Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Android Phones Hijackable With Chrome Exploit (theregister.co.uk)

Posted by ryuzaki0 on from the don't-even-go-there dept.

mask.of.sanity writes: Google's Chrome for Android has been popped with a single exploit that could lead to the compromise of any handset. The exploit, showcased at MobilePwn2Own at the PacSec conference, targets the JavaScript v8 engine and compromises phones when users visit a malicious website. It is also notable in that it is a single clean exploit that does not require chained vulnerabilities to work.

24 of 45 comments (clear)

  1. Not yet disclosed by unencode200x · · Score: 4, Interesting

    From TFA "acSec Google's Chrome for Android has been popped in a single exploit that could lead to the compromise of any handset.

    The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo yesterday but not disclosed in full detail, targets the JavaScript v8 engine. It can probably hose all modern and updated Android phones if users visit a malicious website"

    --

    Chance favors the prepared mind.
    Perfect is the enemy of good.
    1. Re:Not yet disclosed by unencode200x · · Score: 2

      Actually, my bad, TFA says there was someone from Google there who got a copy of it. Interesting though. They say all that needed to be done is to go to this website and with only one vul you own the phone w/o user interaction.

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    2. Re:Not yet disclosed by sexconker · · Score: 1

      What devices? I bet you can root, but not get perma root.

      This attack still wouldn't unlock the bootloader for some of the more locked-down devices.

    3. Re:Not yet disclosed by sad_ · · Score: 1

      Not disclosed, but that doesn't mean it is unknown. Some other, blackhat hacker may be aware of and using it already, perhaps even months/years before it's recent public discovery.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
    4. Re:Not yet disclosed by wardrich86 · · Score: 1

      I'd be happy with a soft root on my S5. I'm still under warranty so I don't want to trip Knox just yet. As far as I know, though, there's no option aside from flashing with an S5 on Lollipop.

  2. Well at least it won't require an OS update to fix by Karlt1 · · Score: 4, Interesting

    Since Google can update Chrome for Android without requiring the OEM's and the carriers, it's not as bad as most Android security vulnerabilities.

  3. Does it work on the Blackberry Priv? by barlevg · · Score: 1

    Really curious how effective all of Blackberry's hardening techniques really ended up being.

  4. Re:You know what they say... by Coren22 · · Score: 2

    Go app yourself.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  5. No chained vulnerabilities? Really? by Greger47 · · Score: 4, Interesting

    It is also notable in that it is a single clean exploit that does not require multiple chained vulnerabilities to work, the researchers say.

    I have a hard time believing that. On Android V8 and the rest of the layout engine run in a restricted sandbox service that has no permissions to install apps.

    In addition to exploiting V8 they must be using a separate privilege escalation in the Android userspace or Linux kernel to install the APK, especially if there is no interaction needed like accepting the standard install dialog.

    I'm sure curious to hear the real story when Google releases a fix.

    /greger

    1. Re:No chained vulnerabilities? Really? by Greger47 · · Score: 1

      Yea you are right, that sounds like a plausible way to do it.

      A notification will still show up, but the app will probably have time to launch it's malicious payload using a broadcast receiver or such before the user has a chance to do anything about it.

      /greger

    2. Re:No chained vulnerabilities? Really? by swillden · · Score: 1

      Yea you are right, that sounds like a plausible way to do it.

      A notification will still show up, but the app will probably have time to launch it's malicious payload using a broadcast receiver or such before the user has a chance to do anything about it.

      /greger

      Well, it would require getting a malicious app into Play, and the user would still have to launch the app after installing it. Getting a malicious app into Play used to be easy but now they're scanned before publishing, and the scanner is pretty good these days.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:No chained vulnerabilities? Really? by swillden · · Score: 1

      and the user would still have to launch the app after installing it

      I should say "and the user would still have to launch the app after it's installed, unless the attacker can find and exploit a bug in the code that unpacks and compiles the APK".

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. Re:Well at least it won't require an OS update to by BradleyUffner · · Score: 1

    Java was touted as to be secure write-once, run-everywhere. Impervious to trivial things like heap overflows and buffer overruns.

    This is an exploit in JavaSCRIPT, not Java.

  7. Re:Well at least it won't require an OS update to by meerling · · Score: 2

    Javascript was named Livescript before the whole Java thing became super buzzworth so they changed the name to grab some coattail action.
    It seems to have worked for them, but it doesn't change the fact that Javascript and Java are NOT the same thing.

  8. Re:Well at least it won't require an OS update to by viperidaenz · · Score: 1

    Java code is impervious to trivial things like heap overflows and buffer overruns.

    The JVM itself, is a regular C/C++ application and is not.

    Also, this has nothing at all to do with Java, it's a JavaScript virtual machine, written in C++.

  9. Wait, *javascript* is vulnerable? by cfalcon · · Score: 3, Interesting

    Man, I'm so surprised that the problem happened with javascript. It's just so unprecedented that javascript would have a vulnerability. It has such a good history, you know, of safety.

    Not that I'm speaking in favor of Chrome here either- the rumored ios exploit used the ios version of chrome, and it's not been the most secure browser or anything on Windows.

    But I just don't understand why every browser jumps through every hoop possible to fully support even the stupidest javascript everything. On a PC you need a bunch of special addons to limit the damage, and generally your options are "block all scripts" or "allow all scripts", with no ability to say "allow scripts that don't X, Y, or Z". Browsers should absolutely allow more restrictive profiles here, and probably the default should not fully implement javascript, which maintains its record of pile of shit virus vector for twenty years straight.

    1. Re:Wait, *javascript* is vulnerable? by cfalcon · · Score: 1

      You could block the ability to access elements of certain types (if type is application/pdf, don't allow it to be appended to body or etc.).

      You could block the ability of it to retrieve or view anything but a default set of variables (font list fingerprinting, end it pls- you could fix this in CSS with a setting too, while you are at it)

      You could block the ability of it to EVER trigger a goddamned thing on the right mouse button. You could replace that with some alternate control, such that right mouse button continues to work.

      You could disable the ability of it to load another page.

      You could disable the ability of it to ever make a dialog box.

      You could allow a hard limit on how much RAM any given script or its descendants can allocate.

      You could have an option for the browser to zero any RAM that the javascript has allocated on deallocation, and before garbage collection.

      Basically, type something into google like "javascript stop user from".

      Now, everything that comes back from that, EVERY SINGLE THING should be able to be blocked in the browser.

      Javascript is vile garbage.

  10. LD_LIBRARY_PATH by emil · · Score: 1

    Can someone please explain to me why LD_LIBRARY_PATH does not point first to a /data/lib directory, where an app-store had a chance of patching a flaw in /system?

    I am updating vlcplayer at least once every three months - why did Google decide to carve the stagefright libraries into /system stone with no hope of updating?

    At least this bug does not impact me - I rooted and torched stock because of the SOP bug, and Chrome just on principle.

  11. Re:Well at least it won't require an OS update to by Sark666 · · Score: 1

    yeah not as bad... you mean on the flipside when it's an OS issue and you're fucked?

  12. Re:Well at least it won't require an OS update to by jrumney · · Score: 1

    Also the stagefright buffer overflow, which the GP mentioned after that was in C code, not Java.

  13. Your Honor! by ThatsNotPudding · · Score: 1

    ...javascript, which maintains its record of pile of shit virus vector for twenty years straight.

    "Objection! The record clearly shows that my clients trash programs holds this title outright!" -- Adobe Space Chicken lawyer.

  14. Re:Well at least it won't require an OS update to by Fnord666 · · Score: 1

    Java is to Javascript as car is to carpet.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  15. Re:Funny by macs4all · · Score: 1

    I've always found the term "morbidly obese" to be funny. Sounds like the name of one of those Scandinavian death metal bands. Imagine four or five fat-assed guys jamming on a stage and the stage collapsing from the weight.

    You mean like THIS?

  16. Re:Funny by macs4all · · Score: 1

    Almost all toilets in North America have a plunger sitting right next to them. That shows forward thinking!

    No, it shows the abomination that is most "Low Flush" toilets.

    Seriously, the low-flush toilet at my work is so lame that you have to literally un-wad (or unroll) the "soiled" toilet paper and "feed it" down the hole like a party-streamer, or else it will instantly clog. And I'm not talking soccer-ball sized wads, neither; more like not even a baseball-size.

    By contrast, my most-excellent (and relatively cheap) Niagara low-flow toilet only gets clogged about once a year or two, no matter how much paper I try to flush. And most of the time, a second flush with clear the clog with no plunging required.

    But then, I did my research before I bought that toilet. $150, and it out-flushes pretty much every other toilet out there. I swear, you can flush a tennis ball. And it has the same 3 inch poop-chute as all the other 'Murican toilets.