Feeds

Researcher outs Android exploit code

Plenty more where that came from

Remote control for virtualized desktops

A security researcher has released proof-of-concept code that exploits a vulnerability in most versions of Google's Android operating system for smartphones.

M.J. Keith of Alert Logic said he released the attack code to expose what he characterized as inadequate patching practices for the open-source mobile platform. Rather than find the underlying bug himself, he searched through a list of documented security flaws for Apple's Safari, which relies on the same Webkit browser engine used in Android. In short order, he had an attack that exploits about two-thirds of the handsets that rely on the OS.

“They need a better patching system,” Keith told The Register. “They do  a good job of repairing future releases, but I think a better patching system needs to be set up for Android.”

The bug Keith's code exploits was fixed in Android 2.2, but according to figures supplied by Google, only 36 percent of users have the most recent version. That means the remainder are susceptible to the attack.

What's more, Keith said he had no trouble finding other documented Webkit vulnerabilities that have yet to be fixed in version 2.2.

“I found about four or five and I wasn't trying to [do]  an exhaustive search,” he said.

A Google spokesman declined to comment for this post.

To be fair, Android's design does a good job of segregating the functions of one application from those of another. That would make it hard for someone exploiting the bug Keith demonstrated to gain root privileges or access to many of the targeted handset's resources. But it still would allow an attacker to access anything the browser can read, including a phone's Secure Digital memory card.

The bigger point, Keith said, is that most users have no idea their devices are vulnerable to bugs that were patched long ago on other platforms.

“I wanted to demonstrate that nobody's being notified that their Android phone is vulnerable to this stuff,” he explained. Google “wants to pretend it's not there.” ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.