Certifi-gate: Another Huge Android Vulnerability
An anonymous reader writes: Security research firm Check Point has released information about a new vulnerability called Certifi-gate, which they say compromises the security of hundreds of millions of Android devices. The flaw exists within the mobile Remote Support Tools, which are intended to enable screen sharing and simulated taps for tech support purposes. Unfortunately, the way mRSTs validate the remote operator is easy to exploit. Because the software is designed to allow both monitoring of a device's screen and simulated input, the potential for misuse is quite serious. The flaw was disclosed to manufacturers a month ago. HTC, for one, has confirmed it is already starting to roll out a fix.
It's not HTC's responsibility to patch all devices. Each manufacturer has a different hardware configuration and usually runs their own "flavor" of Android - HTC's version of Android is different from Samsung's, which is different from Google's. It's not simply a case of Google saying "fix it" and shipping patches to every single Android device out there. Google doing that would be like the Debian group trying to ship Debian patches to Ubuntu - it wouldn't work.
HTC is merely saying "We're stepping up as soon as possible to patch devices that originated from us, starting with the HTC One M9."
You think you have it bad? My barely two-year-old Xperia Z Ultra, another "flagship", has already been pretty much abandoned, after releasing a half-assed update to Lollipop with many bugs introduced which make you question if they even *have* a QA department (tapping the alarm icon in the status bar, for example, fails to open the alarm app... as it does in kk), I assume to please the masses.
Their "user forums" are filled with idiots who either can't use their phones or poor sods who face actual problems but more often than not are asked to do a factory reset.
Android had such potential, but Google only needs it to be popular for ad views thus it has become a shit operating system, development cycle and "ecosystem" in general.
Looking for people to chat about multicopters, coding, music. skype: gtsiros
Really, HTC *should* be responsible since they are the ones that customized it in a way that you could not just take straight patches from Google.
It's even more than that, since the security vulnerability in this case was added by HTC. There are no remote support tools in the base Android platform, and therefore no insecure remote support tools.
No Nexus devices have this problem.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.