This kind of headline leaves me with a smug smile on my face.......
THREE QUARTERS of Android mobes open to web page spy bug
A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a user's open websites. The exploit targets vulnerability (CVE-2014-6041) in Android versions 4.2.1 and below and was disclosed without fanfare on 1 September, but had since gathered dust, …
COMMENTS
Tuesday 16th September 2014 08:04 GMT TonyHoyle
1. AOSP has not been killed off, and I've never heard anyone suggest that it would be. They're talking about the AOSP *browser* which has been replaced by Chrome.
2. 4.2.1 is not 75% of phones. The entire 4.2.x series is only 20%, and 4.2.2 would be the majority of that - and 4.2.2 was released 18 months ago. Note the CVE relates specifically to 4.2.1. You can't even get close to 75% by adding all the previous versions together (which would be bogus anyway unless you could prove it existed right back to froyo/gingerbread).
So the bug exists in a small % of old phones. Other than saying 'time to upgrade', what are people expected to do?
Tuesday 16th September 2014 09:50 GMT Haku
I can't actually remember the last time I purposely used the Android Browser
Mainly because I prefer Firefox, as there's AdBlock for it as well as being able to change the User Agent to view desktop versions of websites.
But there are one or two websites I've visited that will only ever display the mobile version, which I detest; despite changing the user agent in FF and selecting the "Request desktop version" option, there appears to be no way to make FF only ever display desktop versions of websites.
Tuesday 16th September 2014 21:52 GMT BristolBachelor
Re: I can't actually remember the last time I purposely used the Android Browser
With the stock Android browser, you can get into an extra settings page and set any user-agent that you want, including NCSA Mosaic. Sorry, from here I can't remember how, but ISTR you enter a specific non-URL string and then select something weird in settings or some such.
I actually run Firefox because I also run it on one of my boxes, so I have access to open tabs and bookmarks. However, it doesn't do a good job with the "request desktop site" imho.
Tuesday 16th September 2014 11:42 GMT Charlie Clark
Terrible article
To borrow a neologism from Portlandia: Mr Pauli seems to be a "linkalist", and a bad one at that. Even based on the page he linked to, 4.2.x has a distribution of 20%. The article claims the exploit targets 4.2.1, but I suspect it might also work on earlier versions, too. Whatever; a journalist might research this, a linkalist just adds something racy to the headline. Obviously confusing Jelly Bean with KitKat doesn't matter.
It's a pity because adding value would be easy: alternative stats could be obtained from The Register's own statistics which would add credence to or detract from the numbers quoted; and a demonstration page could be set up for users to test, or linked to assuming someone else has already done this.
@El Reg can we start blacklisting some of the more futtocky linkalists you have? It's nice to be able to avoid the crap if possible.
Tuesday 16th September 2014 22:18 GMT wdmot
Re: Terrible article
Charlie and TonyHoyle, I think the 75% figure comes from a few things: the sentence on Rafay's site under "Affected Versions" says "The initial tests were carried out on android browser 4.2.1 (Qmobile) and below"; the "update" on the same site says "Other folks have verified this issue to work under Android browser < 4.4" (presumably meaning 4.3 and earlier); and the androidcentral stat that 24.5% of Android phones are running 4.4.x (or, adding up all the prior versions -> 75.5%). I think the key bit of info that is still unclear is whether the bug existed prior to 4.2.1, as Rafay isn't clear about what "and below" means (did he test at least version 2.2?).
If there's an easy way to test, I could do so with my version 2.1 which Sprint will never update...
Tuesday 16th September 2014 13:56 GMT dotdavid
Re: Remind me again why Android's crappy update system is good?
Google are moving away from the AOSP Browser towards bundling Chrome Mobile on their Nexus handsets, which of course is updateable via Google Play. The other alternative would be to release an update package to the AOSP Browser in the Play Store like they do for the News and Weather app.
Of course they're not doing the latter and the former isn't much help to those with this security problem.
Tuesday 16th September 2014 13:50 GMT Argh
Re: Remind me again why Android's crappy update system is good?
The majority of phones I've seen ship Chrome, which will auto-update happily.
Some phones (particularly older ones) ship an AOSP based browser, usually also customised by the phone manufacturer, which has this issue.
Android does allow such applications to be updated in the Play store, and some manufacturers have started to do this, e.g. manufacturers putting cameras, etc. in the Play store so they can be updated easily. Unfortunately, this has only started to happen fairly recently and I haven't yet seen a manufacturer customised browser updated via the store.
So -- it's not an Android issue, it's a manufacturer issue that reflects badly on Android.
Thursday 18th September 2014 14:56 GMT BleedinObvious
TWO-THIRDS not THREE-QUARTERS
If you exclude 4.4 it's three-quarters, but if you correctly exclude both 4.3 & 4.4, it's two-thirds.
Mind you, I'd be interested in whether Google plans to release a browser fix for 2.3 upwards (98.7%) via its Google Play Services versions-are-irrelevant system updater launched late last year.
http://www.trustedreviews.com/opinions/why-google-play-services-is-more-important-than-the-nexus-5