Mobile Security Apps Patch Holes

Wednesday, September 9, 2015 @ 02:09 PM gHale

Avira and Webroot patched their mobile security applications for iOS to address vulnerabilities that could lead to man-in-the-middle (MitM) attacks.

There is an SSL certificate hole in Webroot Mobile Protection for iOS, said security researcher David Coomber, who discovered the vulnerability. The app, part of the SecureAnywhere Business suite, provides essential security for iPhones and iPads, and includes features that allow IT teams to manage and secure their mobile workforce from a central console.

Webroot Mobile Protection versions 1.10.316 and prior don’t validate the SSL certificates received when connecting to secure websites, Coomber said in an advisory.

This could allow an MitM attacker to inject a rogue SSL certificate into the victim’s session and silently intercept usernames, passwords, and other sensitive information.

The vulnerability was reported to Webroot on August 2 and patched on August 31 with the release of Webroot Mobile Protection 1.11.

Coomber has identified a similar vulnerability in Avira Mobile Security for iOS, an app designed for email protection and lost device recovery.

Avira Mobile Security versions 1.5.7 and prior send login information via an HTTP POST request. This allows an MitM attacker to capture usernames, passwords and other sensitive information.

Coomber said the password is hashed, but because the hashing uses the MD5 algorithm, it’s easy for a malicious hacker to crack the password.

The researcher reported the flaw to Avira on July 17 and the security firm patched it on September 3 with the release of Avira Mobile Security 1.5.11.
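
An added example, not taken from the article or from Coomber's advisory: a check a reviewer could run over proxy captures of an app's own traffic to flag the two Avira issues described above, credentials sent over plain HTTP and a password value shaped like a bare MD5 digest. The host, paths, field names and captures are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed field names; adjust to the app under review.
USER_FIELDS = {"user", "username", "email", "login"}
PASSWORD_FIELDS = {"pass", "passwd", "password", "pwd"}
# 32 hex characters is the shape of a bare MD5 digest (a heuristic, not proof).
MD5_SHAPED = re.compile(r"[0-9a-fA-F]{32}")


def audit_request(url, body=""):
    """Return findings for one captured form-encoded request."""
    parts = urlsplit(url)
    # Credentials may travel in the query string or in the POST body.
    fields = parse_qsl(parts.query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    creds = [(k.lower(), v) for k, v in fields
             if k.lower() in USER_FIELDS | PASSWORD_FIELDS]
    if not creds:
        return []
    findings = []
    if parts.scheme.lower() != "https":
        # Anything sent here is readable and replayable by an on-path observer.
        findings.append("cleartext-credentials")
    for name, value in creds:
        if name in PASSWORD_FIELDS and MD5_SHAPED.fullmatch(value):
            # A client-side hash is the password as far as the server is
            # concerned; it does not replace TLS or a salted, slow server-side KDF.
            findings.append("md5-shaped-" + name)
    return findings


# Constructed captures: host, paths and field names are hypothetical.
_DIGEST = hashlib.md5(b"example-password").hexdigest()
SAMPLE_CAPTURES = [
    ("http://api.example.test/login", "email=a%40example.test&password=" + _DIGEST),
    ("https://api.example.test/login", "email=a%40example.test&password=s3cret"),
    ("http://api.example.test/ping", "device=ios"),
]

if __name__ == "__main__":
    for url, body in SAMPLE_CAPTURES:
        print(url, audit_request(url, body) or "ok")
```

Only the first constructed capture is flagged; the HTTPS login and the request without credential fields come back clean.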


