The security researcher who last year sucked thousands of IDs out of Apple's Developer Centre site has turned his gaze onto Android and turned up a bug that Trend Micro says is exploitable. According to Ibrahim Balic, the bug causes memory corruption on Android 4.2.2 , 4.3 and 2.3 at least, but he suspects all Android versions …
"the bug crashed Google's Bouncer"
"Google has been notified of the issue."
I should say so...
If you want to load untrusted software
on any computing device, there is always the potential for problems. Obviously instead of the proliferation of adware, etc. the Android ecosystem needs to grow up; with repositories either run by entities that can be held legally liable for their wares, or opensource with active community oversight and trusted signatures.
" If the attacker were to create malware that auto-started on power-up, the user's only option would be to completely wipe the device via a boot loader recovery."
Isn't it possible to boot with a known good image, then mount the bad partition and fix it. This is pretty normal when the boot system gets screwed, or to repair a damaged filesystem, etc. Or the bad filesystm/SD card could be removed an mounted on a PC, where the offending configuration can be edited -- that's what I do when playing with my tablets.
I thought one of the points of Java was that such string overflows shouldn't be possible?
The price of freedom
Android gives you the right to install unsigned 3rd party apps without jailbreaking and rooting the device. IMO this is much safer than the Apple approach, that forces you to effectively jailbreak and root the device, if you want to install anything they don't like you to have. (Like emulators, UI tweaks, Wifi scanners or other evil things).
Of course that doesn't mean you are always 100% protected. No security system is ever 100% safe. Stick to official appstores like Google's playstore or the Amazon Appshop, and you can be reasonably sure, you are safe, download dodgy apps from warezsites and live with the consequences.
I guess they didn't feel the need to bother doing any bounds checking since XML code doesn't use fixed sized buffers? How's that working out for ya?
Re: 387,000 characters?
They obviously never employed little Bobby Tables:
"...to brick the target ... the user's only option would be to completely wipe the device via a boot loader recovery."
So not bricked at all then. If it were bricked, even the bootloader would be broken.
If it is just causing a crash during bootup, then it may even be possible to uninstall the offending app via ADB in between reboots, if you timed it right.
Amusing bug though.
If you've enabled ADB......
However, I'm struggling to see the point of this exploit. Yes, it can cause your phone to endlessly reboot, but that isn't going to make money for the hacker is it? It's also relatively easy to fix by wiping the device from recovery - ok, so you'll lose your data, but we're all backing our data up these days aren't we? ;) (Helium backup FTW!)
The "point" for some is just to cause discomfort for people. Imagine the vuln packaged in an app someone can use to brick their ex's phone.
And yes, requiring a restore from the bootloader is "bricked" from the point of view of 98% of the userbase.
Yet only IOS accepts a low level payload
IOS runs low level code so any crash there is usually many times more exploitable.
So the news worthiness of possible Android exploits is for whos benefit?
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Review Tough Banana Pi: a Raspberry Pi for colour-blind diehards
- Product round-up Ten Mac freeware apps for your new Apple baby
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'