Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Old Apache Code At Root of Android FakeID Mess

Soulskill posted about 3 months ago | from the write-once-run-anywhere dept.

Android 127

chicksdaddy writes: A four-year-old vulnerability in an open source component that is a critical part of Android leaves hundreds of millions of mobile devices susceptible to silent malware infections. The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox. The vulnerability was found in a package installer in affected versions of Android. The installer doesn't attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes, "an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim."

The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.

cancel ×

127 comments

Sorry! There are no comments related to the filter you selected.

Thankfully those will be patched right in a jiffy! (2, Insightful)

Anonymous Coward | about 3 months ago | (#47562059)

Phew, good thing Android is open source and these vulnerabilities will be patched right away be all those "for profit" companies, who wouldn't want their users to get angry!

Giggity [youtube.com]

Re:Thankfully those will be patched right in a jif (5, Informative)

ShaunC (203807) | about 3 months ago | (#47562105)

The patch already exists [phandroid.com] , now it's up to our cell carriers to distribute it.

Re:Thankfully those will be patched right in a jif (5, Informative)

mightypenguin (593397) | about 3 months ago | (#47562203)

Actually the patch is already distributed without any manufacturer intervention required. http://www.osnews.com/story/27... [osnews.com]

Re:Thankfully those will be patched right in a jif (0, Troll)

Rosyna (80334) | about 3 months ago | (#47562265)

This only works if the exploit isn't hidden in some way.

If "Verify Apps" worked as good as some claim, 10% of the Google Play store wouldn't be malware. It'd be a much, much smaller number.

How can Java code be "native code"? (0)

Anonymous Coward | about 3 months ago | (#47562347)

The summary says "native Android libraries that are based on Harmony code" but that confuses me a lot. Harmony is Java code, right? And Java is not native code, right? Java runs on a VM, right? So how can it be a native library if it's written in Java? Doesn't a native library have to be written in C or C++ or assembly or some other lang that gets compiled down to native machine code? How can Java code be native code?

Re:How can Java code be "native code"? (1)

Anonymous Coward | about 3 months ago | (#47562415)

It's the Java runtime. It allows other programs written in Java to run. It is not Java itself.

Re:How can Java code be "native code"? (1)

devman (1163205) | about 3 months ago | (#47562795)

Many parts of the Java runtime environment are written in Java.

Re:How can Java code be "native code"? (1)

devman (1163205) | about 3 months ago | (#47562793)

Native as in "comes with the OS", not as in "compiled to machine code". It is confusing, but that is what I make of it.

Re:Thankfully those will be patched right in a jif (4, Insightful)

Anonymous Coward | about 3 months ago | (#47562365)

10% of the Google Play store wouldn't be malware.

It's not. That claim was typical hyperbole by an AV vendor desperately trying to find a market to sell their snake oil in now that Windows is in decline. The report they used even showed the Google Play Movies application as malware... They've since backed off the claim, but of course the mud (as intended) still sticks.

http://www.techrepublic.com/ar... [techrepublic.com]

Re:Thankfully those will be patched right in a jif (1, Flamebait)

Rosyna (80334) | about 3 months ago | (#47562485)

I only said 10%, not 70% or any of the other high numbers in the July 2014 trend micro report.

Re:Thankfully those will be patched right in a jif (5, Informative)

Anonymous Coward | about 3 months ago | (#47562741)

I only said 10%,

Then where does the 10% claim come from?

Oh right - it was made up by AV vendors trying to scare peopple into buying their products.

Unless you’ve had your head under a rock you’ll have noticed the latter is fast becoming the weapon of choice for Google’s rivals in attempting to curtail the former. On paper it should. Android malware rose from 238 threats in 2012 to 804 new threats in 2013. What was the combined total of new threats for Apple iOS, BlackBerry OS and Microsoft Windows Phone in that time? Zero. The remaining 3% came from Nokia’s axed Symbian platform.

All of which poses a very valid question: how do you stay safe on Android? Perhaps surprisingly the answer is: easily. Why? Because here’s the part Google’s rivals don’t want you to know: the figures are misleading.

Let’s be clear. From a statistical viewpoint researcher and security specialist F-Secure got them right. Android does account for 97% of all mobile malware, but it comes from small, unregulated third party app stores predominantly in the Middle East and Asia. By contrast the percentage of apps carrying malware on Google’s official Play Store was found to be just 0.1%

http://www.forbes.com/sites/go... [forbes.com]

So that one's busted. Anything else you'd like to sell?

Re:Thankfully those will be patched right in a jif (2)

AmiMoJo (196126) | about 3 months ago | (#47563999)

Only 804 new threats a year? That shows remarkable constraint. I remember a few years ago they were claiming around 50,000 new viruses per day for Windows. Presumably they were counting every slight morphing of a given virus as a new, unique strain.

Re:Thankfully those will be patched right in a jif (3, Informative)

DrXym (126579) | about 3 months ago | (#47564233)

I bet virtually all malware on Android originates not from the official store but from idiots downloading and install apks from the wild or some dodgy Chinese app store - "this cracked Candy Crush says it needs access to make calls, send & receive SMS messages, access to my contacts, my Google accounts and email but I really want to play so I'm going to click through this obvious red flag and wonder later why my phone is calling premium numbers in Ouagadougou at 3am and why I have 10 missed calls from Visa loss prevention".

I'm pretty certain Google has systems in place (as well as an after the fact kill function) to eradicate malicious apps that find their way onto the app store. Doubtless there are some there but they're background noise.

Re:Thankfully those will be patched right in a jif (-1, Flamebait)

BasilBrush (643681) | about 3 months ago | (#47564373)

So in practice Android has a single store just like Apple? Unless you're an idiot?

Re:Thankfully those will be patched right in a jif (4, Informative)

DrXym (126579) | about 3 months ago | (#47564415)

In practice Android has several reputable stores - Google & Amazon Appstore and there is a second tier of stores which some standard of validation / vetting Samsung Apps, GetJar, F-droid, Appslib, SlideME etc.

At the end of the day, android gives users the freedom to choose where they get apps from. But freedom implies the freedom to do stupid things. It won't stop a user installing warez if they want, but if they get owned it's their own damned fault. Not much different from what happens on a PC or Mac really.

That said I don't think Android does enough to protect users from malicious or rogue apps, e.g. allowing the device to deny a permission to the app even if it claims to need it. Cyanogenmod demonstrates it can be added, but Google haven't seen fit to provide that functionality in the stock android code.

Re:Thankfully those will be patched right in a jif (0)

Anonymous Coward | about 3 months ago | (#47563549)

So what you're saying is, Verify Apps works?

Even if we were to accept your 10% number, there's a gigantic difference between verifying a certificate chain and verifying an executable program.

Not so fast. (1)

thieh (3654731) | about 3 months ago | (#47562299)

There are craploads of devices discontinued by the manufacturers. Are they covered by the patch?

Re:Not so fast. (0)

Anonymous Coward | about 3 months ago | (#47562517)

There are craploads of discontinued manufacturers. Are they covered by the patch?

Re:Not so fast. (0)

Anonymous Coward | about 3 months ago | (#47562903)

If the device runs 2.3 or higher, it has access to Google's own malware scanning facilities, which are programmed to uninstall any application which has an invalid cert chain.

Re:Thankfully those will be patched right in a jif (1)

trparky (846769) | about 3 months ago | (#47562229)

Couldn't this be patched as part of an update to the Google Services Framework? From what I understand, Google controls the Google Services Framework and can push updates even to phones/devices that haven't been updated by their network provider.

Re:Thankfully those will be patched right in a jif (3, Insightful)

Anonymous Coward | about 3 months ago | (#47563099)

Couldn't this be patched as part of an update to the Google Services Framework?

It is and has been.

There is close to zero chance that anyone will be affected by this "Android mess". It's a beat up.

Re:Thankfully those will be patched right in a jif (2)

CastrTroy (595695) | about 3 months ago | (#47562251)

This is why I have a big problem with Android. The carriers have nothing to do with manufacturing or maintaining the phone. Why should they have anything to do with the update process. Updates should come straight from the manufacturer, and carriers should not have their own custom firmware. Or even better, all updates should come straight from Google. The only customizations at the manufacturer level should be applications which can be reinstalled (or uninstalled) at the customer's discretion. Apple does it, Windows phone does it. Why can't Android do the same thing.

Re:Thankfully those will be patched right in a jif (0)

Anonymous Coward | about 3 months ago | (#47562315)

Sticking with Nexus devices gets you close to the Apple model. Carriers still push the updates, but my Nexus 5 (and the 4 before it) receives very quick carrier updates (within a day, 2 at most) on AT&T and Sprint. Not as seamless and my wife's iPhone, but close enough for me.

Re:Thankfully those will be patched right in a jif (0)

Anonymous Coward | about 3 months ago | (#47562951)

Not as seamless and my wife's iPhone, but close enough for me.

Which just goes to prove that women really are smarter than men.

Re:Thankfully those will be patched right in a jif (0)

Anonymous Coward | about 3 months ago | (#47563833)

Not as seamless and my wife's iPhone, but close enough for me.

Which just goes to prove that women really are smarter than men.

No, *his wife* has the iPhone...

Re:Thankfully those will be patched right in a jif (1)

BorgDrone (64343) | about 3 months ago | (#47564329)

Not as seamless and my wife's iPhone, but close enough for me

And not as long either, Google only provides updates for 18 months. If you buy a phone on a 2 year contract (as many people do) and you get the new Nexus the day it is released, you still have 6 months in which you will not receive (security) updates.

Completely unacceptable.

Re:Thankfully those will be patched right in a jif (0)

Anonymous Coward | about 3 months ago | (#47562363)

Why can't Android do the same thing.

It can, but the carriers and the manufacturers have decided to "enhance" the Android experience. They believe their "value add" software gives them a competitive advantage. Blame greed (it is always about the money).

Re:Thankfully those will be patched right in a jif (0)

Anonymous Coward | about 3 months ago | (#47562369)

Because you are the product with Android. That includes the carrier making a cut from the software on your phone. This means that carriers have to be able to ensure their crapware work with your handset.

Re:Thankfully those will be patched right in a jif (0)

Anonymous Coward | about 3 months ago | (#47562539)

Why can't Android do the same thing.

Literally, because Google doesn't care.

They want eyeballs. This is how you get eyeballs. Cheap, carrier modified devices will always be pushed by the carriers.

Re:Thankfully those will be patched right in a jif (0)

Anonymous Coward | about 3 months ago | (#47562933)

Because Android jumped onto the market primarily by being two things:

1. Hey, manufacturers that aren't Apple! You can sell a modern smartphone platform!
2. Hey, carriers that aren't AT&T! You can sell a modern smartphone platform!

The whole point was that manufacturers and carriers were free to do whatever the hell they wanted so long as they followed Google's certification guidelines. They've tightened up a slight bit since then, you can't release new devices on 2.x anymore, and they somehow got Samsung to stop modding the hell out of Android all the time. But the underlying idea behind Android was for Google to get a foot in the door for mobile by basically giving away a smartphone platform, and they could get access to it's app store by just making sure that Google everything was preinstalled on the phone.

They're moving away from this. The new Android platforms they announced at I/O this year (TV, smartwatches, and automotive) have much stricter limitations on what the manufacturer is allowed to put on the device. And all of them tether to the phone rather than having a mobile radio in them directly so carriers have zero say as to what goes on in them either.

Re:Thankfully those will be patched right in a jif (0)

Anonymous Coward | about 3 months ago | (#47562507)

Ok. So how do I patch my system without doing an OS upgrade. I don't want to upgrade because then I get all of Google's other malware additions.

Play Services (3, Informative)

Namarrgon (105036) | about 3 months ago | (#47562583)

If you have any of Google's apps installed, you'll also have Play Services installed - and this has already been updated to detect attempts to use the specific vulnerable certificates involved. If you only get your apps from the Play Store, you're fine, as they've already all been scanned (and no exploit attempts detected). Even if you sideload, so long as you left the Verify Apps checkbox on (default setting), then Play Services will scan any sideloaded apps too (no exploit attempts have been detected that way either).

While the vulnerability is a serious one, it's not something that will concern the vast majority of Google's Android users. It's probably a lot more significant for companies like Amazon, who will have to develop their own response, and (inevitably) for all those millions of Chinese users of generic non-Google Android derivatives.

passive scan isn't perfect (1)

dutchwhizzman (817898) | about 3 months ago | (#47563747)

This doesn't fix the underlying vulnerability; it merely scans for known ways to exploit it. I'm sure some clever people will find a way to thwart these scans and exploit the vulnerability, unless it gets fixed.

The only way this sort of thing can be taken care of is if Google or some governments in countries with a large market share will mandate vendors of phones or their manufacturers to provide security updates for devices for at least the duration of the contract, but preferably for the expected life of the device. Devices tend to keep working for three or four years, so that way Android users would get a similar security experience as iOS users.

Re:Thankfully those will be patched right in a jif (2)

Miamicanes (730264) | about 3 months ago | (#47562723)

Find a popular ROM at XDA derived from whatever version you want to stick with and flash it (with a compatible kernel) to your phone.

Until you have a few months of reflashing experience, DO NOT attempt to flash any ROM that requires repartitioning the flash, and don't ask the recovery manager to wipe /system unless you really know what can happen & have a plan for dealing with it. This goes DOUBLE for anybody with a Samsung Galaxy S3.

Long story short: the eMMC is kind of like a SSD controller, and there are MAJOR known bugs (and plenty of poorly-understood ones, too) in the firmware. Basically, it's as if you tried to use Linux to create a new filesystem, but a bug caused it to just make all the old directories owned by some undefined user with impossible permissions instead... and do it in a way that made the drive initially LOOK reformatted, but spontaneously resurrect those corrupted files as more and more writes occurred.

Now for the bad news (if you have a Galaxy S3) -- the eMMC firmware installed with stock roms older than 4.3 is dangerously buggy with AOSP-derived ROMs, and getting rid of enough of those bugs to semi-safely do wholesale repartitioning almost requires installing a stock-derived (but hacked so it doesn't enforce Knox) ROM first to get the eMMC firmware updated. More confusingly, the eMMC firmware is part of the radio modem firmware, even though it doesn't really have anything to do with the radio modem itself. So, if you're running a 4.1 stock ROM and want to install a 4.1 AOSP-derived ROM, tread VERY carefully, and pay special attention to any warnings at XDA that involve the word "eMMC".

Re:Thankfully those will be patched right in a jif (5, Interesting)

thesupraman (179040) | about 3 months ago | (#47562655)

Not just that.. its already reasonably moot.

http://www.osnews.com/story/27868/Another_day_another_sensationalist_unfounded_security_story
"First, a patch been sent to OEMs and AOSP, but with Android's abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed"

Google reacted to this disclosure rapidly and well.
Of course such a vulnerability would probably never be FOUND in iOS or WinPhone, since they are closed source, and almost certainly never disclosed if it was.

Just update your play store, and you are safe unless you are sideloading (never a great idea)
If you are sideloading then if you leave verify apps on, its also no problem.

Google are also scanning all apps on Google Play to check no one has been trying this.

Yawn, another google/Android beatup trying to wag the dog. Not hard to guess where the spin is originating.

What about towelroot? (0)

Anonymous Coward | about 3 months ago | (#47562939)

Despite the rooting fun, [towelroot.com] what happens when hostile apps start using root to sidestep Android security? Can Google screen and block the use of a Linux system call?

Re:Thankfully those will be patched right in a jif (0)

Anonymous Coward | about 3 months ago | (#47563399)

You are unbelievable!

Every security vulnerability in closed source you treat as proof that closed source is bad. Every security vulnerability in open source you treat as proof that open source is good because it was discovered. Oh, and those open source vulnerabilities are all moot, spin, and no problem.

You are seeing what you want to see and suffer from a terminal case of confirmation bias. I've never seen, NEVER, any statistically compelling evidence that open source is superior to closed. Not for security and not for bugs generally.

Do you think that all those Microsoft patches, thousands of them to date, were not "discovered"? That their closed source origins meant that they were not patched? What planet are you on?

Fix your bugs. Get on with doing your work and protect your users. Stop claiming some kind of metaphysical superiority when it's more than clear that open source has an equivalent set of problems to closed source. Not necessarily equal, but certainly equivalent. "Those who live in glass houses should not throw stones." You lack the wisdom contained in this statement.

Otherwise you are just spreading FUD and acting unprofessional.

Re:Thankfully those will be patched right in a jif (-1)

Anonymous Coward | about 3 months ago | (#47562691)

Or, Google could quite using Java. But too late, that horse left the barn.

Re:Thankfully those will be patched right in a jif (2, Interesting)

TheGratefulNet (143330) | about 3 months ago | (#47562777)

cell carriers? I have a google nexus (one) and it was abandoned BY GOOGLE, not the carriers, 2 years ago. no security fixes, no nothing. stuck at 2.2.something.

google fucked us over by saying that nexus phones are upgradable and supported. they are not - not by any reasonable definition of 'supported'. I can have linux kernel, ip-stack (etc) updates (at least for security) for 10+ yr old linux pc's. but a few yr old phone - NO WAY. google has the attention span of a 5 yr old.

should I have to throw away a $300 paid for phone that still works, electrically (at least)? this is why I hate android and hate google even more. they use the word 'linux' a lot but they bastardize it and abandon it and tell you 'go re-buy your phone'. sorry, that's not acceptable. not on a device that is less than 5 yrs old and still in perfect working condition. the only issue is the poor software and that will NEVER be fixed, it seems.

I hate google. totally fucking hate their whole development model for phones. (and that leaves me no choice since I also hate apple and their whole scheme of lock-in).

wish there was another choice. the whole mobile data thing really unnerves me with how bad the scene really is.

I guess I can't (or wont) install any apps since the certs can't be trusted (or the code that checks them) and so whatever apps I have now, that's what I have and won't ever have any more on this phone.

(and I fully expect the google fanboys to mod me down. they always do when I yell about their most holy and blessed google.)

Re: Thankfully those will be patched right in a ji (1)

Anonymous Coward | about 3 months ago | (#47562999)

You weren't abondoned, the core apps still receive updates. The N1 is fine on GB so long as youre using play and updating apps.

If you want a full OS build then look for an aftermarket ROM like Cyanogenmod. I use my Desire Z (cousin of the n1) with Cyanogen 10 and it is fantastic. Do a bit of homework and leave your flaming for reddit.

Re:Thankfully those will be patched right in a jif (1)

thegarbz (1787294) | about 3 months ago | (#47563009)

That's all good and fine but just realise that you are in fact the minority. 2 years is not an accepted life span for many devices, but for many phones it most definitely is. You can thank contracts that last that long and come with a "free" phone.

Re:Thankfully those will be patched right in a jif (0)

TheGratefulNet (143330) | about 3 months ago | (#47563263)

I can thank contracts? this was bought outright and from google. it used to be their flagship (yes, a long time ago, but that's not relevant). what is relevant is how google ACTS vs what they SAY. their action speaks volumes and if it wasn't google, with 10's of thousands of employees who are, supposedly, best-in-the-world - they SHOULD have at least one person to support older phones, at least for security and major bugfixes. to this day (and on its birth day) it had a problem with x,y screen calibration. after a few hours of use, it buzzes at you if you touch the screen to click something. from DAY ONE it did that and it never got fixed. flagship phone, has to be reset (power cycle) to reset the x,y calibration. I don't mean the just-loaded-software (touch corners to calibrate) - but I mean that a power cycle will cause the x,y locations to stop vibrating at you and accept your input.

this is just one of the many bugs in the nexus one. I will never buy another nexus now that I see how short google's attention span really is. I don't care what their marketing says, from personal ownership experience, they are shit and they abandon stuff for whatever reason - but the end user is screwed.

there's lots of reasons to hate carriers, but all of this that I mentioned is nothing to do with them and everything to do with google's product mgmt. they decided to pull people off the n1 project and abandon it, leaving major holes in the software. pathetic. I'd expect this from a 10 or 50 man company but NOT from the almighty google. seriously!

Re:Thankfully those will be patched right in a jif (1)

thegarbz (1787294) | about 3 months ago | (#47563839)

I can thank contracts? this was bought outright and from google.

Irrelevant. The market place in general works on 2 year contracts. Just because you do something different doesn't magically mean a company should support you for it.

In my experience they acted perfectly fine. Compare say your Nexus which received 2 years worth of updates, to *any other Android phone* which never received any updates from the manufacturer.

As for the calibration, I wonder why you didn't return the phone under warranty? You had a problem? Well 200000 other people didn't. There was no major public outcry, and the phone was rated highly in its prime. So why did you sit there waiting for a software fix for a problem only a handful of people experienced?

Re:Thankfully those will be patched right in a jif (1)

TheRaven64 (641858) | about 3 months ago | (#47564673)

I can only assume that you rarely talk to non-geeks. I upgrade my phone roughly every 3 years and most of my non-geek friends have significantly older phones than me. Many of them get new phones only when a geeky relative upgrades and hands down their old device, so the least technical users end up with the least secure devices...

Re:Thankfully those will be patched right in a jif (2)

Zuriel (1760072) | about 3 months ago | (#47563051)

The Nexus One was abandoned because Google said the hardware was too old. And they have a point - you have to jump through some major hoops to get a modern ROM onto it.

The N1 has 512 MB internal flash, and the way it was partitioned meant Android 4.0 was larger than the N1's system partition. Its partitioning scheme dates from the days when apps couldn't be moved to the SD card, so the system partition is only barely big enough to hold Android 2.3 to allow the maximum possible space for apps. Sure, you can plug it into a PC, repartition and format, load a new system image onto the phone from the PC, use a hack so all apps get silently redirected to an SD card, etc... but there was no way to do an OTA update.

In short: the Nexus One has a critical hardware issue in that it only barely has enough internal space to store its own OS.

Re:Thankfully those will be patched right in a jif (0)

TheGratefulNet (143330) | about 3 months ago | (#47563281)

bullshit excuse. I don't want or need new features. I want the 512 meg stuff TO WORK and not buzz at me when I touch the screen. or reboot (showing the shimmering X) during gps car use! or have their maps route me into a downtown (redwood city) when I'm really going from south san francisco to san jose. that is a pure route101 trip and yet, time after time, it sends me thru downtown RC when I didn't need to do that.

gmail app is broken (I have to use k9 to read my gmail) - gmail app won't even poll for new messages anymore.

we're talking HUGELY EMBARASSING BUGS here. and yet, they act like the platform is 'done' and the tell you 'just buy another phone, rich guy'. yeah, right, feed the landfills by throwing away functioning hardware.

fucking google... sigh ;(

Re:Thankfully those will be patched right in a jif (1)

Zuriel (1760072) | about 3 months ago | (#47563407)

Updated software won't fit on the device is a bullshit excuse for not putting updated software on the device?

Re:Thankfully those will be patched right in a jif (1)

Richard_at_work (517087) | about 3 months ago | (#47564197)

If security fixes take up significant amount of additional space, then something's being done wrong. Very very wrong.

Re:Thankfully those will be patched right in a jif (1)

Zuriel (1760072) | about 3 months ago | (#47564659)

It's more like you install a 17 gig OS on a 17 gig disk, and then they release a free service pack that adds a ton of stuff. From Face Unlock to data usage limits to VPNs to support for new screen dimensions. And it needs more space for all the extra code. And then they offer security updates that assume you have the free service pack. They didn't release security fixes for Windows XP SP3 and also backport the fixes to SP2 and SP1.

cm11 unofficial (0)

Anonymous Coward | about 3 months ago | (#47563061)

Google is your friend.

Re:Thankfully those will be patched right in a jif (1)

DrXym (126579) | about 3 months ago | (#47564199)

Cell carriers don't have to distribute it. Google could use their Play service and patch devices regardless of what the carrier did. They could even scan devices for active use of the exploit.

KitKat (0)

Anonymous Coward | about 3 months ago | (#47562219)

So it doesn't affect 4.4 KitKat?

READ THE MOTHERFUCKING SUMMARY! (2, Informative)

Anonymous Coward | about 3 months ago | (#47562267)

JESUS FUCKING CHRIST, I know this is Slashdot, but were you totally unable to read even the second sentence of the summary?

The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox.

Re:READ THE MOTHERFUCKING SUMMARY! (-1)

Anonymous Coward | about 3 months ago | (#47562821)

And are you likewise too stupid to realize it only has the potential to affect side-loaded apps *after* you disable the "Verify Apps" security system?

This is a non-story. "If you let random shit from unknown, unverified publishers on your device, you will get screwed".

Re:READ THE MOTHERFUCKING SUMMARY! (0)

Anonymous Coward | about 3 months ago | (#47564189)

That's a completely another detail of this vulnerability. We are talking whether Android 4.4 is vulnerable too, and the answer is yes.

Impossible. (-1, Troll)

Anonymous Coward | about 3 months ago | (#47562233)

Open Source does not contain this type of flaw. All those eyes, don't you know...

Re:Impossible. (1)

Stumbles (602007) | about 3 months ago | (#47562275)

Um if you read TFA it says Google is using code that was discontinued years ago. So one has to ask Google how they could be so stupid.

Re:Impossible. (1)

willaien (2494962) | about 3 months ago | (#47562293)

And a lot of android is open source. And it's used by many parties.

Re: Impossible. (0)

Anonymous Coward | about 3 months ago | (#47562339)

And every day, those assholes at Google are closing off more and more of it.

Re: Impossible. (1)

Namarrgon (105036) | about 3 months ago | (#47562593)

Luckily, it's entirely because they have been "taking android back" that they've been able to issue a (closed-source) Play Services response to the threat so quickly, to all Google-using android phones regardless of carrier.

Re:Impossible. (1)

gnasher719 (869701) | about 3 months ago | (#47562635)

And a lot of android is open source. And it's used by many parties.

As soon as you put open source code into your product, it's part of your product, and the quality is your responsibility. If you are a small time developer, you can use "Google used it as well, and they didn't find the problem" as an excuse. If you are Google, that excuse doesn't work.

Re:Impossible. (1)

mythosaz (572040) | about 3 months ago | (#47562295)

There were fewer eyes back then...

Re:Impossible. (1)

Anonymous Coward | about 3 months ago | (#47563845)

There were fewer eyes back then...

So it was mpossble?

Re:Impossible. (0)

Anonymous Coward | about 3 months ago | (#47562437)

Um if you read TFA it says Google is using code that was discontinued years ago. So one has to ask Google how they could be so stupid.

Mature (old) code is not the problem. Bad code is. Security related code is notoriously hard to review, whether that code is new, or old, and once written (and the review is done) tends to not be reviewed again. Openssl is the poster child for this.

Re:Impossible. (0)

Anonymous Coward | about 3 months ago | (#47563567)

Um. Google is continuing it? With a lot more resources than it had originally? Unless you think Android is discontinued, but at that point I really can't help you.

Calling the Android Java Libraries discontinued because Apache isn't involved anymore is like calling Libre Office discontinued because Oracle isn't involved anymore.

Why didn't Java stop this? (0, Flamebait)

Anonymous Coward | about 3 months ago | (#47562307)

I don't know much about Java and virtual machines and all that (I'm just a graphic and media designer), but I constantly hear the programming guys at work saying that the Java virtual machine is more secure than just normal software codes. I know I've disabled it in my Safari but why didn't it stop this bug on Android? The guys at work who like Android told me I should get a Samsung Android phone next time instead of an iPhone because Java is more secure than whatever iOS uses for apps. But after reading about this bug, which sounds really serious to me I think, I don't know if I want to get an Android phone. I was going to get one but will it be secure if it has the Java on it?

Re:Why didn't Java stop this? (1)

Narcocide (102829) | about 3 months ago | (#47562329)

sigh. merely replying to undo accidental moderation. meant to moderate insightful not redundant. slashdot really needs a manual undo of moderation.

Re:Why didn't Java stop this? (1)

jones_supa (887896) | about 3 months ago | (#47564207)

Well, as we are sailing on the seas of offtopic already, I might ask what's you favorite Pringles flavor? I'll go with the classic Paprika myself.

Re:Why didn't Java stop this? (0)

Anonymous Coward | about 3 months ago | (#47562421)

I don't know much about Java and virtual machines and all that (I'm just a graphic and media designer), but I constantly hear the programming guys at work saying that the Java virtual machine is more secure than just normal software codes. I know I've disabled it in my Safari but why didn't it stop this bug on Android? The guys at work who like Android told me I should get a Samsung Android phone next time instead of an iPhone because Java is more secure than whatever iOS uses for apps. But after reading about this bug, which sounds really serious to me I think, I don't know if I want to get an Android phone. I was going to get one but will it be secure if it has the Java on it?

Congratulations.

Nice troll. ;)

Java sandboxing helped in this case (1)

raymorris (2726007) | about 3 months ago | (#47562993)

Essentially, what Java sandboxing is designed to do is to completely separate different apps, so for example your text messaging app doesn't have access to your browser's password storage. On a regular OS, traditional applications have access to all of your files and all of your hardware, meaning one piece of malware can get everything on your computer. Sun hasn't done a great job of implementing the sandbox in their Windows Java plugin. Google may have done a better job on Android.

In Android, you specially allow each app to have access to different things. If a flashlight app requests permission to read your text messages, you don't install that flashlight, because a flashlight has no legitimate reason to be reading text messages.

This bug isn't directly related to sandboxing, but sandboxing does reduce the impact. This bug allowed the author of an app to lie about who they are, about who made the app. So Joe Hacker could have marked his app as being made by Microsoft. If you trust Microsoft, you might install the app thinking it was made by Microsoft, but it wasn't really. So you go to install Microsoft Flashlight and the system says "Microsoft Flashlight wants to read your text messages". You'd click the "fuck off" button because a flashlight app doesn't have any business reading your text messages - even a flashlight app made by Microsoft. So while the bug allowed them to lie about who made the app, you can still see what the app is trying to access and deny if if doesn't make sense.

Re:Java sandboxing helped in this case (1)

Wyzard (110714) | about 3 months ago | (#47563921)

Not quite.

First, sandboxing in Android isn't done at the Java level, it's done at the OS level, by running each app under a different UID and letting the kernel take care of enforcing what that UID is (and isn't) allowed to do. It's the same system that prevents different users on a "conventional" Linux system from accessing each other's private files. This is why Android apps can load and run native code (via JNI) without needing any special security permission or exemption. Native code is still in the sandbox.

Second, the real danger in this flaw isn't malicious apps tricking the user, it's malicious apps tricking other apps. Android's permissions system includes a feature called "signature-level permissions" which allows apps that are signed by the same publisher to grant each other permissions that aren't available to apps signed by other publishers. This bug means that a malicious app can pretend to be signed by Company X in order to gain signature-level permissions to interact with actual Company X apps in privileged ways. Depending on the app, this may allow access to sensitive data.

Whew! (0)

Anonymous Coward | about 3 months ago | (#47562311)

At least Nokia won't be tarnished by this! Glad I went with Windows Phone!

Re:Whew! (0)

Anonymous Coward | about 3 months ago | (#47563903)

Lucky you.

I call BS (4, Funny)

Charliemopps (1157495) | about 3 months ago | (#47562351)

Why are we blaming yet another coding mistake on Native Americans?
Native Americans are just as good as anyone at programming. I'd even say the Apache tribe has some top notch C++ people. Yes, the computers don't last long in the sweat lodges, but that's the price you pay for that "Made by real Americans" label.

Re:I call BS (1)

godrik (1287354) | about 3 months ago | (#47562441)

Too bad there is no "not funny" tag on slasdhot. This would be a perfect use case for it.

You are so RIGHT! (0)

Anonymous Coward | about 3 months ago | (#47562495)

I am SO tired of these incompetent Indian programmers fucking things up for us!

I tell, there's been many times when offshored programmers have sent me on a Trail of Tears!

And I sit back and just have to say, "How."

Re:I call BS (1)

Charliemopps (1157495) | about 3 months ago | (#47562799)

There is. The long series of 1s following the comments under your profile for example ;-)

Re:I call BS (0)

Anonymous Coward | about 3 months ago | (#47562541)

Should have used Navajo code instead. Everybody knows it's better than Apache code... That's why they used it in WWII.

Re:I call BS (0)

Anonymous Coward | about 3 months ago | (#47562667)

Somebody else owns it, they were afraid they might get Siouxed.

Re:I call BS (1, Informative)

rahvin112 (446269) | about 3 months ago | (#47562685)

There is no tribe called simply the "Apache". Though, the word Apache is used in the name of several of the tribes that make up the ethnic group. There are numerous tribes in the Apache ethnic group. One of largest of these tribes is the Navajo which doesn't use the word Apache in the tribal name.

Re:I call BS (1)

Charliemopps (1157495) | about 3 months ago | (#47562791)

So you missed the fact that my statement was completely nonsensical and not based in reality? and yes, I mean more so than usual.

Re:I call BS (0)

Anonymous Coward | about 3 months ago | (#47563415)

Your joke was stupid, his post is interesting. Get over yourself.

Re:I call BS (0)

BasilBrush (643681) | about 3 months ago | (#47564335)

There is no tribe called simply the "Apache". Though, the word Apache is used in the name of several of the tribes that make up the ethnic group. There are numerous tribes in the Apache ethnic group. One of largest of these tribes is the Navajo which doesn't use the word Apache in the tribal name.

Fragmentation is always a problem. If they'd had the sense to trademark it in the first place this would never have happened.

Re:I call BS (0)

Anonymous Coward | about 3 months ago | (#47563779)

Genuinely funny, but it also brushes on a common issue: why oh why do Slashdot use "title case"? It helps with nothing, and it hinders readability at least on a daily basis.

"Old Apache code at root of Android FakeID mess" -- what would be the downside of this readable title? We are trained to find capital letters in running text and attach meaning to it. Because of the excessive capitalization in the actual item title, where almost every word is emphasized for the reader, in reality nothing is emphasized, and it reads more like:
"old apache code at root of android fakeID mess"
Sure, context makes it readable after re-parsing a few times, but there is just no reason for any part to do it this way.

Let us be an example to the world (or rather, a quite small subset of the world) and kill title case. Every negative quality of sentence case is fully related to habit.

Open Source Dangers (1)

v. Konigsmann (808666) | about 3 months ago | (#47562379)

Kind of strange how all these reports of Open Source vulnerabilities are increasing recently. Despite the fact that, as in Heartbleed, hyped to the max, very few actual bad things seem to happen. Almost as if it were coordinated.

Re:Open Source Dangers (2)

Kardos (1348077) | about 3 months ago | (#47562649)

I see it as good news that security software is getting more attention. There was a lot of bug backlog that's finally getting fixed. Each bug a bug is fixed we slowly and steadily eliminate attack vectors. Heartbleed is undoubtedly one of the drivers of this renewed attention, as are the revelations that nation states are actively working to exploit weaknesses. Patching bugs is one of the ways ordinary people can work against mass surveillance.

> Despite the fact that, as in Heartbleed, hyped to the max, very few actual bad things seem to happen.

Not all exploits get noticed. If your old laptop was keylogged, and a year after you got a new laptop you discovered that you were a victim of some sort of identity theft--- would you ever trace it back to the keylogger? If your $device was part of a botnet used for some sort of click fraud, would you notice?

Re:Open Source Dangers (1)

Zxern (766543) | about 3 months ago | (#47563345)

One of the down sides of having fast, powerful and cheap computers today is that most users won't notice when they've been infected with a virus.

Appalling (2)

countach (534280) | about 3 months ago | (#47562403)

I don't know the fine details of this bug, but am I the only one appalled at how obvious this bug sounds? It doesn't even properly check the certificate? I mean buffer overflows and such are one thing, but not properly testing your certificate code seems unforgivable.

Re:Appalling (0)

Anonymous Coward | about 3 months ago | (#47562601)

Maybe not an unintended "bug"...

NSA at work?

Re:Appalling (1)

jones_supa (887896) | about 3 months ago | (#47564259)

Meeh. I think that also here the saying "Never attribute to malice that which is adequately explained by stupidity" works as the Occam's razor.

Re:Appalling (0)

Anonymous Coward | about 3 months ago | (#47562627)

You are the only one.

The rest of us are actually appalled at the fact that Google intends to fork openssl to, supposedly, fix its many flaws, when they can't even get this one simple thing right.

Re:Appalling (5, Informative)

swillden (191260) | about 3 months ago | (#47562755)

I don't know the fine details of this bug, but am I the only one appalled at how obvious this bug sounds? It doesn't even properly check the certificate? I mean buffer overflows and such are one thing, but not properly testing your certificate code seems unforgivable.

No, it's not that it doesn't check certificates generally, it's that if there's an additional, extra certificate of a particular form in the list that forms an app's certificate chain (but isn't actually in the chain) then that extra certificate gets included in the list of signatures associated with an app... making other apps that query the signature list believe that the app is signed by a certificate it's not. This doesn't, for example, fool the Play store into believing an app is from developer A when it's really from developer B. But it can fool other apps. There are some apps that load others as plugins, and make decisions about which plugins to load based on whether they're signed by a particular key. This flaw allows malicious apps to subvert that, convincing the plugin-loading apps to execute them, thereby giving the malicious app the same permissions as the plugin-loading app.

It's a serious security flaw, no doubt. But it's a little more subtle and less obvious than the summary makes it appear. Also, it appears that no app in the Play store, nor any of the other apps that Google has scanned, attempt to exploit the flaw. It's very easy to identify them by scanning the certificates in the package.

I've implemented tests for certificate chain validation code several times (not in Android), and it never once occurred to me to test for this particular odd construction, nor, I think, would anyone else think to test for it without some specific reason. This sort of bug requires inspection of the code.

(Disclaimer: I'm a member of the Android security team, but I'm not speaking in an official capacity, just summarizing what I've read of the vulnerability -- which isn't a great deal. Others on my team are well-informed, but I haven't followed this issue closely.)

TLS hardening (0)

Anonymous Coward | about 3 months ago | (#47562405)

While I am there I cannot resist promoting my own paper on TLS hardening [arxiv.org] , for the administrator and the developer, or to anyone missing the basics to understand security problems like the one reported here. From the summary:

This document presents TLS and how to make it secure enough as of 2014 Spring. Of course all the information given here will rot with time. Protocols known as secure will be cracked and will be replaced with better versions. Fortunately we will see that there are ways to assess the current security of your setup, but this explains why you may have to read further from this document to get the up to date knowledge on TLS security.

We will first introduce the TLS protocol and its underlying components: X.509 certificates, ciphers, and protocol versions. Next we will have a look at TLS hardening for web servers, and how to plug various vulnerabilities: CRIME, BREACH, BEAST, session renegotiation, Heartbleed, and others. We will finally see how the know-how acquired on hardening web servers can be used for other protocols and tools such as Dovecot, Sendmail, SquirrelMail, RoundCube, and OpenVPN.

We assume you already maintain services that use TLS, and have basic TCP/IP network knowledge. Some information will also be useful for the application developer.

No matter the flavor... (1)

93 Escort Wagon (326346) | about 3 months ago | (#47562585)

Relying on Java for anything fundamental is going to bite you in the butt.

It was inevitable (1)

maroberts (15852) | about 3 months ago | (#47562715)

What did Apache expect when their code was written by Cowboys?

Re:It was inevitable (0)

Anonymous Coward | about 3 months ago | (#47562861)

What did Apache expect when their code was written by Cowboys?

Aliens?

Useable Code ... I'll Take It ... Thank You ! (0)

Anonymous Coward | about 3 months ago | (#47562841)

Wow.

Not in a long time has usable code been identified.

The likes of Apple have been down grading Net BSD since after Tiger. I guess the last X in OS X X is an emulation layer running XP SP3.

"The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged." This is evidence of a Master at work. Gwa-Dang I'm getting a boner.

This code IS for me !

Malicious Actors? (1)

Art3x (973401) | about 3 months ago | (#47563029)

Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems.

It's a good thing most actors aren't good at programming.

Seriously, why do we feel we must constantly reel words, which were perfectly content in their familiar habitat, into the jargonic fold? "Actor"? Couldn't we have used one of dozens of words already used in everyday English: programmers, hackers, thieves, people? That last suggestion brings up another question: which of the two instances of the word "malicious" could safely be removed from the sentence? Both. After a long introduction about a security hole, we're so ready for a scenario about villainy that we would be positively thrown off otherwise. At least they said "could create" and not "could potentially create."

Someone could put a fake certificate from Adobe into their mobile app.

There.

The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

After the lawsuit from Oracle and now this, if I were the one who chose Java as Android's language, I would be kicking myself just about every day now.

Re:Malicious Actors? (1)

Kardos (1348077) | about 3 months ago | (#47563259)

Really? The summary describes a software flaw with grave security implications, and you weigh in with some whining about the use of 'actor' and a mediocre quality sentence?

Education time: Some words have multiple meanings. Actor is one of them.

    actor
    noun: actor; plural noun: actors
    1. a person whose profession is acting on the stage, in movies, or on television.
    2. a participant in an action or process.

It's bog standard to use the second sense in this context. See http://en.wikipedia.org/wiki/A... [wikipedia.org]

Re:Malicious Actors? (0)

Anonymous Coward | about 3 months ago | (#47563317)

Seriously, why do we feel we must constantly reel words, which were perfectly content in their familiar habitat, into the jargonic fold? "Actor"?

Maybe you should find out the meaning of the word 'actor' before you spout off like an ignorant moron?

Oh, wait, too late.

Sorry, but if you're going to be an arrogant douche, you should at least be correct.

You're not.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?