Enterprise Mobility Report 12/2014
Creation date: 4.1.2015
Author: Vlastimil Turzík
Enterprise Mobility Report
December 2014
Content
Content ....................................................................................................................... 2
Introduction ................................................................................................................. 3
iOS ............................................................................................................................. 3
Vulnerability ............................................................................................................ 3
Android ....................................................................................................................... 3
Vulnerability ............................................................................................................ 3
Android devices vulnerable to new Trojan ........................................................... 3
CVE-2014-7911 ................................................................................................... 3
CVE-2014-8507 ................................................................................................... 4
CVE-2014-8609 ................................................................................................... 4
CVE-2014-8610 ................................................................................................... 4
Fakedebuggerd vulnerability ............................................................................... 4
Blackberry................................................................................................................... 5
Vulnerability ............................................................................................................ 5
BlackBerry response to reports of tethered jailbreak vulnerabilities .................... 5
Windows Phone.......................................................................................................... 5
Vulnerability ............................................................................................................ 5
System4u s.r.o.
Křížová 18, 603 00, Brno
Czech Republic
Tel.: +420 543 210 522
E-mail: [email protected]
www.system4u.cz
IČ: 26945231, DIČ: CZ26945231
Registered in the Commercial Register kept by the Regional Court in Brno, Section C, Insert 47320.
Introduction
This is the public version of System4u's Enterprise Mobility report. Here you can find news
about the security of the iOS, Android, BlackBerry and Windows Phone operating systems. We
also cover the EMM solution MobileIron in this report; other EMM solutions will follow in the future.
The full version of the report is issued to our customers and subscribers. There you can find not only
the security news, but also interesting articles, links from the enterprise mobility world
and recommendations to mitigate the vulnerabilities.
iOS
Vulnerability
No vulnerabilities this month.
Android
Vulnerability
Android devices vulnerable to new Trojan
Cyber security researchers have alerted Android-based smartphone users to an
infectious Trojan which steals vital information from the personal device and can
even illegally send SMS messages to those in the phone's contact list. The malware has
been identified as 'Android/SmsSend' and it can take on as many as four aliases to
hoodwink the user and carry out its destructive activities on a personal Android
phone. "Android/SmsSend is a premium service abuser malware family that
arrives bundled with legitimate Android applications and infects Android-based smart
phones. Once infected, it sends text messages (typically with a link to itself or a
different threat) to a specific number, typically to numbers on the contact list, and is also
capable of sending SMS to premium rate numbers."
CVE-2014-7911
Site: https://web.nvd.nist.gov
luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream
implementation in Android before 5.0.0 does not verify that deserialization will result in
an object that met the requirements for serialization, which allows attackers to execute
arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel
within an intent sent to system_service, as demonstrated by the finalize method of
android.os.BinderProxy, aka Bug 15874291.
CVE-2014-8507
Site: https://web.nvd.nist.gov
Multiple SQL injection vulnerabilities in the queryLastApp method in
packages/WAPPushManager/src/com/android/smspush/WapPushManager.java in
the WAPPushManager module in Android before 5.0.0 allow remote attackers to
execute arbitrary SQL commands, and consequently launch an activity or service, via
the (1) wapAppId or (2) contentType field of a PDU for a malformed WAPPush
message, aka Bug 17969135.
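The two fields named above come straight from the incoming WAP push PDU, so any query that splices them into SQL text is attacker-controlled. The following is an added example, not the report's nor AOSP's code, of a lookup keyed by those two fields in both forms: the concatenated WHERE clause that is injectable, and the parameterized query that is not. The table and column names, the package mapping and the sample PDU values are constructed for the example; it uses the Android SQLiteDatabase API and therefore runs only on Android.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Added example (not from the report or AOSP): mapping a WAP push PDU's
// application id and content type to the package that should handle it.
public final class WapPushAppLookup {

    static final String TABLE = "wap_push_apps";                // constructed
    static final String COL_APP_ID = "x_wap_application_id";    // constructed
    static final String COL_CONTENT_TYPE = "content_type";      // constructed
    static final String COL_PACKAGE = "package_name";           // constructed

    // VULNERABLE: the PDU fields become part of the SQL text, so a quote
    // character in either of them changes the meaning of the statement.
    static String lookupVulnerable(SQLiteDatabase db, String wapAppId, String contentType) {
        String where = COL_APP_ID + "='" + wapAppId + "' AND "
                     + COL_CONTENT_TYPE + "='" + contentType + "'";
        try (Cursor c = db.query(TABLE, new String[] {COL_PACKAGE}, where, null, null, null, null)) {
            return c.moveToFirst() ? c.getString(0) : null;
        }
    }

    // FIXED: the fields travel as bound parameters; SQLite never parses them as SQL.
    static String lookupSafe(SQLiteDatabase db, String wapAppId, String contentType) {
        String where = COL_APP_ID + "=? AND " + COL_CONTENT_TYPE + "=?";
        String[] args = { wapAppId, contentType };
        try (Cursor c = db.query(TABLE, new String[] {COL_PACKAGE}, where, args, null, null, null)) {
            return c.moveToFirst() ? c.getString(0) : null;
        }
    }

    // Demo on an in-memory database with one constructed row.
    static String demo() {
        SQLiteDatabase db = SQLiteDatabase.create(null);
        db.execSQL("CREATE TABLE " + TABLE + " (" + COL_APP_ID + " TEXT, "
                 + COL_CONTENT_TYPE + " TEXT, " + COL_PACKAGE + " TEXT)");
        db.execSQL("INSERT INTO " + TABLE + " VALUES (?, ?, ?)",
                new Object[] {"x-wap-application:mms.ua", "application/vnd.wap.mms-message", "com.example.mms"});

        // A well-formed PDU resolves to the constructed package.
        String found = lookupSafe(db, "x-wap-application:mms.ua", "application/vnd.wap.mms-message");
        // A malformed PDU with a stray quote simply matches nothing; the vulnerable
        // variant would instead hand that quote to the SQL parser.
        String none = lookupSafe(db, "x-wap-application:mms.ua'", "application/vnd.wap.mms-message");
        db.close();
        return found + " / " + none;
    }
}
```

The same rule applies to rawQuery: pass the values in selectionArgs and keep the SQL string constant.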
CVE-2014-8609
Site: https://web.nvd.nist.gov
The addAccount method in
src/com/android/settings/accounts/AddAccountSettings.java in the Settings
application in Android before 5.0.0 does not properly create a PendingIntent, which
allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary
component, action, or category information via a third-party authenticator in a crafted
application, aka Bug 17356824.
CVE-2014-8610
Site: https://web.nvd.nist.gov
AndroidManifest.xml in Android before 5.0.0 does not require the SEND_SMS
permission for the SmsReceiver receiver, which allows attackers to send stored SMS
messages, and consequently transmit arbitrary new draft SMS messages or trigger
additional per-message charges from a network operator for old messages, via a
crafted application that broadcasts an intent with the
com.android.mms.transaction.MESSAGE_SENT action, aka Bug 17671795.
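CVE-2014-8609 and CVE-2014-8610 are two faces of the same mistake: an intent endpoint that does not pin down who may fill it in or who may trigger it. The following is an added example, not the report's nor AOSP's code, that shows each weak pattern next to its hardened form. The receiver class and the action string are constructed for the example; the APIs are standard Android ones (FLAG_IMMUTABLE exists from API 23 onward), so the code runs only on Android.

```java
import android.Manifest;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

// Added example (not from the report or AOSP): pinning intent endpoints.
public final class IntentHardening {

    static final String ACTION_SENT = "com.example.mms.MESSAGE_SENT"; // constructed

    // CVE-2014-8609 pattern. VULNERABLE: the base Intent is empty, so whoever is
    // handed this PendingIntent can supply component, action and category when
    // sending it, and the system broadcasts the result with the creator's identity.
    static PendingIntent callbackVulnerable(Context ctx) {
        return PendingIntent.getBroadcast(ctx, 0, new Intent(), 0);
    }

    // FIXED: an explicit component fixes the target, and FLAG_IMMUTABLE stops the
    // holder from changing any field of the intent at send time.
    static PendingIntent callbackSafe(Context ctx) {
        Intent base = new Intent(ctx, ResultReceiver.class).setAction(ACTION_SENT);
        return PendingIntent.getBroadcast(ctx, 0, base, PendingIntent.FLAG_IMMUTABLE);
    }

    // Constructed receiver for delivery results.
    public static final class ResultReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            // Handle the delivery result for ACTION_SENT only.
        }
    }

    // CVE-2014-8610 pattern. VULNERABLE: no broadcastPermission, so every app on
    // the device can deliver ACTION_SENT and drive whatever the handler does.
    static void registerVulnerable(Context ctx, BroadcastReceiver r) {
        ctx.registerReceiver(r, new IntentFilter(ACTION_SENT));
    }

    // FIXED: only a sender holding SEND_SMS may deliver the broadcast.
    static void registerSafe(Context ctx, BroadcastReceiver r) {
        ctx.registerReceiver(r, new IntentFilter(ACTION_SENT), Manifest.permission.SEND_SMS, null);
    }
}
```

For a receiver declared statically, the equivalent of registerSafe is the attribute android:permission="android.permission.SEND_SMS" on its receiver element in AndroidManifest.xml, which is the protection the description above says was missing.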
Fakedebuggerd vulnerability
A new 'Fakedebuggerd' vulnerability in all versions of Android OS up to Lollipop gives
attackers root access.
This new vulnerability allows potential attackers to gain root access, install files,
escalate privileges on smartphones and tablets running Android OS and run
malicious code at will. Fakedebuggerd targets Android 4.x devices.
Blackberry
Vulnerability
BlackBerry response to reports of tethered jailbreak vulnerabilities
Site: www.blackberry.com
This security notice addresses publicly disclosed vulnerabilities affecting Qualcomm®-based
BlackBerry OS 7.1 and earlier devices (identified below). BlackBerry® is
diligently working to investigate the vulnerabilities and to determine how best to
mitigate customer risk. Investigations are still ongoing, but can confirm that BlackBerry
products are impacted by these vulnerabilities. We may update this security notice if
new information becomes available.
Windows Phone
Vulnerability
No vulnerabilities this month.