HACKERS HAVE UPDATED a Trojan that bypasses the sandbox security of Adobe Air apps such as TweetDeck.
We thought Adobe had learnt its lesson with the dependably exploitable Flash, but Trojan attacks on Air suggest otherwise. Graham Cluley, senior technology consultant at Sophos, blogged yesterday about a fake TweetDeck update that preys on Twitter users. Hackers used the bank holiday weekend to get users to click on booby-trapped links to a supposedly critical TweetDeck update that was in fact a Trojan.
"The tweets are being posted from hacked Twitter accounts, and do not link to a legitimate update for TweetDeck", said Cluley. "Instead, unsuspecting users are putting themselves at risk of infection by a Trojan horse."
Twitter sent out a safety update yesterday, warning users not to download anything. "We're sending password resets to accounts posting a fake TweetDeck update; don't download that file!"
Cluley reckoned the hackers got away with the updated attack because Twitter stopped supporting "basic authentication in their API today, meaning users have to be using a Twitter client which uses OAuth".
But the real loser here is the security of Adobe's Air. TweetDeck was developed on Air, which Adobe designed with integrated sandboxing, among other security features, to limit Trojan attacks. Adobe itself has said that Air apps need to be digitally signed. "The only way to instill confidence in the end user is by requiring developers to digitally sign their applications with a security certificate from a trusted third-party vendor," said Adobe.
However, the most embarrassing issue, aside from the ability to self-sign certificates, is the fact that a simple link is all that is needed to circumvent the security of Air's sandbox. Adobe told the INQUIRER, "If you choose to click on a link within the application, then it will open your default Web browser and take you to the site specified in the URL/link. At that point, you are surfing the Web through your Web browser, and TweetDeck, and consequently the AIR runtime, is no longer involved."
So while Adobe's sandbox may indeed provide some semblance of security, one link is all that was required to sucker in users over the bank holiday. µ