One Billion Android Devices Open To Privilege Escalation
msm1267 (2804139) writes "The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks. Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.
The researchers said they found a half-dozen different Pileup flaws within Android's Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said." Handily enough, the original paper is not paywalled.
What the summary fails to explain properly is that this vulnerability only works with permissions that are new when the device gets an OS update. Say you install an app and it asks for permission to use NFC, but your device's OS is old and doesn't support NFC (pre 4.0 I think). You install it anyway. Then you upgrade the OS and now it supports NFC. The app then gets the NFC permission without any further prompts or warning to the user.
That is certainly an issue, but not the huge gaping security flaw the summary makes it sound like. Apps can only ask for normal permissions that the OS offers, not bypass security or the sandbox. It's basically a UI issue.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
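The behaviour described in the comment above, as an added example (not code from the paper, from SecUP or from anyone in this thread): a simplified model of an OS that ignores requested permissions it does not define, plus a pre-update audit that lists which apps would pick up a permission silently once the new image defines it. The package names, both permission sets and all function names are constructed assumptions.

```python
# Added illustration. Package names and permission sets are constructed;
# the sets do not describe which real Android release introduced what.
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    package: str
    requested: frozenset  # permission names listed in the app's manifest


def granted(app, os_permissions):
    """Simplified model: a requested permission is held only if the running
    OS defines it; names the OS does not know are ignored at install time."""
    return app.requested & os_permissions


def audit_before_update(apps, current_os, target_os):
    """Classify every requested permission that the current OS does not define.

    pending -> defined by the target image: granted after the update, no prompt
    unknown -> defined by neither image (for example a typo in the manifest)
    """
    report = {}
    for app in apps:
        undefined = app.requested - current_os
        pending = sorted(undefined & target_os)
        unknown = sorted(undefined - target_os)
        if pending or unknown:
            report[app.package] = {"pending": pending, "unknown": unknown}
    return report


OLD_OS = frozenset({"android.permission.INTERNET", "android.permission.CAMERA"})
NEW_OS = OLD_OS | {"android.permission.NFC"}  # one permission new in the update

APPS = [
    App("com.example.flashlight", frozenset({"android.permission.CAMERA"})),
    App("com.example.waiting",
        frozenset({"android.permission.INTERNET", "android.permission.NFC"})),
    App("com.example.typo", frozenset({"android.permission.INTERNTE"})),
]

if __name__ == "__main__":
    for package, finding in audit_before_update(APPS, OLD_OS, NEW_OS).items():
        print(package, finding)
    waiting = APPS[1]
    print("held before update:", sorted(granted(waiting, OLD_OS)))
    print("held after update: ", sorted(granted(waiting, NEW_OS)))
```
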
Wow, a freebie from Microsoft, how incredibly generous. Google will probably thank them for pointing it out. Isn't it nice how everybody just, *gets along*.
My ism, it's full of beliefs.
I expected better from Google.
My karma is not a Chameleon.
This depends on upgrades. Carriers, upgrade?
Hell, my wife and I are on different versions of Android, same carrier, same phone, both say they're fully up to date.
I have a shitty Alcatel on 2.3.7 which won't get its OS upgraded in a million years. No 13 years of updates like XP, woohooooo. This is what happens when you provide decent support for your best OS, MS!
That is certainly an issue, but not the huge gaping security flaw the summary makes it sound like
A security flaw is a security flaw. Whether or not it's a "gaping hole" it still can be exploited.
For that, I sincerely thank Microsoft for so kindly pointing out that security flaw.
No matter what the ultimate intention / agenda of Microsoft is in this case, with this security flaw exposed, let us hope that Google can do something to plug it, and make those "Billion Android Devices" just a little bit safer.
Muchas Gracias, Señor Edward Snowden !
For years here on /., all you heard was "Linux = Secure, Windows != Secure", well... explain what's been going on for nearly a decade Penguins, on your 'invulnerable Linux' once it's the most used OS there is on a given computing platform"
(Like Windows is, was, has been, + will be always on PC's & Servers combined over ANY other competing OS)
* You know - Lines of bullshit you fed people here from your "Open 'SORES'" crew around here, for decades, vs. many 1,000's of occurrences over a decade now, like this article's an example of.
APK
P.S.=> Oh, yes folks: The torrent of bullshit & downmods of this post are inevitable - I am going to sit back, AND lmao (since no matter WHAT they say, they now have to (& you KNOW I'm going to say it, don't you? Of course) "Eat their WORDS" (lol)...
... apk
> ...on your 'invulnerable Linux' once it's the most used OS there is...
And then you win!
The cycle is complete.
A Microsoft research into Android would be highly neutral and non-biased as Microsoft has no direct competition with Android.
Android's firmware loader != Linux. Sorry to burst your bubble.
Luckily for most Android users Android is almost never updated, so in real life there's no real vulnerability.
"For that, I sincerely thank Microsoft for so kindly pointing out that security flaw."
"Kindly"? Are you serious? There was nothing "kind" about it. It's anti-Android PR for Microsoft. Why the hell do you think Microsoft was involved with looking into it in the first place? The goodness of their hearts? Puh-leeeeeze.
You'll find the scanner titled "Secure Update Scanner" in the Play store.
Old versions of Android may be susceptible to hijacking by a malicious app. Such a malicious app can only get onto the device by direct user action.
Certainly kinder than discreetly e-mailing their findings to every shady source of malware they know of. With so many years of experience, I'm sure they have a list.
Sign up now for patch+Mondays! Simply log in to your gmail....
Well, no /effective/ competition anyway.
Probably the same reason Google does the same thing, to analyse how their competitors are doing. This method of exposure of vulnerabilities is what Google wants (as was demonstrated by them using the same method when they found vulnerabilities in MS products). They should be kindly thanked as they are following the procedure that Google wants people to follow; their motivation is irrelevant.
There are one billion Android devices? That's awesome!
Coder's Stone: The programming language quick ref for iPad
I suspected this as soon as I put a typo in the permissions required for my very first android app.
Does it really take that many researchers to verify it and write a paper? I just assumed it was obvious. Maybe most people don't make as many typos as I do?
that the term check your privilege actually makes sense in a Slashdot article.
Think of all the help Microsoft could get spotting security flaws if Google and Stanford could look through the Windows source whenever they chose.
Now let's talk about that last patch batch where IE couldn't even safely display a JPEG in any currently supported version on any version of Windows.
Help stamp out iliturcy.
I'm pretty sure this story calls for a little Bible verse, from the book of Matthew.
Now brothers and sisters, please join me in a song from page 126 of your hymnal, "Open My Eyes That I Might See".
You are welcome on my lawn.
What are you talking about? A fake OS update? Does that have anything at all to do with anything? A fake update wouldn't add any new system capabilities, so apps wouldn't gain any new capabilities.
Did you read the comment you replied to? Or TFA, or anything to get a clue what that topic is?
"Kindly"? Are you serious? There was nothing "kind" about it. It's anti-Android PR for Microsoft. Why the hell do you think Microsoft was involved with looking into it in the first place? The goodness of their hearts? Puh-leeeeeze.
What do you think of IE vulnerabilities found by Googlers ?
http://www.google.com/about/ap...
And I still don't give a crap.
Quit being alarmist--the exploit only works once every 28 days.
That there are 3,500 customized versions of Android developed by handset makers and carriers is really a news story unto itself.
so much for robotic companionship...
Considering the amount of money that Microsoft makes in patent licensing fees from Android I don't know how they could have any financial reason to want Android to go away. At the moment I suspect that Microsoft makes more money from Android than it does Windows Phone.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
"What do you think of IE vulnerabilities found by Googlers ?"
I wasn't saying Microsoft is any worse. Just that they weren't doing it for the sake of charity.
"For that, I sincerely thank Microsoft for so kindly pointing out that security flaw."
"Kindly"? Are you serious? There was nothing "kind" about it. It's anti-Android PR for Microsoft. Why the hell do you think Microsoft was involved with looking into it in the first place? The goodness of their hearts? Puh-leeeeeze.
That was a big one. You're lucky the mods nearly got it full force too. Next time you hear someone yell "duck" don't stand there looking for one just hit the deck or the Woosh may be fatal.
"Considering the amount of money that Microsoft makes in patent licensing fees from Android I don't know how they could have any financial reason to want Android to go away. At the moment I suspect that Microsoft makes more money from Android than it does Windows Phone."
That last bit is exactly why they want Android to go away. They don't make nearly as much money on Android as they'd make if all those same phones were Windows. Every Windows phone they can sell in place of an Android phone is more money in their pockets.
Sure, they'll make money off of Android where they can. But they'd rather it simply wasn't there.
Lemme guess. You think key-loggers are vulnerabilities TrueCrypt should patch too, right?
It's already there in hosts (Linux uses hosts too - anything with a normal BSD based IP stack does)...except some KitKat model). Altering it's cake. ADB Pull command.
APK
P.S.=> Like I said though - a LOT of bullshit would flow (lol) from anyone replying to my post, but no answering my question (How "invulnerable" Linux is? Look no farther than this article & 1,000's yrs. before it on the SAME thing - look @ the other replies - just b.s. avoiding my question & they can't explain why Penguins on /. must "eat their words" (lol): Plus, My initial predictions came true as I knew they would, on downmods of my post in effete "retaliation"... apk
am I going to open an xterm and type call_accept on a nice debian system.
Android is open. Open is beautiful. Open is great. Open to unpatched vulnerabilities forever is the best.
Privilege escalation? That phrase, I don't think it means what you think it means.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
yes, key-loggers are vulnerabilities.
As long as the research is valid and the conclusions correctly presented (which, in this case, they do not seem to have been), I don't care for the motive.
Shachar
In that it still doesnt allow line-item veto of app priveleges.
This should be the most basic feature.
I love Android but sometimes it's just really hard to get along with it.
Certainly kinder than discreetly e-mailing their findings to every shady source of malware they know of. With so many years of experience, I'm sure they have a list.
Er yes, but this is the company that insists everyone else does responsible disclosure and has threatened security researchers who don't. I sure hope the next people to find a major, wormable Microsoft vulnerability remember about this generosity.
That would be true if the security flaw could be exploited. But apparently, it would appear that this flaw is mostly theoretical. This article is MS funded anti-Android FUD.
Sure, they'll make money off of Android where they can. But they'd rather it simply wasn't there.
So, we should be expecting a similar report from MS regarding iOS, then?
Oh, wait; I said "iOS", right?...
iOS is already failing without Microsoft's help.
Android users are disgusting fat blobs who shit their pants and work at Best Buy.
Android's being infested FASTER, by far, than Windows EVER was IN THE SAME TIMEFRAME of existence...
APK
P.S.=> Fact... & another one is this:
The MORE USED AN OS IS, the more apt it IS to be attacked + abused by malware makers etc. ...
However, in ANY event - YOU NEVER ANSWERED MY QUESTION: Why did you Penguins here say (for years here) basically "Windows != Secure, Linux= Secure" when the fact is, what you all said, isn't true (articles like this, & 1,000's like it the past few years now too) tend to "second my motion"... apk
YOU NEVER ANSWERED MY QUESTION: Why did you Penguins here say (for years here) basically "Windows != Secure, Linux= Secure"?
Especially when the fact is, what you all said, isn't true (articles like this, & 1,000's like it the past few years now too) tend to "second my motion"...
APK
P.S.=> Like I said, predicting I'd be unjustifiably downmodded for telling it HOW IT REALLY IS here on Linux and Android, & that I'd hear more BULLSHIT than was considered normally humanly possible in evasion of answering that question of mine above... & as per my usual? I was right, as always... apk
Why so defensive? A vulnerability exists and yes, people have certainly installed stuff that's going to cause problems when they upgrade. The good thing is, upgrading Android is a real PIA and few will bother doing it.
Represent!
Spelling "privilege" should be a more basic feature. #fail
oh yeah, i like it
1. I don't recall Google sending out puff pieces to tech tabloids like how Microsoft seems to have done in this case.
2. Google didn't severely exaggerate the severity of the flaw in an attempt to spread FUD about their competitor.
So sweet of Verizon to not provide updates on a timely basis, then, which prevents this kind of attack from ever causing problems.
So I turn to CyanogenMod or similar, which I'm sure will have patched this by the time there's another upgrade.
Design for Use, not Construction!
As long as the research is valid and the conclusions correctly presented (which, in this case, they do not seem to have been), I don't care for the motive.
No argument. The research seems decent and worthwhile. The tone of the press release is what's eye-rollingly ridiculous. This is a minor security UI deficiency, but they're selling it as a "privilege escalation", which is normally understood to mean the ability to break out of the sandbox at least, and usually implies root access.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Using Privacy Guard, I can see that Facebook has attempted to read my contact list 94 times. These attempts were blocked.
LOL - you keep telling yourself that whilst getting fscked by Google.
Each and every one of them can be jail broken.
Why isn't THIS news?
I see what you're doing there.
Microsoft supports a report that sheds a competitor in a bad light. You bring up the 'he who is without sin cast the first stone' implication (somewhat vaguely but nonetheless) by bringing IE into the discussion. If we went down the road where nobody brought their competitors into a bad light as long as they had their own skeletons then we'd have even fewer issues brought into any light. You are actually a pretty bad person for even attempting that, and could create even worse problems if people actually listen to you.
Just because Microsoft has a load of buggy shit, that has no bearing on whether they find something (maybe a bit blown out of proportion) concerning other products..
Really.. what does IE have to do with the article? I don't even use IE and could care less about it. Does the IE bug make Android more or less secure or cause the user to make a better informed or worse decision about permissions?
nvm.. I won't even bother reading your follow-up.. You're just 'one of those'...
Their research dollar is better spent looking at the security of products they can fix. That is their job. When they can't even safely display a photo in their own products, their opinion on other people's product security is not qualified. They are not security subject matter experts.
Help stamp out iliturcy.
Yes, good point. IE has nothing to do with this. Nor does their virus, malware, ransomware, etc ridden OS have anything to do with this. There are so many virus and malware variants for Windows that Microsoft should consider opening up a store for them. The count would dwarf the App store and Google Play app counts.
Microsoft's resources would be better spent by patching their virus and malware ridden OS.
Don't let these bullshitters get to you. Notice that all the Google flaws are accompanied by CVE numbers and a Microsoft, or other vendor, bulletin. This is for two reasons; firstly these are real flaws (Microsoft is including applications which openly say they use a particular feature but only get it added during an upgrade - in other words things which can't possibly be seen as security vulnerabilities) and secondly Google first took them to Microsoft before releasing them.
What Microsoft has done by publishing a flaw before Google has fixed it is precisely what Microsoft is always telling us is wrong. When they start overblowing it, I'm sorry to say but they are going far beyond what Google has done. It is outrageous to compare the two companies.
So... what's your stance on all those vulnerabilities published by Google on Microsoft's applications?
[and jesus, I can't believe I'm "defending" Microsoft]
You might want to send a note to Google too, for all their papers on Windows/IE vulnerabilities.
Except that Microsoft is now releasing its own flavor of Android phones for the entry markets....
So how is the weather in Cupertino?