Enterprise Mobility Report 06/2015. Creation date: Vlastimil Turzík

Transcription

1 06/2015 Creation date: Author: Vlastimil Turzík

2 Content Content... 2 Introduction... 4 ios... 4 Vulnerability... 4 ios Mail App Vulnerability Allows Hackers To Steal icloud Passwords... 4 Versions: Android... 5 Vulnerability... 5 Samsung vulnerability affects up to 600 million Android devices... 5 CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE Versions Blackberry Vulnerability Versions Vulnerability Versions MobileIron

3 Vulnerability Interesting Articles MobileIron and Google to Bring MobileIron AppConnect to Android for Work Preview of MobileIron for Windows 10 Launches Today ios 9: Making a Great Enterprise User Experience Even Better Gartner Positions MobileIron as a Leader and Furthest on Completeness of Vision Axis in 2015 Magic Quadrant for Enterprise Mobility Management Suites

4 Introduction This is the public version of System4u's Enterprise Mobility report. You can find here news about security of ios, Android, Blackberry and Windows Phone operating systems from last week. We cover also EMM solution MobileIron in this report, others EMM solutions will come in the future. Full version of report is issued for our customers and subcsribers. You can find there not only the news about security, but also interesting articles, links from the enterprise mobility world and recommendations to mitigate the vulnerabilities. ios Vulnerability No vulnerabilities in this month. ios Mail App Vulnerability Allows Hackers To Steal icloud Passwords Security researcher, Jansoucek, recently published the attack code on Github which reportedly exploits vulnerability on Apple s Mail app to steal user information. The attack can be used to steal important details such as the icloud password, the location as well as identity details of the user. He had already notified of this issue to Apple back in January, but the company is yet to fix it with a patch. Even the latest version of ios Mail App v8.3 has this vulnerability. So, he has finally published the attack code with full details on GitHub. According to ARSTechnica, attackers can use the fact that the ios Mail app does not remove HTML codes from incoming messages, which makes it easy for them to collect user information. For example, in a proof of concept attack, the existing HTML codes can be used to download a form which looks a lot like the icloud login prompt from the remote server. This can be then displayed when the user opens up the mail. 4

5 Since the mail app is known to ask for login details in between, this attack may turn out to be successful. Any user who does not pay close attention to the dialog may end up sending his or her password to the attacker. Versions: 8.4 Android Vulnerability Samsung vulnerability affects up to 600 million Android devices Hundreds of millions of Android mobile devices may be at risk because of a flaw in the default keyboard used by Samsung, and because of the level of access Samsung affords the keyboard software. Mobile security vendor NowSecure found that the version of the SwiftKey keyboard built-in to many popular Samsung Galaxy devices, from the Galaxy S3 to the S6 on multiple carriers, downloads language packs via HTTP and does not use a secure transfer protocol. This leaves devices vulnerable to a man-in-the-middle attack wherein a malicious actor capable of controlling a user's network traffic can intercept a request to download a language pack upgrade or new language pack and deliver back an infected file. CVE Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X allow remote attackers to bypass a CVE protection mechanism via unspecified vectors. 5

6 CVSS Score 6.8 CVE Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE and CVE CVSS Score 5.0 CVE Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE and CVE CVSS Score 5.0 6

7 CVE Stack-based buffer overflow in Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X allows attackers to execute arbitrary code via unspecified vectors. CVSS Score 10.0 CVE The Flash broker in Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X, when Internet Explorer is used, allows attackers to perform a transition from Low Integrity to Medium Integrity via unspecified vectors. CVSS Score 4.3 7

8 CVE Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE and CVE CVSS Score 5.0 CVE Use-after-free vulnerability in Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE and CVE CVSS Score 10.0 CVE Integer overflow in Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe 8

9 AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X allows attackers to execute arbitrary code via unspecified vectors. CVSS Score 10.0 CVE Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. CVSS Score 10.0 CVE Use-after-free vulnerability in Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE and CVE CVSS Score

10 CVE Use-after-free vulnerability in Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE and CVE CVSS Score 10.0 CVE Adobe Flash Player before and 14.x through 18.x before on Windows and OS X and before on Linux, Adobe AIR before on Windows and before on OS X and Android, Adobe AIR SDK before on Windows and before on OS X, and Adobe AIR SDK & Compiler before on Windows and before on OS X do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors. CVSS Score 5.0 Versions Android Lollipop Android KitKat Supported mobiles all supported mobiles 10

11 Blackberry Vulnerability No vulnerabilities in this month Versions Tmobile Czech Windows Phone 1) OS BlackBerry Bold 9900, ) OS Blackberry 9800, 9780, ) OS Blackberry ) OS Blackberry Curve ) OS Blackberry Curve 9320, 9360, ) OS Blackberry Curve ) OS Blackberry Bold ) OS BlackBerry PlayBook 9) OS Z30, Z10, Q10, Q5, Blackberry Passport, Porsche Design P 9983 Vulnerability No vulnerabilities in this month. Versions Windows Phone

12 MobileIron Vulnerability No vulnerabilities in this month. Interesting Articles MobileIron and Google to Bring MobileIron AppConnect to Android for Work MOUNTAIN VIEW, Calif. June 10, 2015 MobileIron (NASDAQ: MOBL), the leader in mobile enterprise security, announced that it is working with Google to bring the MobileIron AppConnect framework to the Android for Work platform. Google s release of Android for Work earlier this year delivered a unified way to secure enterprise apps, and to separate work and personal data on Android V5.0 using an EMM platform like MobileIron. On Android V5.0, the combination of MobileIron and Android for Work allowed Android apps to be installed and run in a secure workspace on the device without any modification to those apps. Because the security controls are at the OS-level, they can be applied to any app running on that OS. However, many organizations have devices running prior versions of Android, specifically V4.0 to V4.4. These devices do not have Android for Work security controls at the OS-level, so Google recently released the Android for Work App. This standalone app provides a secure workspace into which other enterprise apps can be installed and therefore protected from unauthorized access. However, this cannot be done without modification to the app itself. MobileIron AppConnect containerizes apps to protect corporate data-at-rest without touching personal data. The result is that each app becomes a secure container whose data is encrypted, protected from unauthorized access, and removable. By extending MobileIron AppConnect to the Android for Work app, developers will be able to deploy any AppConnect-enabled app in the secure workspace of the Android for Work App. Because AppConnect already has an extensive ecosystem of third-party and in-house apps using the framework, this expansion can dramatically increase the number of apps that can be secured through Android for Work on existing Android devices. 12

13 Google and MobileIron will make Android for Work the security baseline for not only devices running Android V5.0, but also the millions running older versions. said Bob Tinker, CEO, MobileIron. This announcement charts the path to an integrated, consistent app security strategy across Android using MobileIron. Preview of MobileIron for Windows 10 Launches Today SAN FRANCISCO June 10, 2015 During today s keynote with Microsoft at the Mobile First Conference, MobileIron (NASDAQ: MOBL) announced the launch of the Preview of MobileIron for Windows 10. Gartner has published* the following Strategic Planning Assumption: By 2020, smartphone security and management architectures will dominate the endpoint computing environment, while traditional PC image management will decline except on dedicated appliance-style devices. Traditionally, corporations have used group policy objects (GPO) to manage their Windows devices. The model is only effective when all devices are connected to a high-bandwidth network, but it does not work with mobile devices that are only intermittently connected to the corporate network. As a result, enterprise mobility management (EMM) platforms like MobileIron are becoming a leading security and management model because they enable business users to securely access enterprise data from any device, on any network, without compromising data security. Windows 10 is the first modern operating system to unify all form factors and MobileIron will play a central role for security and management, said Bob Tinker, CEO, MobileIron. We are very pleased to be working with Microsoft to launch our MobileIron Preview for Windows 10. MobileIron plans to be the policy engine for the new security and apps model of Windows 10: Data separation and protection: Windows 10 Enterprise Data Protection (EDP) provides personal and corporate data separation and containment to prevent unauthorized access and leakage of corporate data. This gives IT the ability to ensure that corporate data is only accessible by trusted apps and that corporate content cannot leak to unauthorized apps or services (e.g., web sites). An EMM platform can set and enforce EDP policies. 13

14 Unified application security and management: In Windows 10, programmers can develop universal apps that are written once with a single set of business logic and with a user experience that can run on any Windows 10 device. This gives employees a consistent experience across all Windows 10 devices. Through an EMM platform, IT can create and enforce shared policies that apply across smartphones, tablets, laptops, and PCs. The Windows Store for Business ( provides a single destination for IT administrators to get the apps they need. An EMM platform can also give IT the controls and configurations to effectively secure and distribute both modern Windows apps and older Win32 apps. ios 9: Making a Great Enterprise User Experience Even Better Apple's annual Worldwide Developer Conference (WWDC) brings together app developers from around the world to learn what new things Apple will be adding to ios and OS X. With the addition of watchos, app developers can now plan and develop their apps with three platforms. The combining of Apple's developer programs into a single developer program underscores Apple's desire to have single place to develop, manage, and distribute apps. By promising "a better experience with every touch," the release of ios 9 is clearly designed to enhance the platform s most commonly used features. For instance, Siri is being bolstered with proactive suggestions, and new ipad multitasking features will help users be even more productive on their devices. With additional upgrades that improve system performance, extend battery life, introduce "thinner" apps and strengthen mobile security, Apple has done an excellent job of refining an already advanced mobile operating system. Here s a sneak preview of some of the new device enrollment, application management, and per-app VPN capabilities that Apple is planning to include with ios 9: Removing the Apple ID requirement: With ios 9, Apple announced that EMM providers can now distribute a Volume Purchase Program (VPP) app to individual devices instead of assigning the app to an Apple ID. Eliminating the Apple ID requirement on every device greatly simplifies fleet- deployments where often there isn t an individual Apple ID assigned to a device. This is also great news for application developers because each device will require a separate app license. 14

15 Distribute apps without the App Store: For corporate-deployed ios 9 devices, enterprises will have the ability to disable the App Store yet still be able to deploy apps through the App Store. This feature will allow mobile administrators to better maintain a standard deployment blueprint and not worry about end users installing personal apps on corporate devices. Convert unmanaged apps to managed apps: With ios 9, an EMM vendor like Mobileiron can now transition a user-installed app to a corporate-liable app. Prior to ios 9, this process required an end user to manually delete the app and then reinstall the same app via an EMM's enterprise app store. Hold in ios Setup Assistant: For institutions that use Apple's Device Enrollment Program (DEP) to mass configure and deploy ios devices, ios 9 includes a feature that allows an EMM vendor to hold the ios device inside the ios Setup Assistant until all configurations and policies have been deployed. This ensures that the ios device is completely configured and ready for the end user. Trust UI: New for ios 9 is the inclusion of an interface that allows end users to trust the certificate used to digitally sign in-house developed apps. This change allows end users to definitively identify the source of any in-house app prior to installation. EMM vendors will also have the ability to prohibit end users from trusting any external sources while still retaining the ability to distribute their own in-house apps. Per-app VPN changes: Apple announced three changes for per-app VPN. First, UDP traffic will now be supported with the current per-app VPN implementation. This is a big win for apps that require UDP in order to stream audio or video. Second, a per-app VPN connection can be established at layer 3. This is key for managing the actual data traffic that enterprises want their per app VPN connection to traverse. Third, the builtin IPSec clients (IKEv1 and IKEv2) can be used to manage per-app VPN connections. By introducing these and other exciting new features for both the enterprise and end users, Apple is once again taking the mobile user experience and enterprise security to a whole new level. With the release of ios 9, Apple is clearly committed to reinforcing its position as the leading mobile operating system in the enterprise. Gartner Positions MobileIron as a Leader and Furthest on Completeness of Vision Axis in 2015 Magic Quadrant for Enterprise Mobility Management Suites 15

16 MobileIron named a Leader for the fifth consecutive year MOUNTAIN VIEW, Calif., June 11, 2015 /PRNewswire/ -- MobileIron (NASDAQ: MOBL), the leader in mobile enterprise security, today announced it has been positioned by Gartner, Inc. in the Leaders quadrant of the "Magic Quadrant for Enterprise Mobility Management Suites."* This is the fifth consecutive year that MobileIron has been positioned in the Leaders Quadrant and the second consecutive year that MobileIron has been positioned furthest on the Completeness of Vision axis. Download the full report here: report-magic-quadrant-enterprise-mobility-management-suites "Companies around the world are using mobile technology to transform their businesses and we believe our ongoing recognition as a Leader in the Magic Quadrant is the result of our focus on this new Mobile First world," said Bob Tinker, CEO, MobileIron. "The move to mobile is the most disruptive shift faced by enterprise IT in the last 20 years. Modern end-user computing is moving to the mobile model for security and management and our global customers trust MobileIron to deliver on the vision for mobile computing by delivering innovation and security at scale." MobileIron secures enterprise information wherever it lives, in the app, in the network, and in the cloud. 16