posted by mrpg on Saturday May 22 2021, @09:59PM
from the Im-still-on-android-6 dept.

4 vulnerabilities under attack give hackers full control of Android devices:

Unknown hackers have been exploiting four Android vulnerabilities that allow the execution of malicious code that can take complete control of devices, Google warned on Wednesday.

All four of the vulnerabilities were disclosed two weeks ago in Google’s Android Security Bulletin for May. Google has released security updates to device manufacturers, who are then responsible for distributing the patches to users.

Google’s May 3 bulletin initially didn’t report that any of the roughly 50 vulnerabilities it covered were under active exploitation. On Wednesday, Google updated the advisory to say that there are “indications” that four of the vulnerabilities “may be under limited, targeted exploitation.” Maddie Stone, a member of Google’s Project Zero exploit research group, removed the ambiguity. She declared on Twitter that the “4 vulns were exploited in-the-wild” as zero-days.


  • (Score: 4, Insightful) by Runaway1956 on Saturday May 22 2021, @10:26PM (10 children)

    by Runaway1956 (2926) Subscriber Badge on Saturday May 22 2021, @10:26PM (#1137820) Homepage Journal

    Are there things you can do to lower your vulnerability? Things like,

    1. don't install random apps
    2. don't click on random links
    3. don't open email attachments and images
    4. use a spam service of some sort that will filter out scam emails
    5. don't open video links sent by random unknown persons
    6. don't accept 3rd party cookies
    7. turn off scripting

    Doesn't very much matter what the exploit is, it has to get to you, right? How does it get to you? Is it an exploit of the underlying technologies that make cell phones possible? If that is so, there's not much you, the end user, can do about it.

    Oh, wait!

    No actionable advice from Google

    There are no other details about the in-the-wild attacks. Google representatives didn’t respond to emails asking how users can tell if they’ve been targeted.

    Well, you're screwed!

    --
    Abortion is the number one killer of children in the United States.
    • (Score: 1, Insightful) by Anonymous Coward on Saturday May 22 2021, @11:26PM (2 children)

      by Anonymous Coward on Saturday May 22 2021, @11:26PM (#1137834)

      Mitigation: forcefully apply large hammer to Android phone, then enjoy a distraction-free life.

      • (Score: -1, Troll) by Anonymous Coward on Sunday May 23 2021, @12:36AM

        by Anonymous Coward on Sunday May 23 2021, @12:36AM (#1137856)

        Word on the street is that Apple gadgets now have "Made in China" laser-etched into their cases.

        Like, really? Paying a markup to brag about your shiny toy being assembled by slave labor in insect-land? The common consensus speaks: and so it be told, that migration shalleth be but a dead-end.

        Now, we all know Tim Apple is a Jew, and Jews are not loyal to any nation or tribe other than themselves. But should not that the bragging rights not lie within the lack or not of pride in one's own craftsmanship? Would that not or perhaps so elicit a distrust or not in one's own shiny product?

      • (Score: 3, Insightful) by driverless on Sunday May 23 2021, @11:34AM

        by driverless (4770) on Sunday May 23 2021, @11:34AM (#1137934)

        Mitigation: Forcefully apply large hammer to Android phone vendor to force them to update their firmware. The story is depressingly familiar: Google declares "a solution exists" and goes back to bed. All the phone vendors ignore it and push you to buy a new phone, which may or may not fix the problem. If not, buy yet another new phone and see if it's fixed then.

    • (Score: 2, Insightful) by SomeGuy on Sunday May 23 2021, @12:01AM (1 child)

      by SomeGuy (5632) on Sunday May 23 2021, @12:01AM (#1137849)

      1. don't install random apps
      2. don't click on random links
      3. don't open email attachments and images
      4. use a spam service of some sort that will filter out scam emails
      5. don't open video links sent by random unknown persons
      6. don't accept 3rd party cookies
      7. turn off scripting

      You expect teenage girls to do all of that?

      Might as well tell them to use a proper "telephone" with a cord.

      • (Score: 0) by Anonymous Coward on Monday May 24 2021, @03:42AM

        by Anonymous Coward on Monday May 24 2021, @03:42AM (#1138135)

        You expect teenage girls to do all of that?

        Of course not. I'm too busy cruising for them in my van.

    • (Score: 1, Insightful) by Anonymous Coward on Sunday May 23 2021, @12:19AM (1 child)

      by Anonymous Coward on Sunday May 23 2021, @12:19AM (#1137851)

      8. Buy an iPhone.

      • (Score: 1, Insightful) by Anonymous Coward on Sunday May 23 2021, @01:15AM

        by Anonymous Coward on Sunday May 23 2021, @01:15AM (#1137864)

        Have you looked at the iphone appstore recently? Apps squatting under every spelling variation, every app free to attract speculative downloads, but any desired functionality requires an additional in-app purchase.

        I am to the point where I'd be willing to put up with the hardships of a Linux phone just to be able to program it myself to do the things I want.

    • (Score: 2, Insightful) by Anonymous Coward on Sunday May 23 2021, @01:21AM

      by Anonymous Coward on Sunday May 23 2021, @01:21AM (#1137866)

      8) Don't use handheld devices to handle financial stuff.

    • (Score: 2) by inertnet on Sunday May 23 2021, @11:31AM

      by inertnet (4071) Subscriber Badge on Sunday May 23 2021, @11:31AM (#1137933) Journal

      Thousands of Android users in Europe have fallen victim to this. People get text messages like: "Your package has been delayed, click here for track & trace". I have seen one of those messages, but it was on an iPhone. In the news was that in Belgium these messages appeared to come from their post office.

    • (Score: 2) by Teckla on Sunday May 23 2021, @02:11PM

      by Teckla (3812) on Sunday May 23 2021, @02:11PM (#1137952)
      "Just follow these 8,192 best security practices! It's easy!"
  • (Score: 3, Funny) by Anonymous Coward on Saturday May 22 2021, @11:46PM

    by Anonymous Coward on Saturday May 22 2021, @11:46PM (#1137845)

    WITHIN THIS VALE

    OF TOIL AND SIN

    YOUR HEAD GROWS BALD

    BUT NOT YOUR CHIN

    Burma-Shave

  • (Score: 1, Insightful) by Anonymous Coward on Sunday May 23 2021, @12:54AM (3 children)

    by Anonymous Coward on Sunday May 23 2021, @12:54AM (#1137859)

    What about the android's Google vulnerability, eh?

    • (Score: -1, Troll) by Anonymous Coward on Sunday May 23 2021, @01:58AM (1 child)

      by Anonymous Coward on Sunday May 23 2021, @01:58AM (#1137869)

      Inserted by Jews. Just as they are doing with the Linux kernel. Nasty trannies destroying everything with the Jewish seal of approval. Disgusting hooknosed antisocial society-wrecking inbred pieces of shit covering up for their nasty rabbis committing in Jewish enclaves with their magical string-demarcated enclaves. There are two types of Jews, both equally disgusting: Judeo-globalists and entrenched Zionists.

      There is one easy way to solve America's problems. Round up all folks with >=40 percent Jewish admixture. Strip them of all domestic resources, then offer them mandatory reassignment into their choice of Ukraine, Russia, or Israel. Simultaneously withdraw all American presence and support for those three countries while repatriating the previously mentioned weasel shitbags. Sit back and let nature take it's course.

      • (Score: 0) by Anonymous Coward on Sunday May 23 2021, @04:12AM

        by Anonymous Coward on Sunday May 23 2021, @04:12AM (#1137889)

        Go home, Adolf, you're drunk.

    • (Score: 2) by bzipitidoo on Sunday May 23 2021, @04:55AM

      by bzipitidoo (4388) Subscriber Badge on Sunday May 23 2021, @04:55AM (#1137893) Journal

      Yeah, who is the bigger threat, the big monopoly, or the criminal hackers?

  • (Score: 4, Informative) by Rich on Sunday May 23 2021, @09:57AM (5 children)

    by Rich (945) on Sunday May 23 2021, @09:57AM (#1137925) Journal

    The submission could have had some more details: CVE-2021-1905, CVE-2021-1906, CVE-2021-28663, CVE-2021-28664 are all local root exploits via GPU.

    No worries. These are not "bugs", but features that actually can give you control over the device you own :)

    Also, it shows once more how closed-source system software that has to be finished to a schedule rips up gaping holes. (And I re-iterate here that I think that larger interested organizations have static or even hybrid checkers for instantly identifying such holes in shipped code. Think a mix of "Coverity" and "Valgrind", but for binaries.)

    • (Score: 3, Interesting) by FatPhil on Sunday May 23 2021, @12:59PM (3 children)

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Sunday May 23 2021, @12:59PM (#1137940) Homepage
      A wide range of simple mitigations have existed in the linux kernel for ages. They've just required a willingness to abide by a principle of least permission - giving apps that have no good reason to access dangerous facilities no access to such facilities. Even credentials can do most of what's required - don't even give anything but a minimal trusted whitelist (containing very little apart from init) of system applications access to the setuid/setgid syscall, for example. You can easily make root an almost-unprivileged account, if you strip it of any credentials, so even a "root exploit" can be mostly defanged. Root is not the most powerful state in linux, running as the kernel is; a lot of people forget that, and get scared by the concept of "gaining root"; it doesn't need to be that way.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
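
An added example, not part of the comment above: a small audit of how privileged a uid-0 process really is, assuming the "credentials" the comment refers to correspond to Linux capabilities as exposed in `/proc/<pid>/status`. The status excerpts are constructed and the `HIGH_RISK` list is a hypothetical review policy.

```python
# Added example. The status excerpts are constructed, not captured from a device.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()  # list index == capability bit number in linux/capability.h

# Hypothetical review policy: capabilities that hand back near-kernel reach.
HIGH_RISK = {"SETUID", "SETGID", "SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO",
             "SYS_PTRACE", "MKNOD", "DAC_OVERRIDE"}

def decode(hex_mask):
    """Turn a CapEff/CapBnd hex mask into a sorted list of capability names."""
    mask = int(hex_mask, 16)
    return sorted(n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1)

def audit(status_text):
    """Summarise one process from the text of its /proc/<pid>/status."""
    f = dict(line.split(":", 1) for line in status_text.strip().splitlines())
    f = {k.strip(): v.strip() for k, v in f.items()}
    eff, bnd = set(decode(f["CapEff"])), set(decode(f["CapBnd"]))
    return {
        "name": f["Name"],
        "euid": int(f["Uid"].split()[1]),  # fields: real, effective, saved, fs
        "effective": sorted(eff),
        "high_risk_now": sorted(HIGH_RISK & eff),
        # The bounding set limits what a later execve() can hand back to root.
        "high_risk_regainable": sorted(HIGH_RISK & (bnd - eff)),
    }

# Constructed samples: classic root, root with only one capability left,
# and root that cleared CapEff but kept a full bounding set.
FULL_ROOT = ("Name:\tfull_root\nUid:\t0\t0\t0\t0\n"
             "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n")
STRIPPED_ROOT = ("Name:\tstripped_root\nUid:\t0\t0\t0\t0\n"
                 "CapEff:\t0000000000000400\nCapBnd:\t0000000000000400\n")
EFF_ONLY = ("Name:\teff_only\nUid:\t0\t0\t0\t0\n"
            "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n")

if __name__ == "__main__":
    for sample in (FULL_ROOT, STRIPPED_ROOT, EFF_ONLY):
        print(audit(sample))
```

The third sample is the case to watch for in a review: the process looks unprivileged right now, but its bounding set still permits every high-risk capability.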
      • (Score: 4, Insightful) by Rich on Sunday May 23 2021, @03:25PM (2 children)

        by Rich (945) on Sunday May 23 2021, @03:25PM (#1137961) Journal

        I'd expect from root that it can access /proc/mem - which equals kernel level. Juggling things until root can't even 'mknod' that anymore is a perversion. However, there is no reason (among the Unices) that root is the "administrative" account of a system. The system could as well have an "admin" account that is member of all groups and has the right to do nearly everything - except for messing up the system. That would be what Apple does with the SIP, done right.

        Getting political, the deeper cause for all the "distortions in logic" we see, is that the systemic need for eternal corporate growth leads to efforts to take away the power of general computation from the masses to convert those from owners to subscribers which can be increasingly milked, because there is no real new tangible stuff to be sold. The whole "right to repair" debate is really about that, too.

        • (Score: 3, Interesting) by FatPhil on Sunday May 23 2021, @09:57PM (1 child)

          by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Sunday May 23 2021, @09:57PM (#1138045) Homepage
          Yup, good point. Shared memory is always a potential victim of the least insecure entity with access. C.f. firewire DMA hacks from a decade back. Of course, there are iommu protection schemes available too to mitigate against that. Other processors have peripheral DMA processors that have to be preprogrammed (flashed from signed code) with the only transfers they are permitted to do (e.g. "deinterleave a CIF-sized YUV buffer from X to Y", that being memory reserved only for graphics buffers), which prevents a lot of attacks. Of course, this makes your hardware platform less "general purpose", and restricts your freedoms as system vendors (e.g. you won't be able to allow 3rd party graphics-intensive games - and therefore won't sell any units!). But as you say it's not that they really wanted to provide *you* with a general purpose computing platform anyway.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 3, Interesting) by Rich on Sunday May 23 2021, @11:21PM

            by Rich (945) on Sunday May 23 2021, @11:21PM (#1138070) Journal

            Indeed. Although IMO the existence of IOMMUs is also more about control grab than actual security. There might be fringe use cases like a public photo printing station, but in general it would be sufficient to have a few software checks that the machine is authorized (e.g. its owner nearby) at plug time and/or not design protocols that act like an open PCI bus when adversary plugs can be expected. And even these cases could be fortified by a simple mechanical slider, lockable, or with a switch that locks the system if opened unauthorized (like all server cases have a "tamper" switch).

            As an addendum to my original post and your notes on shared memory, the sin that put Red Hat on my "evil" list was that they wanted to strip /proc/mem and unsigned modules from their signed kernel. There certainly was a backroom agreement they had with Microsoft in a ploy to gain exclusivity and exclusive control over all the juicy DRM deals. It's a disgrace for the "community" that they try to expel autists for their traits of being unPC (not that RMS was useful lately...), rather than booting out people like mjg who organizes the technicalities behind all that. I wouldn't be surprised if that guy signed the anti-RMS-note as part of a larger plan to get control of the FSF and write an "improved" 'later version' of the GPL to be inclusive of "social justice" and "rewards and protections for innovating corporations".

    • (Score: 3, Interesting) by fraxinus-tree on Sunday May 23 2021, @03:51PM

      by fraxinus-tree (5590) on Sunday May 23 2021, @03:51PM (#1137963)

      I was just going to ask the same - does it mean that we have new ways of rooting / bootloader unlocking? If yes, I am all for it.

  • (Score: 1) by HammeredGlass on Sunday May 23 2021, @02:05PM

    by HammeredGlass (12241) on Sunday May 23 2021, @02:05PM (#1137950)

    I miss the xda days of rooting my phone with relative ease, and even more I miss the days of Windows Mobile 6.5 and earlier with the wide open dev market to do whatever you wanted.

  • (Score: 1, Interesting) by Anonymous Coward on Sunday May 23 2021, @04:06PM

    by Anonymous Coward on Sunday May 23 2021, @04:06PM (#1137967)

    and your "right to repair" consists in ... buying a new phone.
    "sir, we are running low on profits for the shareholder and our bonds look lackluster.."
    boss pulls open a drawer, rummages around and pulls out some paper.
    "well here, take these 'em code print outs and "accidentally" drop them off somewhere."
    ...

  • (Score: 0) by Anonymous Coward on Monday May 24 2021, @04:12PM

    by Anonymous Coward on Monday May 24 2021, @04:12PM (#1138245)

    If they're known and have distributed fixes - they are not zero days. A zero day bug is one that's being exploited before it's fixed - i.e. it's only discovered by the white hat community by the discovery of an exploit exploiting it. These have a published patch, put the torch to the manufacturers for turning a 20+-day bug into a 0-day since they can't push patches out.
