NYU Wordpress Theme

Android Text Message (MMS) Vulnerability

A vulnerability which could allow an attacker to take control of any Android device that can receive text messages (phones, and some tablets with cellular service (AT&T, T-Mobile, Verizon, etc)) has been discovered. The vulnerability requires no interaction on behalf of the user, which would allow them to take control of the device, compromising any data stored on it. Combined with other vulnerabilities, this may also allow an attacker to compromise any accounts which are accessed by the device (email, Facebook, banking, etc).

This vulnerability is caused by Google Hangouts, and a flaw in the “Stagefright” media player component. Hangouts, when enabled, automatically processes media files in MMS (text) messages. If a malicious media file is sent to an Android device, Hangouts will read the attached media file, and Stagefright will execute the malicious code embedded.

Google has put out a patch for this flaw in its updates to supported versions of Android, but Google does not directly support most Android devices, which rely on their manufacturers for software support (e.g Samsung, HTC, LG, etc). Recent versions of the Nexus line of devices as well as “Google Play” variants of some phones which are directly supported by Google, devices running the Cyanogenmod version of Android (such as the Oppo OnePlus line), and the security based company, Silent Circle with their “Blackphone” product have already issued patches.

Threat Mitigation:

  1. To help secure your device and prevent the flaw from impacting you, you can disable automatic MMS processing in Google Hangouts by doing the following:
  2. Open Google Hangouts on your Android device
  3. Go to the menu, and click on Settings.
  4. Click “SMS” and scroll down until you see “Auto retrieve MMS.”
  5. If the box is checked, uncheck it, otherwise leave it unchecked. Once unchecked, you can close the settings window, and you should be safe from automated attacks
    1. If the item is greyed out but checked, then you will need to change your settings to briefly allow Hangouts to be your default SMS application.
    2. Go to the top of the Settings menu and locate “SMS disabled.” Click it, and allow it to become your default SMS handling application.
    3. Scroll back down, locate the “Auto retrieve MMS” option, and uncheck it.
    4. Now go back up, click to make Hangouts not be your default messaging application again (only do this if it was not your default application before).
    5. Scroll down in the menu presented and locate “Default messaging app.” Click it, then choose the application you were using before. You should typically only have two or three options on the list.

NOTE: Implementing this workaround does not patch the vulnerability. If you open a text message with a malicious media file and do not have the patch from Google installed, your system can still be compromised. As with emails from unknown sources, do not open text messages containing media files (attachments) from unknown numbers.

Technical Details:

The Stagefright exploit is a result of seven separate bugs in the media player component, which are

detailed in the following Google bug logs:

  • CVE-2015-1538,
  • CVE-2015-1539,
  • CVE-2015-3824,
  • CVE-2015-3826,
  • CVE-2015-3827,
  • CVE-2015-3828,
  • CVE-2015-3829

For more details, you can visit Sophos Labs’ Naked Security blog here:

https://nakedsecurity.sophos.com/2015/07/28/the-stagefright-hole-in-android-what-you-need-to- know/


Critical Microsoft Patch for Adobe OpenType Manager Library

This week, several previously unidentified critical vulnerabilities in a common component of all supported versions of Microsoft Windows were announced. The flaw is in the Adobe OpenType Manager Library. These flaws were found as a result of the infiltration of an Italian spyware making firm, and have been confirmed by Microsoft. In an unusual step, Microsoft has released a patch for these flaws between their usual patch release date, the second Tuesday of the month.

If you have Automatic Updates enabled in your version of Windows, you need not take any action regarding this vulnerability. The patch will automatically be applied, and you should simply reboot your computer at your earliest opportunity. If you have for some reason disabled Automatic Updates, then you should run Windows Update as soon as possible. To update, simply locate your Search bar, type in “update” without the quotes, and then click on Windows Update. Follow the prompts to install any available updates, and reboot when prompted.

For more information on this vulnerability, you may read the article at this link:

http://www.update.microsoft. com/windowsupdate/v6/thanks. aspx?ln=en&&thankspage=5

IT Managers may read Microsoft’s detailed description at the following link:

https://technet.microsoft.com/ library/security/MS15-078

As a reminder, Microsoft no longer supports versions of Windows older than Vista (i.e., Windows 95, 98, 2000, ME, and XP). If you are still using a version of Windows that is unsupported by Microsoft, these vulnerabilities, as well as any newly discovered ones going forward will remain unpatched. NYU TSS strongly recommends that you upgrade your operating system immediately by purchasing a new version of Windows or a new computer.