Category: IT Security

Own an Android smartphone? Beware, as just an innocuous-looking image on social media or messaging app could compromise your smartphone.

Along with the dangerous

Quadrooter vulnerabilities

that affected 900 Million devices and other previously disclosed issues, Google has

patched

a previously-unknown critical bug that could let attackers deliver their hack hidden inside an innocent looking image via social media or chat apps.

In fact, there is no need for a victim to click on the malicious photo because as soon as the image’s data was parsed by the phone, it would quietly allow a remote attacker to take control over the device or simply crash it.

The vulnerability is similar to last year’s

Stagefright bug

(

exploit code

) that allowed hackers to hijack Android devices with just a simple text message without the owners being aware of it.

The Stagefright flaw affected more than

950 Million Android devices

and resided in the core Android component Stagefright — a multimedia playback library used by Android to process, record and play multimedia files.

However, the recent vulnerability (

CVE-2016-3862

) resided in the way images used by certain Android applications parsed the Exif data in an image, SentinelOne’s

Tim Strazzere

, the researcher who uncovered the vulnerability, told

Forbes

.

Any app using Android’s Java object ExifInterface code is likely vulnerable to the issue.

An Image Received…? Your Game is Over

Making a victim open the image file within an affected app like Gchat or Gmail, a hacker could either cause a victim’s phone to crash or remotely execute malicious code to inject malware on the phone and take control of it without victim’s knowledge.

“Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone,” Strazzere said. “Once that application attempts to parse the image (which was done automatically), the crash is triggered.”

According to Strazzere, attackers could develop a simple exploit inside an image to target a large number of vulnerable Android devices.

Strazzere crafted exploits for the affected devices and found that it worked on Gchat, Gmail and most other messenger and social media apps, though he did not disclose the names of the other non-Google apps affected by the flaw.

When will I expect a Fix?

All versions of Google’s operating system from Android 4.4.4 to 6.0.1 are vulnerable to the image-based hack, except today’s update that fixed the vulnerability.

The researcher even successfully tested his exploits on a handful of phones running Android 4.2 and Amazon devices and found that the devices remain unpatched, leaving a large number of users of older Android devices exposed.

So, if you are not running an updated version of operating system and/or device, you probably are vulnerable to the image-based attack.

Google has

delivered a patch

to fix the issue, but given the shaky history of handset manufacturers and carriers rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices.

Google rewarded Strazzere with $8,000 as part of the company’s Android bug bounty program.

As promised at the Black Hat and Def Con security and hacking conferences, Offensive Security – the creators of Swiss army knife for researchers, penetration testers, and hackers – has finally released the much awaited Kali Linux 2016.2.

Kali Linux is an open-source Debian-based Linux distribution designed to help ethical hackers and security professionals with a wide range of tools for penetration testing, forensics, hacking and reverse engineering together into a single package.

Earlier the Kali Linux distribution was known as

BackTrack

.

Kali Linux 2016.2 is an updated Live ISO image of the popular GNU/Linux distribution that includes the latest software versions and enhancements for those who want to deploy the operating system on new systems.

What’s new?

Besides bringing the updated Live ISOs of Kali Linux, the Kali Linux team brings multiple variants of the GNU/Linux distribution with various Desktop Environments, specifically KDE, Xfce, MATE, LXDE, and Enlightenment – all available only for 64-bit platforms.

What’s even more exciting is that, from Kali Linux 2016.2 onwards, the team promises to release updated Live ISO images of Kali with new software versions and the latest security patches every week.

Since Kali Linux has been the most advanced and widely used distro for penetration testing and forensics, this weekly update has come up as exciting news for those involved in various hacking and security-related projects.

It’s been several months since the last update to the official Kali Linux Live ISOs, and there are a few hundred new or updated packages pushed to the Kali repositories.

This means that the packages incorporated in the previous Kali Linux ISOs need bug fixes and OS improvements, which are implemented in the most recent versions of the Linux distro.

"Since our last release several months ago, there’s a few hundred new or updated packages which have been pushed to the Kali reports," the Kali Linux team’s announcement reads. "This means that anyone downloading an ISO even 3 months old has somewhat of a long ‘apt-get dist-upgrade’ ahead of them."

You can download the latest

Kali Linux 2016.2 ISOs

from its official website now. The Kali Linux team has also promised to bring a lot of exciting announcements in the next few weeks, so keep an eye on its announcements for the latest updates.