
SoylentNews is people

posted by Fnord666 on Monday October 02 2017, @11:29AM
from the ground-beef dept.

Submitted via IRC for SoyCow5743

A serious vulnerability that remains unfixed in many Android devices is under active exploit, marking the first known time real-world attackers have used it to bypass key security protections built in to the mobile operating system.

Dirty Cow, as the vulnerability has been dubbed, came to light last October after lurking in the kernel of the Linux operating system for nine years. While it amounts to a mere privilege-escalation bug—as opposed to a more critical code-execution flaw—several characteristics make it particularly potent. For one, the vulnerability is located in a part of the Linux kernel that's almost universally available. And for another, reliable exploits are relatively easy to develop.

By the time it was disclosed, it was already under active exploit on Linux servers. Within days of its disclosure, researchers and hobbyists were using the vulnerability, indexed as CVE-2016-5195, to root Android phones.

Now, more than 1,200 apps available in third-party marketplaces are exploiting Dirty Cow as part of a scam that uses text-based payment services to make fraudulent charges to the phone owner, researchers from antivirus provider Trend Micro reported on Monday.

Source: https://arstechnica.com/information-technology/2017/09/in-a-first-android-apps-abuse-serious-dirty-cow-bug-to-backdoor-phones/


  • (Score: 1, Funny) by Anonymous Coward on Monday October 02 2017, @12:40PM

    by Anonymous Coward on Monday October 02 2017, @12:40PM (#575872)

    You are all cows! Cows go moooooooooooo! Mooooo cows moooo! Moooooo say the cows! You dirty cows!!

  • (Score: 4, Insightful) by halcyon1234 on Monday October 02 2017, @01:25PM (4 children)

    by halcyon1234 (1082) on Monday October 02 2017, @01:25PM (#575882)
    Make your phone a payment device! You can pay with your phone! WOW your phone can be used to pay at your favorite retailer! Who needs a piece of dumb plastic anymore?

    Because what could possibly go wrong with all your payment info being directly attached to an always-on, internet-connected, general purpose computer that is perpetually running black-box third party code (code which also mutates at the whim of whoever controls the dev account via auto-updates)

    Next up: crowd-source driven! Put your car on the Internet, then just sit back and relax while the Wisdom of the Crowds controls your morning drive.
    --
    Original Submission [thedailywtf.com]
    • (Score: 2) by DannyB on Monday October 02 2017, @02:13PM (2 children)

      by DannyB (5839) Subscriber Badge on Monday October 02 2017, @02:13PM (#575897) Journal

      (code which also mutates at the whim of whoever controls the dev account via auto-updates)

      There are a lot of those whoevers. Not just one whoever. Each App has a 'whoever' that developed the app and can update it. So the number of whoevers can potentially match the number of installed apps. You could have several apps from the same whoever.

      There is a mapping between whoevers and apps. The set of whoevers is a non empty subset of the apps.

      Don't drive like that! Let's try to get there in as few pieces as possible.

      --
      When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
      • (Score: 3, Funny) by Whoever on Monday October 02 2017, @05:36PM (1 child)

        by Whoever (4524) on Monday October 02 2017, @05:36PM (#576011) Journal

        There are a lot of those whoevers. Not just one whoever.

        ... but only one here at Soylentnews. [soylentnews.org]

        • (Score: 2) by bob_super on Monday October 02 2017, @06:47PM

          by bob_super (1357) on Monday October 02 2017, @06:47PM (#576072)

          But there could be a whoevers, making us all wonder if you are that whoevers and therefore all the whoevers, or if somehow whoevers doesn't include just any whoever.

    • (Score: 2) by TheRaven on Monday October 02 2017, @02:23PM

      by TheRaven (270) on Monday October 02 2017, @02:23PM (#575902) Journal
      This isn't quite so bad with Apple Pay, because the card details are stored in the secure element, where they can't be accessed by code running on the application processor, and where they will simply sign transactions. Malware that compromises the iOS kernel could potentially create a load of fraudulent payments, but it couldn't exfiltrate the card details. Most Google Pay implementations don't have an equivalent of the secure element (though a few do), so an OS compromise can extract the card info directly.
      --
      sudo mod me up
  • (Score: 2) by cosurgi on Monday October 02 2017, @01:34PM (6 children)

    by cosurgi (272) on Monday October 02 2017, @01:34PM (#575885) Journal

    OK, so does anybody know if a regular user of Android (let's say Samsung) has some possibility of upgrading the phone to remove this? Does there even exist an Android version release with this vulnerability removed?

    --
    #
    #\ @ ? [adom.de] Colonize Mars [kozicki.pl]
    #
    • (Score: 2, Informative) by Woosh on Monday October 02 2017, @02:07PM

      by Woosh (6715) on Monday October 02 2017, @02:07PM (#575895)

      It was patched about a year ago according to the article. Also it says if you're running version 5.1.1 or earlier you're probably still susceptible.

    • (Score: 3, Interesting) by DannyB on Monday October 02 2017, @02:19PM (3 children)

      by DannyB (5839) Subscriber Badge on Monday October 02 2017, @02:19PM (#575899) Journal

      I love my Nexus 6P from Google. First in line for OS and security updates. No delays from either the OEM or the mobile network operator. I just got Oreo last month, which was the last promised OS upgrade from Google. (Not that they couldn't potentially provide another OS upgrade.) I'm also promised security updates through September 2018. So if I can manage to keep this phone for that long, it will be the longest I've ever had a single phone.

      My previous phone was a Samsung Galaxy S5. I liked it until the installed bloatware was so bad that I couldn't do OS updates any more. I had removed everything that I was willing to remove. That's another thing about Google's phones -- no preinstalled non-removable bloatware. Just bare bones apps like a browser, phone dialer, etc. No assumption that you want, for example, FaceTwit. If I wanted to install FaceTwit, I know how to find it in the Play store.

      At this point, I may never go back to an OEM or carrier phone. Only if someone could manage to make a phone with an even larger screen than what I have now, but still fit in a jeans front pocket.

      --
      When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
      • (Score: 3, Touché) by TheRaven on Monday October 02 2017, @03:06PM (2 children)

        by TheRaven (270) on Monday October 02 2017, @03:06PM (#575920) Journal

        That's another thing about Google's phones -- no preinstalled non-removable bloatware.

        Except Google Maps, Google Mail, and all of the other Google spyware. Of course they don't want third-party spyware preinstalled - it would reduce the value of the data that they collect about you if anyone could collect it.

        --
        sudo mod me up
        • (Score: 2) by DannyB on Monday October 02 2017, @08:19PM

          by DannyB (5839) Subscriber Badge on Monday October 02 2017, @08:19PM (#576158) Journal

          Yep, it's true.

          But I do get value in return for the google spyware.

          A superior experience. Maps. News. Gmail. Organizer. Contacts. YouTube. Docs / Drive. Voice recognition / commands. Translation. And much more. It's all nicely integrated into my phone. When I switch phones, it all conveniently moves with me.

          I understand Google's desire for the information. To better target ads to my eyeballs. As long as ads are few and relevant, I find it's not so bad.

          It's great as long as Google's policy is:

          [x] Don't Be Evil!

          Oh, wait.

          --
          When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
        • (Score: 2) by urza9814 on Tuesday October 03 2017, @01:47PM

          by urza9814 (3954) on Tuesday October 03 2017, @01:47PM (#576578) Journal

          My previous phone was a Samsung Galaxy S5. I liked it until the installed bloatware was so bad that I couldn't do OS updates any more. I had removed everything that I was willing to remove. That's another thing about Google's phones -- no preinstalled non-removable bloatware. Just bare bones apps like a browser, phone dialer, etc. No assumption that you want, for example, FaceTwit. If I wanted to install FaceTwit, I know how to find it in the Play store.

          Except Google Maps, Google Mail, and all of the other Google spyware. Of course they don't want third-party spyware preinstalled - it would reduce the value of the data that they collect about you if anyone could collect it.

          This is exactly why I run LineageOS on my Galaxy S5. It's an excellent phone and even better software.

          The only Google app I have is the play store, and even that is optional.

          I've got a few uninstalled updates available actually as I haven't updated in several months -- the last one was released six days ago -- but I'm running Android 7.1.2 already with security patches up to June 2017...so I'm safe from this one at least. And Google only patches for 3 years -- the S5 is older than that already, so if this was a Google device it wouldn't be getting updates anymore. But I expect I'll still be getting updates for years to come, long after I eventually decide to upgrade the hardware. Not that I see any need to right now; this thing can easily handle everything I throw at it.

    • (Score: 0) by Anonymous Coward on Monday October 02 2017, @03:28PM

      by Anonymous Coward on Monday October 02 2017, @03:28PM (#575928)

      I have an Android tablet yet, but I'm thinking the upgrade is going to be to native GNU/Linux instead of this GNU running on Android/Linux crap I have on it right now. (Installed a minimal Gentoo, compiled some things I wanted like ssh, and it's GNU and it mostly works. Portage tree on that device is hopelessly out of date these days though.)

      As for my phone, I'm biting the bullet and moving to a feature phone with physical buttons.

      That leaves me with the problem of a media player for the car, for which I think a Raspberry Pi 3 with the official 7" touchscreen and the case meant to hold both will do, if not just the aforementioned soon to be ex-Android tablet.

  • (Score: 0) by Anonymous Coward on Monday October 02 2017, @05:26PM

    by Anonymous Coward on Monday October 02 2017, @05:26PM (#576001)

    Well because nobody has been rectal enough to throw this out there yet, what "operating system" is Linux? I always thought that was a kernel.
