Security Expert Warns of Android Browser Flaw
justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'"
Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.
On iOS, vulnerabilities are only used for jailbreaks.
1. Have to know full path to a file to view it.
2. Have to download a file, presumably from someone you don't know and trust.
3. This is in all browser versions, so how exactly does fragmentation factor in?
Like everything else, buzzwords like Android fragmentation guarantee hits.
"Zero-day" attacks are when the application developers had no awareness of the problem before the information got to people who might exploit the problem.
TFA says Cannon gave Google prior warning, so this isn't zero-day, right?
http://en.wikipedia.org/wiki/Zero-day_attack
I think news agencies just stick "zero-day" to all virus/bug news because it sounds scary.
Tired of Amazon S2 prices piling onto your organization's IT expenses? Thinking of running large distributed apps on your own equipment? We offer cloud computing services for cheap!
Standard on-demand instances:
Small (1000 Android cellphones): $0.05 per hour
Large (5000 Android cellphones): $0.20 per hour
Extra large: call
Get a 10% discount if you sign up before zero day is over.
The real problem is that there is no easy way to patch this. Seriously, Android/Google should have long ago known that this situation (i.e. vulnerability with no quick way to patch) could be possible.
But you do go to Microsoft and ask for Windows patches for your Dell or HP (or even for your iWhatever, if your iWhatever is an iMac, and you're running Windows on it.)
This is a nightmare because you have to go to the company that sells you the gadget... and it can take months for the phone manufacturer to validate a new ROM for your phone based on Google's code, and then a few more months for your carrier to validate that ROM.
His point is arguably more valid for some types of problems than for others...
Some things are inherently difficult in an environment with numerous hardware variations that cannot be depended upon (designing UIs that work nicely across multiple screen sizes/keyboards vs. softkeys only, etc., substantial differences in processing power, RAM, storage); but most security bugs, unless apocalyptically foundational in some ugly way, generally don't qualify. Nor are security fixes (unlike new features, or issues related to custom skins and other OEM differentiation crap) generally something that carriers are likely to be conflicted about from a marketing perspective. Lots of carriers are doing a lousy job of updating existing handsets to newer Android versions because they would really rather just sell you the Model N+1 and another two-year contract. Doing that with an obscure bug is harder.
So let's say you bought a Windows box. Maybe you got it from HP. Maybe you got it from Dell. Maybe from Sony.
Who do you expect to provide you with a patch when someone discovers a new Windows vulnerability? Microsoft, right? If it's really serious it'll probably pop up in the next Patch Tuesday. If it's hyper-serious then it might come out three or four days after the vuln was announced.
That's not the way it works in the Android world, annoyingly enough. Imagine if the version of Windows loaded onto that HP machine was a special HP version, full of HP customizations like a proprietary HP window manager and a proprietary HP web browser. MS can't give you any patches because the HP customizations are a fork of MS's source; when MS does bugfixes, someone at HP has to take a diff of the new MS tree, merge it with the HP tree, and run it all through QA. Oh, and the store you bought it from? Some of them have their own variant source trees too, so the same machine bought from Best Buy rather than direct from HP has its own fork of the OS.
Now multiply this by a different fork for every damn model they sell. Oh, and because they only have so much money, HP/Dell/Sony/Best Buy/whoever typically only bother merging in the OS updates for computers they made in the last year. If you're lucky.
Oh, and some of them have implemented DRM that will trash your computer if you try to install vanilla MS Windows. And nobody makes the drivers for their custom hardware available anywhere outside of the binary blobs they distribute. Pretty much everyone except the hardcore nerds is just gonna be running whatever release of the OS came with their computer, or maybe the one update they got - even if they keep the machine for five years. Even if they want to try and update it.
So tell me, why is this a problem?
They just don't want to spend any more money on it. Android code gets released, then the OEM customizes it, and then the carrier finally customizes it. That's a lot of work -- the 10 or so current phones they've got out, plus their entire back catalog. They've already got your money. So long as it doesn't affect their network, why do they need to bother? It only takes one of the OEM or carrier to decide it's not important.
Chester was entirely wrong about Windows Phone, too, unless he is confusing it with Windows Mobile (the pre-7 stuff). Windows Phone 7 is the complete opposite of how Android is doing it: Microsoft is basically trying to create an iPhone competitor in every way, but allowing for multiple devices. To do this they made very stringent hardware and software requirements -- all the phones are basically exactly alike on the inside. Samsung couldn't even use their own Hummingbird processor, because Microsoft only allows the Snapdragon. They also don't allow OEMs or carriers to modify the OS -- the most they can do is pre-install some apps, which act like every other app, so they can be fully removed and are automatically updated.
Because of this, updating the OS is very very easy. There is no fragmentation, and Microsoft plans to push out all the updates themselves, exactly like Apple does. There might be a short delay between carriers to certify that it won't bork their network, but that's all. (Apple can hide this because they only have to do it with one carrier)
I can't recall a single Windows phone on which I could install patches directly from Microsoft. Yes, there was a Windows Update button, but it always timed out after 15 minutes telling me that it couldn't connect, and I still had to wait for the phone manufacturer to release the patch (if ever). This was on SE phones; perhaps there were other winphones where this worked better?
Since your post was so rife with inaccuracies, I felt I had to correct the misconceptions you were attempting to spread.
And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of iOS device...
Where did you get that from? The iPad and iPhone and Touch all run the same OS version now, 4.2. The only iOS device that cannot run 4.2 is the first gen iPhone or the 1st (and possibly second) gen Touch. That's not eight, it's around two. And both of those can be patched by jailbreaking, which happened within a few days of the PDF exploit.
Given most people had to sign a 3
No iPhone has ever had more than a two-year contract.
But the really silly thing is comparing Android's fragmentation to Apple's going it alone with iOS and concluding that the fragmentation is somehow a disadvantage.
Right, because the fact this vulnerability will take months to fix for 80% of Android users vs. something like it days to fix for 80% of iOS users, means nothing. Sure, you just keep saying that.
If each of 20 vendors wrote their own operating system from the ground up the way Apple did, would that be somehow better??
In some ways, yes, because then they would each be on the hook to fix vulnerabilities, or not even have them with so many diverse implementations. But the simple truth is that they ALSO would have been better using Android in a way that Google would be the one pushing updates for things like the browser. That would have been the sane model, but Google decided to bow to the will of carriers and device makers and let them have all the control over updates.
If 20 manufacturers did what Apple did, we'd have 20 distinct operating systems. 20 incompatible app stores.
How would that be different than what you are getting? You already have a few different app stores, including Verizon. Who is to say that in a few years the situation will not be exactly as you describe?
The real issue with fragmentation is that you don't HAVE Android anymore, all you have are variants with Android at the core.
Thank god we don't have 20 apples. One is quite enough.
Unfortunately, the market and consumers really need two but Google decided to take themselves out of the running; with any luck Microsoft has learned and can be the Other Apple.