In brief: Android security updates, FireEye hushes infosec bod, Feds blab UK school IT vuln
Bits and pieces you may have missed
Vulture nybbles: Google has emitted its first monthly batch of security updates for the latest version of Android – as promised in early August.
The web giant vowed to regularly release fixes for vulnerabilities after it was rocked by the Stagefright bug that affected potentially hundreds of millions of devices.
The first patch batch is detailed in this mailing-list post here, dated September 9, and new builds of Android 5.1.1 are available now for Nexus handhelds.
The following bugs have been squished in the update:
The Google team wrote:
We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process (Build LMY48M). The updates for Nexus devices and source code patches for these issues have also been released to the Android Open Source Project (AOSP) source repository. The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device.
We have not detected customer exploitation of the newly reported issues. The exception is the existing issue (CVE-2015-3636).
Please note that both Critical security updates (CVE-2015-3864 and CVE-2015-3686) address already disclosed vulnerabilities. There are no newly disclosed Critical security vulnerabilities in this update. We encourage all customers to accept these updates to their devices.
Google stresses that Android features various mitigations – such as Address Space Layout Randomization (ASLR) and SafetyNet – that should thwart attacks by malware, although it must be said, these are not infallible, so patch if you can. If you don't have a Nexus gadget running Android 5.x, bug your carrier and device manufacturer for an update.
FireEye slaps gagging order on security research team
Security biz FireEye slapped an injunction on a German infosec outfit that was about to reveal details of vulnerabilities in FireEye's anti-hacker products.
Felix Wilhelm of ERNW was set to give the lowdown on flaws in the webMPS software in FireEye's NX gear at the 44Con cybersecurity conference in London this week, but part of his presentation was censored as a result of the gagging order.
A paper detailing the vulnerabilities can be found here [PDF] and was published this month by ERNW. The document was redacted at the request of FireEye after the researchers contacted the IT giant to share their work and get the bugs fixed.
After some discussions back and forth, FireEye went to a court in Hamburg, Germany, to obtain an injunction ordering Wilhelm to not reveal any extra information about the webMPS flaws in London on September 10.
"Let me state here that we fully understand FireEye’s desire to protect their intellectual property, and of course we adhere to the respective laws," ERNW's Enno Rey wrote in a blog post about the debacle on Thursday.
"It’s just ... we never had the intention to violate that anyway, and we had abided by (both virtual and physical) handshake several times that nothing would be published without mutual agreement. We thought we were on the same track."
On Friday, FireEye published a lengthy article on its website laying out its side of the story. "You may have seen some headlines in the week that FireEye sued a research group, ERNW, in response to a vulnerability disclosure. These reports are flat out wrong, and we wanted to clarify how this was handled," the company stated.
"FireEye cooperated with ERNW on the public release of the vulnerabilities, giving credit to ERNW. In addition to this, ERNW decided to release its own report on the vulnerabilities. We asked to review the report and coordinate with them on the release.
"During this review, we called out that the report contained sensitive FireEye intellectual property and trade secrets and ask that this information be removed."
FireEye claims it had to get an injunction after seeing its intellectual property cropping up again and again in drafts of ERNW's report and presentation slides. ERNW insisted: "We do not plan to publish any technical information besides the report (agreed upon with FireEye themselves) and the slides (based on the former)."
What a mess.
US Homeland Security reveals details of Brit school IT flaw
Remember Impero, the British maker of software aimed at school IT admins? Its Education Pro product allows staff to remotely control and monitor PCs in classrooms and labs.
Back in July, someone called Slipstream went public with details of a rather embarrassing vulnerability in the code that allowed him to log into systems using a hardcoded password.
Impero responded by threatening to sue Slipstream for copyright infringement by revealing the inner workings of the software. Slip responded by yanking his research off GitHub and Twitter.
Now the US Department of Homeland Security's Computer Emergency Readiness Team (CERT) has posted full details of the design flaw under the heading: Impero Education Pro classroom management software vulnerable to remote code execution.
Good luck cease'n'desisting Uncle Sam.
An American physics professor accused by the FBI of sending confidential blueprints for semiconductor lab equipment to China has had all charges against him dropped – after it turned out the schematics he supposedly leaked did not detail said equipment. An inventor of the lab gear even testified that the blueprints had nothing to do with the equipment. ®