KeyStore Vulnerability Affects 86% of Android Devices
jones_supa (887896) writes "IBM security researchers have published an advisory about an Android vulnerability that may allow attackers to obtain highly sensitive credentials, such as cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices. It is estimated that the flaw affects 86 percent of Android devices. Android KeyStore has a little bug where the encode_key() routine that is called by encode_key_for_uid() can overflow the filename text buffer, because bounds checking is absent. The advisory says that Google has patched only version 4.4 of Android. There are several technical hurdles an attacker must overcome to successfully perform a stack overflow on Android, as these systems are fortified with modern NX and ASLR protections. The vulnerability is still considered to be serious, as it resides in one of the most sensitive resources of the operating system."
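The missing bound the summary describes, as an added example that is a simplified re-creation and not Android's KeyStore code: an encode_key()-style step expands the key alias into a filename buffer, and the hardened version refuses the name instead of writing past the buffer. The buffer size, the escape encoding and the sample aliases are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified re-creation of an encode_key()-style routine (not Android's
 * code): printable bytes pass through, every other byte expands to two.
 * Returns bytes written (without the NUL) or -1 when the result would not
 * fit in out_size. That out_size check is the bound the original lacked;
 * without it a long or binary-heavy alias writes past the caller's buffer. */
static int encode_key_bounded(char *out, size_t out_size,
                              const unsigned char *in, size_t in_len) {
    size_t pos = 0;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        size_t need = (c >= '0' && c <= '~') ? 1 : 2;
        if (pos + need + 1 > out_size)       /* +1 reserves room for the NUL */
            return -1;
        if (need == 1) {
            out[pos++] = (char)c;
        } else {
            out[pos++] = (char)('+' + (c >> 6));    /* marker plus top two bits */
            out[pos++] = (char)('0' + (c & 0x3F));  /* low six bits */
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Prefix the encoded alias with the owner's uid, as encode_key_for_uid()
 * does, refusing rather than overflowing when the name does not fit. */
int encode_key_for_uid_bounded(char *out, size_t out_size, unsigned uid,
                               const unsigned char *key, size_t key_len) {
    int n = snprintf(out, out_size, "%u_", uid);
    if (n < 0 || (size_t)n >= out_size) return -1;   /* prefix alone overflowed */
    int m = encode_key_bounded(out + n, out_size - (size_t)n, key, key_len);
    return m < 0 ? -1 : n + m;
}

char demo_name[256];   /* stand-in for the on-disk filename buffer (assumed size) */

int main(void) {
    const unsigned char alias[] = "wifi_cert";              /* constructed alias */
    int r = encode_key_for_uid_bounded(demo_name, sizeof demo_name, 10042, alias, 9);
    printf("%d %s\n", r, demo_name);                        /* 15 10042_wifi_cert */
    r = encode_key_for_uid_bounded(demo_name, 15, 10042, alias, 9);
    printf("%d (rejected: needs 16 bytes with NUL)\n", r);  /* -1 */
    return 0;
}
```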
No bounds checking? (Score:5, Insightful)
No bounds checking? In a security module of Android? Duh! What sort of idiots do they have coding this thing?
Re:Google has patched only version 4.4 (Score:3, Insightful)
> what's so hard about backporting this patch to, say, android 4.3 and below?
It isn't part of their business model. There are tens of millions of android devices that have simply been abandoned because the business model is to sell moar phones and money spent on improving phones that have already been sold not only does not sell moar phones, it gives people less reason to buy moar phones.
Re:Google has patched only version 4.4 (Score:3, Insightful)
Backporting it probably isn't difficult, but getting all the vendors and carriers to patch, build, validate, and deploy their custom Android builds for all the various devices they have supported over the last few years is.
Google knew the problem early enough to have designed their Market app to allow for a system 8 times its old size. Forcing in a binary for a 30 line kernel patch is not a [technological] problem.
Here is a little secret. Despite their "we don't fix old stuff" stand, they don't keep their hands out of my phone with updates to things I DO NOT WANT UPDATED. I reset my phone to factory once or twice a year when I'm fed up with the puny 256MB ram design where even apps you aren't using count against your text, call and running program quota. Anyway, they keep bloating this 2.2 phone with HUGE versions of Google Play and Frameworks (altogether about 25MB in a phone where the Market app was like 3). That cannot be stopped except by rooting and aggressively freezing the apps.
The lack of control over my device is not as grating as when I use iOS devices at work, but I am seriously dragging my feet over upgrading.
Re:Google has patched only version 4.4 (Score:4, Insightful)