Linux Traffic Hijack Flaw Also Affects Most Android Phones, Tablets (zdnet.com) 39
Zack Whittaker, writing for ZDNet: As many as 80 percent of Android devices are vulnerable to a recently disclosed Linux kernel vulnerability. Security firm Lookout said in a blog post on Monday that the flaw affects all phones and tablets that are running Android 4.4 KitKat and later, which comes with the affected Linux kernel 3.6 or newer. According to recent statistics, the number of devices affected might run past 1.4 billion phones and tablets -- including devices running the Android Nougat developer preview. Windows and Macs are not affected by the vulnerability. The flaw, disclosed at the Usenix security conference last week, is complicated and difficult to exploit. If an attacker can pull off an exploit, they could inject malicious code into unencrypted web traffic from "anywhere". However, the source and destination IP address would need to be known in order to intercept the traffic, adding to the complexity of carrying out a successful attack.The exploitability isn't easy, though.
Re: (Score:1)
it's
What? (Score:2)
How is this different from a typical MITM attack?
Is this saying that it's a MITM attack that can exploit a flaw in the kernel resulting in arbitrary code execution?
If so, wouldn't a regular (compromised/malicious) website be able to do the same thing without the MITM being necessary, HTTPS or not?
If it's not saying that it's a MITM attack that can exploit a flaw in the kernel resulting in arbitrary code execution, WTF is it saying?
Re:What? (Score:4, Informative)
How is this different from a typical MITM attack?
The attacker does not have to be "in the middle" .
But standard defence against MITM - don't trust unencrypted connections - would work fine for this as well, I would think.
Re: (Score:1)
Re: (Score:2)
And Apple has an excellent history of bug fixes compared to Linux.
Apple has an excellent history of hiding fixes compared to Linux. FTFY
Re: (Score:1)
Compared to Linux? No, they don't, not even close.
Compared to Android as shipped in phones (i.e. not AOSP), then yes, Apple has a much better track record.
Re: (Score:2)
Patch already available (I think...) (Score:3, Informative)
The link was from here [ycombinator.com], which also suggests a fix for unpatched systems:
echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >>/etc/sysctl.conf;sysctl -p
(Courtesy of this site [isssource.com].)
Re:Patch already available (I think...) (Score:4, Insightful)
Re: Patch already available (I think...) (Score:3)
All the different distributions of Linux combined with no user friendly way of keeping the latest patches installed is just asking to be trouble.
All the distros I have used have had both n00b-friendly and cli-autobatible options for installing updates for more than a decade. E.g. red icon pops up in systray, click it to see what updates are available, deselect some if you need to defer restarting something, click the update button. and carry on with what you were doing. If a kernel or very common lubrary update was installed, you're informed at the end that you should reboot and you are asked if you want to reboot or do it yourself later.
I don't kn
One more reason I hate Lenovo/Mororola support (NO (Score:3, Informative)
Re: (Score:2)
My Nexus 6 is similar to your X Force... perhaps somebody can get one of the Nexus 6 ROMs to work on not just your device but all the other Motorola models that are relatively similar.
But even Google says they will stop guaranteeing updates for the Nexus 6 once Nougat is released. Keep in mind, the Nexus 6 was still a current product up until 9 months ago and you can still get them new in the box. But they've already warned us to not expect much. Not sure if this is Google or Motorola or both declari
Re: (Score:2)
This would worry me if there were any active exploits of security flaws. The fact is that mobile phone users in general are dumb as doorknobs and there are far easier ways to exploit the user and gain access to the phone through the legitimate pathways that the OS provides rather than exploiting security holes.
"Do you wan"OK yes OK I've clicked OK already just go away stupid popup asking me a question I didn't read!
Windows and Macs (Score:1)
"As many as 80 percent of Android devices are vulnerable to a recently disclosed Linux kernel vulnerability"
"Windows and Macs are not affected by the vulnerability."
Wait, run that past me again? You're absolutely sure this linux issue doesn't affect devices which don't run linux?
Linux problem affects linux devices? You don't say (Score:2)
(no further text)