SoylentNews is people

posted by CoolHand on Thursday May 05 2016, @04:52PM
from the well-thought-out-OS dept.

A five-year-old privilege escalation vulnerability in Android disclosed today affects hundreds of different device models going back to Jelly Bean 4.3.

https://threatpost.com/five-year-old-android-flaw-exposes-sms-call-history/117873/

-- submitted from IRC

A five-year-old Android vulnerability disclosed today affects hundreds of different device models going back to Jelly Bean 4.3. Older devices are at the greatest risk; newer devices running Android with SE Android, the OS' implementation of Security Enhanced Linux, are at a lesser risk.

The vulnerability allows attackers to escalate privileges on a device, leading to further attacks such as stealing SMS or call logs. Researchers at FireEye's Mandiant Red Team found the flaw, CVE-2016-2060, in Qualcomm software available from the Code Aurora Forum.

Qualcomm patched the affected software and moved a fix to OEMs in March. As with other Android patches, OEMs must push updates to devices. Mandiant cautions, however, that it's likely many devices will not be patched. The vulnerable APIs, for example, were found in a 2011 git repository, meaning that the code has been in circulation for five years and could be in an untold number of devices.


  • (Score: 2) by JNCF on Friday May 06 2016, @04:43PM

    If memory serves correctly, not all Android devices have bootloader locks; it's something that the manufacturers put on. So it raises the same questions as open-sourcing firmware. I agree with your doubts; I don't think either restriction is likely to happen. They would be interesting scenarios to see play out.

  • (Score: 3, Informative) by bitstream on Friday May 06 2016, @07:20PM

    The Google Nexus phones don't have a bootloader lock. But they also cost a lot. There's always the nuclear option of decapping and scanning if the entities that are want to overstep the moral boundaries. I have some vague memory of the SMM code in x86 processors having to be signed to be accepted. But if the code can be read... the world is free to have a ride with the SMM.