
SoylentNews is people

posted by CoolHand on Thursday May 05 2016, @04:52PM
from the well-thought-out-OS dept.

A five-year-old privilege escalation vulnerability in Android disclosed today affects hundreds of different device models going back to Jelly Bean 4.3.

https://threatpost.com/five-year-old-android-flaw-exposes-sms-call-history/117873/

-- submitted from IRC

A five-year-old Android vulnerability disclosed today affects hundreds of different device models going back to Jelly Bean 4.3. Older devices are at the greatest risk; newer devices running Android with SE Android, the OS's implementation of Security Enhanced Linux, are at lesser risk.

The vulnerability allows attackers to escalate privileges on a device, leading to further attacks such as stealing SMS or call logs. Researchers at FireEye's Mandiant Red Team found the flaw, CVE-2016-2060, in Qualcomm software available from the Code Aurora Forum.

Qualcomm patched the affected software and moved a fix to OEMs in March. As with other Android patches, OEMs must push updates to devices. Mandiant cautions, however, that it's likely many devices will not be patched. The vulnerable APIs, for example, were found in a 2011 git repository, meaning that the code has been in circulation for five years and could be in an untold number of devices.
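The two facts the article says decide a device's exposure are its Android release and whether SE Android is enforcing. The script below is an added triage helper, not code from the Threatpost article, FireEye or Qualcomm: it reads those two facts in the text format that `adb shell getprop` and `adb shell getenforce` print and sorts the device into a risk tier. The tier boundaries (4.3 and later in scope, SELinux enforcing means reduced rather than full risk) are taken from the summary's wording only and are an assumption, as is the constructed sample output embedded so the script runs without a device.

```shell
#!/bin/sh
# Added triage helper; not code from the Threatpost article, FireEye or Qualcomm.
# Assumption (from the summary's wording only): Android 4.3 and later ship the
# affected Qualcomm code, and a device with SE Android in enforcing mode is at
# reduced rather than full risk. Device facts are read from the text that
# `adb shell getprop` and `adb shell getenforce` print; the sample output below
# is constructed so the script runs offline.

# release_from_getprop: read getprop output on stdin, print ro.build.version.release
release_from_getprop() {
    sed -n 's/^\[ro\.build\.version\.release]: \[\([^]]*\)]$/\1/p'
}

# classify_exposure RELEASE ENFORCE
# prints one of: not-affected | reduced | high | unknown
classify_exposure() {
    release=$1
    enforce=$2
    major=${release%%.*}
    if [ "$major" = "$release" ]; then
        minor=0                      # e.g. "5" has no minor component
    else
        rest=${release#*.}
        minor=${rest%%.*}            # "4.4.2" -> 4
    fi
    case "$major" in ''|*[!0-9]*) echo unknown; return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return 1 ;; esac
    # releases before 4.3 are outside the range the article names
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 3 ]; }; then
        echo not-affected
        return 0
    fi
    case "$enforce" in
        Enforcing) echo reduced ;;
        *)         echo high ;;      # Permissive, Disabled, or getenforce absent
    esac
}

# Constructed sample output, in the format getprop/getenforce print on a device.
SAMPLE_GETPROP='[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]
[ro.board.platform]: [msm8974]'
SAMPLE_GETENFORCE='Permissive'

# Against a connected device the same two values would come from:
#   rel=$(adb shell getprop | tr -d "\r" | release_from_getprop)
#   enf=$(adb shell getenforce | tr -d "\r")
rel=$(printf '%s\n' "$SAMPLE_GETPROP" | release_from_getprop)
printf 'release=%s selinux=%s exposure=%s\n' "$rel" "$SAMPLE_GETENFORCE" \
    "$(classify_exposure "$rel" "$SAMPLE_GETENFORCE")"
```

The `tr -d "\r"` in the usage comment matters on older adb builds, which emit CRLF line endings that would otherwise defeat the anchored `sed` pattern. A "reduced" result is not "patched": only the OEM's build date or the vendor's own advisory tells you whether Qualcomm's March fix actually reached the device.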



  • (Score: 3, Insightful) by jcross on Thursday May 05 2016, @05:31PM

    by jcross (4009) on Thursday May 05 2016, @05:31PM (#342126)

    This must be Google's brilliant strategy to avoid being sued by the FBI.

    • (Score: 0) by Anonymous Coward on Thursday May 05 2016, @05:56PM

      by Anonymous Coward on Thursday May 05 2016, @05:56PM (#342139)

      Your post makes me sad, because what you suggest is plausible :(

    • (Score: 2) by TheGratefulNet on Thursday May 05 2016, @06:26PM

      by TheGratefulNet (659) on Thursday May 05 2016, @06:26PM (#342154)

      interesting. I never thought of it that way.

      it actually makes sense, too, if you think about it. Google has enough manpower and money to fix all Android bugs. yet they abandon versions like there's no tomorrow.

      it can't be because they are unable to fix the bugs. it can't be because they have not enough people or funding. it HAS to be that they leave bugs in place for, ahem, their real masters.

      the more I think about it, the more I think this is the actual reason.

      I'm now even more depressed than I was when I woke up. damn.

      --
      "It is now safe to switch off your computer."
      • (Score: 2) by Scruffy Beard 2 on Thursday May 05 2016, @07:23PM

        by Scruffy Beard 2 (6030) on Thursday May 05 2016, @07:23PM (#342195)

        If it makes you feel any better, this can still be explained by incompetence.

        You see, the industry standard practice is Ad-hoc debugging: where you hammer away at the code until all of the obvious bugs are gone.

        The problem is that you know there are going to be bugs in the shipping product. You just hope they will be minor.

        I think I read somewhere that an estimated 150 people world-wide actually do formal software correctness proofs as part of their jobs. Even safety-critical software is not proven correct (nor run on redundant hardware).

    • (Score: 0) by Anonymous Coward on Saturday May 07 2016, @03:28AM

      by Anonymous Coward on Saturday May 07 2016, @03:28AM (#342794)

      no one has to be involved in any conspiracies for this, though i wouldn't put it past any of them.

      Just like Googlebot didn't support TLSv1.2 for 8 years. remember what the fix for BEAST was during that time? RC4! i'm sure the NSA couldn't possibly have had an exploit for that. At the same time Google was (theoretically) strong-arming the whole web for the NSA via Googlebot, they were acting so outraged about having their email intercepted by the same defenders of the civilized world that they were participating in PRISM with.

      This is just one of thousands of discovered but undisclosed and undiscovered bugs lurking in our beloved slave phones as a consequence of closed source firmware, software, baseband OS and the closed cell networks. Android is freer than the Elop'd Windows Nokia phones and the devil phones but that's nowhere near enough for people who think they are free human beings. Qualcomm is openly hostile to freedom and people need to wake up and start making it hard on these slave traders who peddle the chippery that goes in these pocket rats. Quit buying their new phones when they won't open them up or when OEMs won't put TI, Freescale, etc. chips in them. Until then buy old phones. they expect the new money. they will freak out with just the lightest resistance.

  • (Score: 3, Informative) by PizzaRollPlinkett on Thursday May 05 2016, @06:23PM

    by PizzaRollPlinkett (4512) on Thursday May 05 2016, @06:23PM (#342152)

    If you keep reading long enough, you get to: "To exploit the vulnerability, an attacker would need physical access to a vulnerable device, or would have to load the exploit onto an application and entice the user to download and execute it." They can go to Goodwill's electronics junk recycling center and get my old devices and have physical access.

    --
    (E-mail me if you want a pizza roll!)
  • (Score: 1, Insightful) by Anonymous Coward on Thursday May 05 2016, @06:25PM

    by Anonymous Coward on Thursday May 05 2016, @06:25PM (#342153)

    The single biggest reason that IOT should never be. Companies can't be bothered to maintain firmware for anything.

  • (Score: 3, Interesting) by bitstream on Thursday May 05 2016, @08:11PM

    by bitstream (6144) on Thursday May 05 2016, @08:11PM (#342211) Journal

    A bug has been working for 5 years and suddenly FireEye, which is vulnerable to "nice letters", discovers this bug. Same company that also has certification by the government. Not to be a conspiracy theorist, but it does seem like a convenient way to disclose bugs without any trace back to one's own front door.

    The patch circus of Android better start cleaning up. Release the driver source so the open source community can take over where the commercial entities obviously suck. The problem isn't really bad phones, but locked bootloader and closed source.

    • (Score: 2) by JNCF on Friday May 06 2016, @01:47AM

      by JNCF (4317) on Friday May 06 2016, @01:47AM (#342352) Journal

      Last I read, Cyanogen was trying to replace the proprietary drivers in their codebase and Google was voluntarily helping them. But they had (I suspect still have) proprietary drivers in their codebase. Whoops! It would be really interesting if Google required phone companies to make drivers open source. I wonder if a group of phone companies would distribute a rebranded version without the requirement.

      • (Score: 2) by bitstream on Friday May 06 2016, @01:21PM

        by bitstream (6144) on Friday May 06 2016, @01:21PM (#342542) Journal

        I doubt Google would do that. They could however sponsor people with equipment and food-and-rent-aid. Just removing the bootloader lock would be a big step forward.

        • (Score: 2) by JNCF on Friday May 06 2016, @04:43PM

          by JNCF (4317) on Friday May 06 2016, @04:43PM (#342614) Journal

          If memory serves correctly, not all Android devices have bootloader locks; it's something that the manufacturers put on. So it raises the same questions as open-sourcing firmware. I agree with your doubts, I don't think either restriction is likely to happen. They would be interesting scenarios to see play out.

          • (Score: 3, Informative) by bitstream on Friday May 06 2016, @07:20PM

            by bitstream (6144) on Friday May 06 2016, @07:20PM (#342677) Journal

            The Google Nexus phones don't have a bootloader lock. But they also cost a lot. There's always the nuclear option of decapping and scanning if the entities that want to overstep the moral boundaries do so. I have some vague memory of the SMM code in x86 processors having to be signed to be accepted. But if the code can be read.. the world is free to have a ride with the SMM.