Security Intelligence Blog

We have recently disclosed a new vulnerability to the Android Security Team. The vulnerability affected many apps, including Settings (the one that is found on every Android device), Gmail, Google Now, DropBox and Evernote. To be more accurate, any App which extended the PreferenceActivity class using an exported activity was automatically vulnerable. A patch has been provided in Android KitKat. If you wondered why your code is now broken, it is due to the Android KitKat patch which requires applications to override the new method, PreferenceActivity.isValidFragment, which has been added to the Android Framework.

Something only the user knows. Most of us have encountered Knowledge Based Authentication (KBA), though we might not have realized it had a name. Think back to a time when… read more →

So it is finally patch Tuesday today! Last two weeks have been quite busy as we all heard about targeted and not targeted attacks exploiting 0 day vulnerabilities. As usual we will share some highlights of the MS Security Bulletin.

As a new addition to our securityintelligence.com site we will begin to more regularly feature threat analysis from IBM’s Managed Security Services organization.  This team operates a 24/7 Security Operations… read more →

How is it that malware can differentiate between being run on real hardware vs being run inside a (system) virtual machine? How exactly do some malware behave differently on real hardware (a bare metal computer system if you will) compared to a virtual machine in order to fight against malware analysis?

OBAD has been agreed upon to be one of the most sophisticated piece of android malware and you can find various analysis on the web. In this series we will take it apart together and learn about its functionality and various techniques that it uses to gain more power, avoid removal and making analysis harder.

When talking about web based threats like watering holes and drive by downloads, browser security is the critical layer that keeps your computer running clean. Still, there are times when zero-day and unknown vulnerabilities can wreak havoc before vendor patches are available.

With the release of Internet Explorer 10 in Windows 8, an improved version of IE’s Protected Mode sandbox, called Enhanced Protected Mode (EPM), was introduced. With the use of the new AppContainer process isolation mechanism introduced in Windows 8, EPM aims to further limit the impact of a successful IE compromise by limiting both read and write access and limiting the capabilities of the sandboxed IE process.

The Microsoft security update for October 2013 patches 26 vulnerabilities in 8 bulletins, with 4 rated ‘Critical’ and the rest ‘Important’. Of the 26 vulnerabilities, 17 resides in the IE (MS13-080) and kernel (MS13-081)

What are some of the things malware authors have to fight against to maintain this coveted FUD (Fully Undetectable) status and what are some of the strategies they employ? The longer the malware perpetrators can delay detection of their malware by security products, the longer they can keep reaping their ill gotten gains from infiltrating their victims.