KeyStore Vulnerability Affects 86% of Android Devices
jones_supa (887896) writes "IBM security researchers have published an advisory about an Android vulnerability that may allow attackers to obtain highly sensitive credentials, such as cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices. It is estimated that the flaw affects 86 percent of Android devices. Android KeyStore has a little bug where the encode_key() routine that is called by encode_key_for_uid() can overflow the filename text buffer, because bounds checking is absent. The advisory says that Google has patched only version 4.4 of Android. There are several technical hurdles an attacker must overcome to successfully perform a stack overflow on Android, as these systems are fortified with modern NX and ASLR protections. The vulnerability is still considered to be serious, as it resides in one of the most sensitive resources of the operating system."
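The defect the summary describes (a name-encoding routine writing into a fixed filename buffer with no bounds check, also the subject of the "No bounds checking?" comment below) as an added example. This is not Android's KeyStore code: the escaping scheme, the buffer size KEY_FILENAME_MAX and the function names are assumptions made for illustration. The point it shows is that an encoder which can expand its input must bound the output, not the input, because a "short" key name can still need more bytes than the buffer holds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical filename buffer size, standing in for the fixed-size buffer
 * the summary mentions (assumption, not Android's actual value). */
#define KEY_FILENAME_MAX 64

/* Hypothetical escaping scheme (assumption, not the real KeyStore encoding):
 * bytes in the range '0'..'~' are copied as-is; any other byte becomes '+'
 * followed by two hex digits, so one input byte can become three output
 * bytes. That expansion is why checking the input length is not enough. */
static int key_byte_is_safe(uint8_t b) {
    return b >= '0' && b <= '~';
}

/* Number of output bytes the encoded name needs, NUL terminator excluded. */
size_t encoded_key_length(const uint8_t *in, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += key_byte_is_safe(in[i]) ? 1 : 3;
    return len;
}

/* Bounds-checked encoder. Returns the number of bytes written (NUL excluded)
 * or -1 if the encoded name plus its terminator would not fit in out_size.
 * Every write checks the remaining space first, so nothing is ever written
 * past out[out_size - 1]. */
long encode_key_checked(char *out, size_t out_size,
                        const uint8_t *in, size_t n) {
    static const char hex[] = "0123456789abcdef";
    size_t pos = 0;
    if (out_size == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        if (key_byte_is_safe(in[i])) {
            if (pos + 1 >= out_size) return -1;   /* keep room for the NUL */
            out[pos++] = (char)in[i];
        } else {
            if (pos + 3 >= out_size) return -1;
            out[pos++] = '+';
            out[pos++] = hex[in[i] >> 4];
            out[pos++] = hex[in[i] & 0x0f];
        }
    }
    out[pos] = '\0';
    return (long)pos;
}

/* Whether an n-byte key name fits the buffer once encoded. A check on the
 * raw length alone (n < KEY_FILENAME_MAX) is the wrong test. */
int fits_after_encoding(const uint8_t *in, size_t n) {
    return encoded_key_length(in, n) + 1 <= KEY_FILENAME_MAX;
}

int main(void) {
    char filename[KEY_FILENAME_MAX];

    /* Constructed sample: 30 bytes, all outside the safe range. The input is
     * shorter than the buffer, yet the encoding needs 90 bytes plus a NUL. */
    uint8_t odd[30];
    memset(odd, 0x01, sizeof odd);
    printf("input %zu bytes, buffer %d bytes, fits after encoding: %s\n",
           sizeof odd, KEY_FILENAME_MAX,
           fits_after_encoding(odd, sizeof odd) ? "yes" : "no");
    printf("checked encoder result: %ld\n",
           encode_key_checked(filename, sizeof filename, odd, sizeof odd));

    /* Constructed sample: a name with two bytes ('/' and '.') that expand. */
    const uint8_t name[] = "user_1/bank.key";
    long r = encode_key_checked(filename, sizeof filename, name, sizeof name - 1);
    printf("encoded \"%s\" -> \"%s\" (%ld bytes)\n", name, filename, r);
    return 0;
}
```

An unchecked variant of the loop would differ only by dropping the two `return -1` lines; a fuzzer or the address sanitizer the "No bounds checking?" comment alludes to catches that variant on the first expanding input, which is why the check belongs in the encoder itself rather than in a length comparison at its call site.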
Google has patched only version 4.4 (Score:5, Interesting)
I can understand if Google wants to force vendors to update to the most recent Android. However, from a vendor perspective, what's so hard about backporting this patch [googlesource.com] to, say, Android 4.3 and below? Is there a contract with Google forbidding this? Do they get money from NSA?
Re:Serious? (Score:5, Interesting)
no, by google, the code OWNER, for much of the code base.
old 2.x android which still works for audio phone and email and simple web (which is 99% of what many users want, actually). but has no security patches from google since the last OTA update was at least 3 yrs ago, maybe more.
google abandons things. it may not be pleasant for fanboys to admit, but it's a fact and it's part of why I have so much anger toward google. they are not serious. not by my definition. 5 yr old hardware that needs security SHOULD get security updates. even 10 yrs. again, this is the money and power and brain-rich google we're talking about. they do NOT get a pass on being bad about backporting security. a 10 or 100 man company, sure. but google gets no free pass on abandoning their own phones (my case, the N1). total complete abandonment. even the gmail app BY google refuses to work properly on the N1, now. it does not auto poll and show new mail indications. you have to manually poll. a google app on a google phone that is broken. this is why I hate them.
Re:Serious? (Score:4, Interesting)
One difference between enterprise software companies and consumer software is that over 50% of the enterprise revenue is for support. Virtually none for consumer software because people are unwilling to pay for it and the product lifetime is short.
No bounds checking? (Score:4, Interesting)
A rookie mistake. Tools to trap this have been around for ages. And do not give the "but they were optimizing" excuse. The only thing a security module should be optimized for is security. Once again, a rookie mistake.
Re:Google has patched only version 4.4 (Score:4, Interesting)
I can understand if Google wants to force vendors to update to the most recent Android. However, from a vendor perspective, what's so hard about backporting this patch [googlesource.com] to, say, Android 4.3 and below? Is there a contract with Google forbidding this? Do they get money from NSA?
Backporting it probably isn't difficult, but getting all the vendors and carriers to patch, build, validate, and deploy their custom Android builds for all the various devices they have supported over the last few years is.