
Rapid7’s security researcher discovers an Android browser exploit and a way to take over roughly 70 percent of Android devices via a Web page or app

This Android browser exploit looks pretty amazing for two reasons:
1) It highlights the bigger issue of the challenge of updating Android devices (I mean the bug was patched from at least July last year, and yet 70% of Android devices are still vulnerable to it) – users in many cases can't update their OS, and even if they do, they also need to update their apps, and then there's the additional software their carrier or device manufacturer forces them to have. It's kind of a mess, and I personally think Google is basically standing in the spot MSFT was before it built the Trusted Computing team and started Patch Tuesday – it needs to figure out how it's going to tackle this whole updating thing across the ecosystem, and it needs to do it fast. You already know I have this big concern that this situation is only going to get worse as we see more Internet of Things devices standardizing on Android.

2) A researcher called jduck (Joshua Drake) just used the exploit on his Google Glass and it worked: https://twitter.com/jduck/status/431662744656293888
 
Here’s the background info:
 
* What is it?
It’s a Metasploit exploit for remote code execution for Android Browser.
 
* How bad is it?
Very.  It basically gives the attacker the keys to your mobile device, it affects a high proportion of Android users (details below), and it’s complex to properly protect yourself.
 
* Who does it affect?
Anyone using any Android version before 4.2.1, which is apparently about 70% of Android devices. Here are some sources for that number:
http://m.androidcentral.com/android-4x-now-786-active-devices-kitkat-still-under-2
http://developer.android.com/about/dashboards/index.html
In fact, lots of phones are still being sold to consumers with Android 4.0 and below (e.g. http://wireless.walmart.com/content/android/), and Android is notoriously hard to update on some vendors' devices (more on that below).
Users on Android 4.2.1 and later still need to be cautious of out-of-date apps.
 
* How does it work?
It's exploiting a vulnerability that was publicly disclosed in December 2012: http://50.56.33.56/blog/?p=314. The initial attack vector was through JavaScript injection into a WebView in a third-party app, so it required that the attacker already have a man-in-the-middle position on the target. This new exploit makes this pretty simple to do remotely.
 
* What does it do?
Essentially you can control the device remotely.  Depending on the permissions granted to the exploited application, potentially you can:
– read SD card contents
– read GPS info
– steal address book
– access camera/mic
 
* How can people protect themselves?
The straightforward answer is to update your Android OS to the latest version; however, this actually isn't straightforward in practice at all due to the complexity of the ecosystem – OS updates are often controlled by the carrier and are different for each device type, so this is a huge challenge. Many phone vendors lock you into an OS version and you actually can't update without their permission. Also, most vendors bundle their own software which you cannot update or remove. In some cases, protecting against this will mean voiding your warranty.
 
My initial thought was that maybe you could avoid using the browser, but many apps use WebView under the covers. One tested example is the Baidu app which was built with the old libraries, freshly installed on an Android 4.4.2 device. This is vulnerable – tested and proven by Metasploit contributor Tim Wright. So basically users need to update all their apps as well, and unfortunately, there's no way to tell if your apps are vulnerable or not.
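
For an administrator who does hold a device and app inventory, the two conditions above (an OS before 4.2.1, or an app built against old libraries on a newer OS) can be turned into a triage pass. This is an added example, not code from the original post or from Metasploit. The inventory records, field names and the "targetSdkVersion below 17" heuristic (API 17 is where WebView began requiring the @JavascriptInterface annotation) are assumptions of the example, and a flagged app is a candidate for review, not a confirmed vulnerable one.

```python
import re

PATCHED_OS = (4, 2, 1)   # from the post: versions before 4.2.1 are affected
ANNOTATION_API = 17      # API level that introduced @JavascriptInterface

def parse_version(text):
    """'4.1.2' -> (4, 1, 2); '4.4' -> (4, 4, 0); None if not a version."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def triage(device):
    """Return (status, packages_to_review) for one inventory record."""
    version = parse_version(device.get("os", ""))
    if version is None:
        return "unknown-os", []
    webview_apps = [a for a in device.get("apps", []) if a.get("uses_webview")]
    if version < PATCHED_OS:
        # Old OS: the stock browser and every WebView-based app are in scope.
        return "update-os", [a["package"] for a in webview_apps]
    # Newer OS: apps targeting an API below 17 keep the older JavaScript-bridge
    # behaviour. A missing target_sdk counts as 0, so unknown apps are flagged.
    legacy = [a["package"] for a in webview_apps
              if a.get("target_sdk", 0) < ANNOTATION_API]
    return ("review-apps" if legacy else "ok"), legacy

# Constructed inventory; device ids and package names are made up.
INVENTORY = [
    {"id": "phone-a", "os": "4.1.2", "apps": [
        {"package": "com.example.news", "target_sdk": 16, "uses_webview": True}]},
    {"id": "phone-b", "os": "4.4.2", "apps": [
        {"package": "com.example.legacy", "target_sdk": 10, "uses_webview": True},
        {"package": "com.example.current", "target_sdk": 19, "uses_webview": True}]},
    {"id": "phone-c", "os": "4.4.2", "apps": [
        {"package": "com.example.current", "target_sdk": 19, "uses_webview": True}]},
    {"id": "phone-d", "os": "unknown", "apps": []},
]

def report(inventory=INVENTORY):
    return {d["id"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for device_id, (status, packages) in report().items():
        print(device_id, status, packages)
```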
 
* Who created the exploit and who should you talk to for more info?
Joe Vennix (https://twitter.com/joevennix) – a member of the Metasploit team. He's brilliant. Questions by email please – this is his first media interaction and he's a little shy.
