Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Android Phones Hijackable With Chrome Exploit (theregister.co.uk)

Posted by ryuzaki0 on from the don't-even-go-there dept.

mask.of.sanity writes: Google's Chrome for Android has been popped with a single exploit that could lead to the compromise of any handset. The exploit, showcased at MobilePwn2Own at the PacSec conference, targets the JavaScript v8 engine and compromises phones when users visit a malicious website. It is also notable in that it is a single clean exploit that does not require chained vulnerabilities to work.

7 of 45 comments (clear)

  1. Not yet disclosed by unencode200x · · Score: 4, Interesting

    From TFA "acSec Google's Chrome for Android has been popped in a single exploit that could lead to the compromise of any handset.

    The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo yesterday but not disclosed in full detail, targets the JavaScript v8 engine. It can probably hose all modern and updated Android phones if users visit a malicious website"

    --

    Chance favors the prepared mind.
    Perfect is the enemy of good.
    1. Re:Not yet disclosed by unencode200x · · Score: 2

      Actually, my bad, TFA says there was someone from Google there who got a copy of it. Interesting though. They say all that needed to be done is to go to this website and with only one vul you own the phone w/o user interaction.

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
  2. Well at least it won't require an OS update to fix by Karlt1 · · Score: 4, Interesting

    Since Google can update Chrome for Android without requiring the OEM's and the carriers, it's not as bad as most Android security vulnerabilities.

  3. Re:You know what they say... by Coren22 · · Score: 2

    Go app yourself.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  4. No chained vulnerabilities? Really? by Greger47 · · Score: 4, Interesting

    It is also notable in that it is a single clean exploit that does not require multiple chained vulnerabilities to work, the researchers say.

    I have a hard time believing that. On Android V8 and the rest of the layout engine run in a restricted sandbox service that has no permissions to install apps.

    In addition to exploiting V8 they must be using a separate privilege escalation in the Android userspace or Linux kernel to install the APK, especially if there is no interaction needed like accepting the standard install dialog.

    I'm sure curious to hear the real story when Google releases a fix.

    /greger

  5. Re:Well at least it won't require an OS update to by meerling · · Score: 2

    Javascript was named Livescript before the whole Java thing became super buzzworth so they changed the name to grab some coattail action.
    It seems to have worked for them, but it doesn't change the fact that Javascript and Java are NOT the same thing.

  6. Wait, *javascript* is vulnerable? by cfalcon · · Score: 3, Interesting

    Man, I'm so surprised that the problem happened with javascript. It's just so unprecedented that javascript would have a vulnerability. It has such a good history, you know, of safety.

    Not that I'm speaking in favor of Chrome here either- the rumored ios exploit used the ios version of chrome, and it's not been the most secure browser or anything on Windows.

    But I just don't understand why every browser jumps through every hoop possible to fully support even the stupidest javascript everything. On a PC you need a bunch of special addons to limit the damage, and generally your options are "block all scripts" or "allow all scripts", with no ability to say "allow scripts that don't X, Y, or Z". Browsers should absolutely allow more restrictive profiles here, and probably the default should not fully implement javascript, which maintains its record of pile of shit virus vector for twenty years straight.