Attackers Exploit New 0-day Vulnerability Giving Full Control of Android Phones (arstechnica.com)
"Attackers are exploiting a zero-day vulnerability in Google's Android mobile operating system that can give them full control of at least 18 different phone models," reports Ars Technica, "including four different Pixel models, a member of Google's Project Zero research group said on Thursday night." The post also says there's evidence the vulnerability is being actively exploited.
An anonymous reader quotes Ars Technica: Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content. "The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device," Stone wrote. "If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox...."
Google representatives wrote in an email: "Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue."
The use-after-free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14, without the benefit of a tracking CVE. That fix was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel. For reasons that weren't explained in the post, the patches never made their way into Android security updates.
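The summary above makes a point a device owner or fleet administrator should act on: the kernel fix was backported years ago, but because it never reached Android security updates, a device's kernel version alone says nothing about whether it is protected, whereas the security patch level reported by the OS does, once the October release has landed. The following added script (not code from Ars Technica, Project Zero or Google) shows how a defender would check that from an `adb shell getprop` dump. It assumes the "October Security Release" is the 2019-10 patch level (the story does not give the year), and it reads the standard Android properties `ro.build.version.security_patch` and `ro.product.model`; the two dumps are constructed samples.

```python
"""Assess whether an Android device reports a security patch level at or after
the release that carries the kernel use-after-free fix discussed in the story.

Added illustration, not code from the original article. The fix date below is
an assumption (October 2019); the getprop dumps are constructed samples.
"""
import re
from datetime import date

# Assumption: the "October Security Release" is the 2019-10-01 patch level.
ASSUMED_FIX_LEVEL = date(2019, 10, 1)

# `adb shell getprop` prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed sample: a device that has received a post-October patch level.
SAMPLE_PATCHED = """\
[ro.product.model]: [Pixel 2]
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2019-10-05]
"""

# Constructed sample: same model, still on an older patch level. Note that the
# kernel version line is deliberately not consulted: per the story, the kernel
# fix existed in the Android kernel branches but was not shipped in updates,
# so the kernel version would not tell us whether the device is protected.
SAMPLE_UNPATCHED = """\
[ro.product.model]: [Pixel 2]
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-08-05]
"""


def parse_getprop(text):
    """Parse getprop output into a dict; lines that do not match are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def patch_level(props):
    """Return the security patch level as a date, or None if absent/malformed."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def assess(text):
    """Classify a getprop dump as patched, unpatched or unknown."""
    props = parse_getprop(text)
    model = props.get("ro.product.model", "unknown")
    level = patch_level(props)
    if level is None:
        return {"model": model, "status": "unknown", "patch_level": None}
    status = "patched" if level >= ASSUMED_FIX_LEVEL else "unpatched"
    return {"model": model, "status": status, "patch_level": level.isoformat()}


if __name__ == "__main__":
    for name, dump in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
        print(name, assess(dump))
```

On a real device, feed the script the output of `adb shell getprop`; a result of `unknown` means the property was missing or not a valid date and the device should be treated as unpatched until confirmed otherwise.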
Clueless comment of the year award? (Score:1)
All OSes I know have had zero-day exploits. Except OpenBSD probably. ;)
Finding exploits means you patched them. Somebody else can't find them anymore.
Not finding exploits means you didn't patch them. Somebody else could still find one.
AOSP, the basis for Android, is open source. Which is not perfect, as it does not guarantee anyone actually checking... or finding it if he does ... but it is vastly better than closed source in that regard.
Why are you even commenting? What's the real reason.
P.S.: Please mod off-topi
Re: (Score:3)
they were pretty clear.
this is not some isolated problem
this is merely an indication and consequence of modern software being utter trash.
use-after-free? seriously? What's next? getting owned due to an off-by-one error?
and more than that, anyone with a two year old device won't be getting a patch... which is like what? 50%? 60%? 40% of all android devices? (not just phones... think tablets, drones, ICEs, fridges, bathroom scales or whatever else they shoved it into)
Theo, is that you? (Score:2)
https://www.zdnet.com/article/... [zdnet.com]
OpenBSD is no more immune to zero-day exploits than anything else.
If anyone used it in real life, then we'd hear about
- the attack
- the exploit
- the fix
But nobody uses this amateurish OS for commercial purposes. So nobody bothers with the attack or the report.
E
Solution approaches for each half of the problem? (Score:3)
On the one hand I think you [BAReFO0t] are mostly feeding the troll, but on the other hand you were right to call for assistance from the moderators. I wouldn't have seen that FP anyway, since it was AC, but on the third hand, so far there is no visible positive moderation for any comment on this story. (My recurrent interest in the topic arises from my ownership of Android smartphones.)
For the app vulnerability, I think the best solution approach would involve revealing the developers' financial models. Pr
Dear Slashdot: I need to root my phone. (Score:2)
I hate that crackers are always so secretive about the actual exploit. I can't seem to find it.
The manufacturer of my phone is really annoying in that regard. It would be much easier to just use this exploit. I checked, and it uses a vulnerable kernel.
I am a programmer, and have rooted phones via official ways before.
I haven't written any Android apps before, as I despise both enterprisey XML and enterprisey Java.
Where can I find an easy way to use this exploit?
Ideally an open-source app from the discovere
Re: (Score:3)
Re: (Score:3)
I am sorry, but anything that allows you to actually own the device you purchased is an unacceptable security risk.
Anything that allows random attackers to own the device you purchased, and which contains all of your data, is an unacceptable security risk.
If you want to run your own software, just buy a phone from a vendor that allows you to unlock the bootloader and do what you like.
Re: (Score:3)
Google representatives wrote in an email: "Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days.
The email continued:
For anyone else, please throw away your current phone, wait six months, buy the latest model, and see if it's running a patched version of Android. If not, repeat as often as required.
Re: Dear Slashdot: I need to root my phone. (Score:2)
Re: (Score:1)
Ideally an open-source app from the discoverer himself, that I can side-load, and that lets me install SuperSU.
SuperSU is a closed source app that is now run by a shadowy group in China. Why would you want to root your Android and install that?
Re: (Score:3)
Re: (Score:2)
Maybe there is a chance that I finally get to root my phone.
Locked down LG Q6, running Oreo.
Everything IT Seems Like Swiss Cheese These Days (Score:2)
Re: (Score:1)
Security holes, security holes and more security holes.
Well, the cops need access, ok? And facebook is being harassed into dropping their encryption too. Whaddya expect?
Re: (Score:2)
The issue is that android is WAY off the mainline kernel in their own idiotic separate ARM SoC bubble universe where the peripheral hw devs are even more incompetent than the interns writing the drivers for them.
There are hacks in the Android kernel (due to completely broken hw design) that would (and should) never go into the mainline. The problem is fundamentally unfixable.
Re: (Score:3)
To "ensure" Android protected - LOL (Score:4, Informative)
Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue.
A patch most partners will not deliver to so many current Android users. Use of the word "ensure" is humorous, more like "we did our part, don't blame us".
Re: (Score:3)
A patch Google themselves will not deliver to their own devices just a few years old.
Re: (Score:2)
LOL shithead.
Just like the ads (Score:2)
Re: (Score:3)