, Do Not Track 2.0"},"content":{"rendered":"

Merely 23 years ago Microsoft released Windows 3.1 operating system<\/s>, Apple showed its first iPhone<\/s> PDA, and Linus Torvalds released Linux under GNU license. Eugene Kaspersky published the book with a detailed description of next to all known at that time virii and methods of their removal, among them \u2014 by using the program known then as -V. The threat landscape then wasn\u2019t a big deal: all virii could be described in a relatively small book, and even over the next couple of years it was quite relevant.<\/p>\n

\"The<\/a>

The Complete \u0421atalogue of Malware, written by Eugene Kaspersky in 1992<\/p><\/div>\n

Those were good times. Now we have 325,000 new malware pieces arriving daily, and the industry on almost a weekly basis faces new proofs of system-wide security failures \u2014 from cars and skateboards to nuclear power plants. This is both bad and good at the same time: the more people who think of security of their data, business and their own lives, which is dependent on computers these days, the more chances are there things will turn to the better.<\/p>\n

And now, lean back and relax, watch the things going on. Moving forward, each Monday we\u2019re going to present the three most important news with extensive commentary and trolling. The stories will be hand-picked from Threatpost and Kaspersky Daily.<\/p>\n

Stagefright: an Android flaw that hasn\u2019t changed anything yet<\/h3>\n

The Threatpost story. Google\u2019s feedback. CERT Advisory. The Kaspersky Daily advice on how to prevent this vulnerability.<\/p>\n

Wired calls it one of the \u201cworst Android vulnerabilities discovered to date,\u201d but it is wrong: it can be worse. The main difference of this flaw from, say, Heartbleed and Shellshock, is that there was no need to invent a fancy name, Stagefright is an Android engine for audio and video playback, a part of Android Open Source Project. Technically, it is an entire set of vulnerabilities (the Zimperium experts who discovered this reserved seven IDs at CVE base), mostly related to buffer overflow.<\/p>\n

\"infosec-digest-33-stagefright\"<\/a><\/p>\n

The engine\u2019s task is to play back various sounds and videos, and as ZDNet mentioned, it is tailored in a way to be ready to play the video \u201cbefore you even think about watching it.\u201d For some mysterious reason all these tasks are sometimes performed at \u201cGod\u201d access level. The reasons, actually, are not too mysterious: it was easier to code it that way. Regardless, it was quite easy to escape the Android\u2019s sandbox, prepared specifically for the tricks like these.<\/p>\n

\n

95% of #Android<\/a> phones can be hacked with one just #MMS<\/a>, millions at risk https:\/\/t.co\/BJg5e7ss8N<\/a> #infosec<\/a> pic.twitter.com\/DGBSkhQdDo<\/a><\/p>\n

\u2014 Kaspersky (@kaspersky) August 4, 2015<\/a><\/p><\/blockquote>\n