Recent Android Vulnerability Discovery Remains A Threat To Devices - TopicsExpress



          

According to security researchers, more than 86 percent of all Android devices remain vulnerable to a threat discovered last month. On Monday, IBM Security researchers shed new light on a vulnerability (CVE-2014-3100) that affects the Android KeyStore service, which is used for storing cryptographic keys and other user information.

This vulnerability was reportedly patched in the latest version of the open source operating system – Android KitKat 4.4 – but the problem remains because the vast majority of Android users aren’t running this latest version.

While this is not an easy flaw to exploit, it resides in the KeyStore, which is one of the most sensitive resources in the Android OS. If the KeyStore is compromised, a hacker could log in as the device’s actual user to any service where passwords are likely remembered.

“Exploiting this vulnerability can theoretically be done by a malicious application; however, a working exploit needs to overcome a combination of obstacles,” wrote Roee Hay, who leads the application security research at IBM.

Those obstacles could include Data Execution Prevention (DEP), which Hay said could be bypassed by Return-Oriented Programming (ROP) payloads, as well as stack canaries, Address Space Layout Randomization (ASLR) and encoding techniques.

“However, the Android KeyStore is respawned every time it terminates. This behavior enables a probabilistic approach; moreover, the attacker may even theoretically abuse ASLR to defeat the encoding,” Hay added. “Successfully exploiting this vulnerability leads to a malicious code execution under the keystore process.”

Hay was able to exploit the bug and execute malicious code that leaks keys used by banking and other sensitive apps and virtual private networks (VPNs), and even the PIN or finger patterns that are used to unlock a device.

More: b4in.org/t5L1
Posted on: Mon, 30 Jun 2014 18:15:05 +0000
