Jay Freeman, aka @saurik, has detailed another Zip implementation bug in pre-4.4 (Kit Kat) versions of Android which, similarly to the notorious APK vulnerability exposed earlier this year, opens a hole that malware can sneak through. Freeman – whose previous credentials include security analysis of Google Glass and uncovering …
So the majority of Android users who will not be able to upgrade will still be at risk?
Solution, buy a new phone.
Yes, much like any operating system. Install something from an untrusted source and get malware.
Solution, don't install from untrusted sources.
It's also really easy to scan for this attack vector in the Google Play store, so the only people at risk are retards that "shop" for warez outside of the Google Play store.
Solution: Shop on Google Play.
Re: Easy fix.
You do realise that there are repositories of legitimate Android apps other than the Play store, don't you? - or perhaps not.
This isn't an Apple-like situation, where there is only one source allowed - downloading apps from somewhere other than Play doesn't automatically place an individual in the "retards that "shop" for warez" category.
I've just had a look at CyanogenMod – they pulled the fix in just yesterday. Here's the commit for the 10.2 branch.
I fully expect that they're not the only ones to have pulled it in.
bug vs. feature
This Android bug is a feature on Windows OS. There has been no mandatory authenticity verification on MS Windows for all these past and current years.
What, ANOTHER zip bug?
Zip seems to be Google's Achilles heel for programming in the same way daylight savings is for Apple!