Wednesday 14 January 2015

Over 930M Android users in danger as Google stops delivering critical patches


Nearly a billion of Android users - over half of the total number of worldwide users - are in danger of being targeted by cyber attackers exploiting vulnerabilities in WebView, as Google has decided not to provide security patches for the core component used in pre-KitKat (v4.4) versions of the mobile OS.

WebView is the component that displays web pages on an Android device without the user needing to open another app to do it. Android KitKat and later versions of the OS have been equipped with a newer, Chromium-based version of WebView, which will continue to be updated by Google.

Google's decision not to update the pre-4.4 WebView component was discovered by Rapid7 researchers when they flagged a new vulnerability affecting it to Google. The company responded that if the affected version is pre-4.4, it no longer develops patches for it itself, but still welcomes patches delivered with the report for consideration, which it then shares with OEMs.

"Google's reasoning for this policy shift is that they 'no longer certify 3rd party devices that include the Android Browser,' and 'the best way to ensure that Android devices are secure is to update them to the latest version of Android.' To put it another way, Google's position is that Jelly Bean devices are too old to support - after all, they are two versions back from the current release, Lollipop." 

This, the Rapid7 researcher notes, would be a reasonable decision, were it not for the fact that around 60 percent of Android users, over 930 million, still use Android versions older than KitKat, and most are likely unable to upgrade to a newer version.

"Any new bug discovered in 'legacy' Android is going to last as a mass-market exploit vector for a long, long time," he pointed out. A huge number of users will, therefore, be left vulnerable if Google doesn't reconsider its stance on this.

"It's important to stress that Android is, in fact, open source. Therefore, it's not impossible for downstream handset manufacturers, service providers, retailers, or even enthusiastic users to come up with their own patches. This does seem to happen today; a 4.3 vulnerability may affect, say, a Kyocera handset, but not a Samsung device with the 'same' operating system," he said, explaining the problem.

"While this is one of the core promises of open source in general, and Android in particular, it's impossible to say how often this downstream patching actually happens, how often it will happen, and how effective these non-Google-sourced patches will be against future 'old' vulnerabilities."


Tuesday 13 May 2014

Twitter announces a mute option to silence annoying users



Detailed on the official Twitter blog earlier today, the social network will be rolling out a new feature that allows users to eliminate another user’s tweets from their main feed. Calling the new feature “Mute,” this will allow Twitter users to remove all tweets and retweets from a specific user within their main timeline while still continuing to actively follow them on the social network. For example, many people might consider muting users that like to spam the feed with multiple posts within a few minutes. It could also be useful to remove user tweets that are mostly comprised of auto-tweeting activity from other services. 
According to the details, you will no longer receive push notifications from a muted user on your mobile devices. Interestingly, the silenced user will have no idea that they have been muted, beyond noticing a drop in user activity within their own feed. In addition, muting a user isn't the same as blocking a user. A muted user will still be able to retweet, favorite or reply to your tweets. However, you won't see any form of notification from Twitter about that activity. That silenced user could be attempting to start a conversation with you, but you won't realize they are talking to you since they are muted.
Muted users can be un-muted easily at any time. To mute someone from their profile page, you simply click the gear icon and select the mute option. You can also mute users from the timeline on the Web or the iOS and Android platforms. To mute someone within the feed, you will need to tap the more option before clicking the mute option. At the moment, the mute feature isn’t available to all users. According to the post, Twitter plans to roll out the mute feature to all users over the next few weeks.
In the same way you can turn on device notifications so you never miss a Tweet from your favorite users, you can now mute users you’d like to hear from less. Muting a user on Twitter means their Tweets and Retweets will no longer be visible in your home timeline, and you will no longer receive push or SMS notifications from that user. The muted user will still be able to fave, reply to, and retweet your Tweets; you just won’t see any of that activity in your timeline. The muted user will not know that you’ve muted them, and of course you can unmute at any time.
To mute a user from a Tweet on your iOS or Android device or on Twitter for web tap more and then mute @username. To mute someone from their profile page, tap the gear icon on the page and choose mute @username.
In the coming weeks, Twitter will roll out the mute feature to everyone.

What is the Heartbleed OpenSSL Bug, and how can you protect your PC?



A serious vulnerability in the widely used OpenSSL encryption library, known as the Heartbleed bug, has potentially left the information of most Internet users exposed to hackers.
That’s according to a team of Codenomicon researchers, as well as Google Security researcher Neel Mehta. Codenomicon is a Web security firm whose clients include Microsoft, Verizon, and Cisco Systems. The Heartbleed bug reportedly affects as much as 66 percent of the world’s active websites, and has existed for roughly two years.
OpenSSL is an encryption library used by many websites to safeguard the data you type into your Web browser. OpenSSL implements a feature known as the heartbeat extension. While a person is visiting a website that encrypts data using OpenSSL, their computer and the server periodically exchange small heartbeat messages to check that both ends are still connected. The Heartbleed bug means hackers can send malformed heartbeat messages that trick a site's server into relaying data stored in its RAM, including sensitive information such as usernames, passwords, credit card numbers, emails, and more.
“Considering the long exposure, ease of exploitation, and attacks leaving no trace, this exposure should be taken seriously,” Codenomicon warns.
The security researchers who uncovered the hole say that hackers who exploit the Heartbleed bug can steal all that and more, even instant messages and business documents. The researchers tested the flaw out for themselves, and discovered that they were able to steal such information without leaving any trace of their attack, and also without the benefit of any “privileged information,” including log-in credentials.
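The kind of length check that a fixed heartbeat handler has to perform, as an added example that is not code from the original post or from OpenSSL itself: a small C parser for the RFC 6520 heartbeat message (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) that refuses to echo any message whose claimed payload length exceeds what was actually received. Function names, constants and the sample messages are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat record layout per RFC 6520: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3
#define HB_PADDING  16

/* Validate a received heartbeat message. Fills in the payload pointer and
 * length only when the claimed payload length actually fits inside the
 * record. A message that claims more bytes than it carries is rejected
 * instead of being echoed back; that missing check was the Heartbleed bug. */
bool hb_parse(const uint8_t *rec, size_t rec_len,
              const uint8_t **payload, uint16_t *payload_len)
{
    if (rec == NULL || rec_len < HB_HDR + HB_PADDING) return false;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return false;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The crucial bound: header + claimed payload + padding must not exceed what arrived. */
    if ((size_t)HB_HDR + claimed + HB_PADDING > rec_len) return false;
    *payload = rec + HB_HDR;
    *payload_len = claimed;
    return true;
}

/* Build a response that echoes only the validated payload.
 * Returns the number of bytes written, or 0 if the output buffer is too small. */
size_t hb_build_response(const uint8_t *payload, uint16_t payload_len,
                         uint8_t *out, size_t out_cap)
{
    size_t need = HB_HDR + payload_len + HB_PADDING;
    if (out == NULL || out_cap < need) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HDR, payload, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING); /* TLS uses random padding; zeroed here */
    return need;
}

/* Classify a raw record: 1 if it would be accepted, 0 if it is rejected. */
int hb_check_record(const uint8_t *rec, size_t rec_len)
{
    const uint8_t *p;
    uint16_t n;
    return hb_parse(rec, rec_len, &p, &n) ? 1 : 0;
}
```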

What can you do to protect yourself from the Heartbleed bug?

Aside from avoiding affected sites, which reportedly include Yahoo and OkCupid, and changing your passwords, there's not much you can do to safeguard your data. It's up to individual companies to update their websites and services to use the fixed version of OpenSSL, which plugs the hole left by Heartbleed, stanching the bleeding, so to speak. The researchers that took the wraps off the bug say it's the responsibility of operating system vendors, software makers, and network hardware vendors to use the new version, which they call FixedSSL.