Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image (csoonline.com)
An innocent-looking image -- sent either via the internet or text -- could open your Android phone up to hacking. "While this certainly doesn't apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids -- those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0)," reports CSO Online. From the report: The latest bulletin lists 42 vulnerabilities in total -- 11 of which are rated as critical. The most severe critical flaw is in Framework; it "could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process." Although Google had no report of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw for real-world attacks. Android owners were urged to patch as soon as security updates become available. But let's get real: Even if your Android still receives security updates, there's no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.
Dude, it's Android: you can choose any one of zero security patches provided by your OEM.
I got one update to my phone, once, to 5.5.1.
I have a 6 year old Galaxy tablet that still gets security updates from Samsung. I've never kept a phone for longer than two years or so, so I can't speak to that.
You can use this bug to execute privileged code? I assume that means as root. If someone publishes example code at some point, we could get a really convenient way to root phones. Maybe I should avoid updates for a while.
This is no big deal. Since there is no hope of getting any security updates for my Android devices from the fantastic hardware vendors and network providers, I'll just browse the web on my Android devices using lynx from now on. Thanks guys! Thanks a lot! Really appreciate y'all locking down these devices so hard to prevent malicious third-party open source developers from flashing custom boot ROMs over your fantastic OEM build.
I have an LG from 2016 and they haven't released any OS updates since 2017.
More OS memory access bugs, yay.
According to this breakdown, 88% of Android OS is written in Java, C, and C++ -- all of which are notorious for memory access bugs (in the runtime environment, in the case of Java). Perhaps the #1 security best practice should be to use a language designed to be memory safe. Right below that would be "don't try to bolt on security to insecure software."
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
As an Android user, this is pretty shitty. If it allows arbitrary code execution in privileged context, that means your phone can be rooted just by looking at a web page. Once that happens, you need to restore a clean firmware image or you simply can't trust the phone. That's far worse than being able to access camera/mic if a feature isn't disabled.
But you're not smug at all right?
You don't know if it's being exploited. You don't know if it has to be crafted for a specific phone. You don't know how many phones will actually get that update.
The FaceTime bug was mitigated very soon after disclosure for every single device simultaneously.
Most Android users would love to have the "problem" of having to have the latest OS. Any iPhone user susceptible to the bug already had iOS 12.
All phones suffer when their batteries are old. It's harder to notice when the device runs like shit out of the box.
Reading the bulletin though it only works when the process that triggers it is privileged in the first place. So there is no privilege escalation. So there isn't a way that this exploit could root a phone.
I'm sure there are things that this could be used for. But it can't get out of the particular sandbox the application that views the PNG is sitting in.
Why can't non-x86 world ever get its shit together? One unified Windows or Linux image installs on countless hundreds of different x86 things.
Meanwhile everywhere else it's always bake a custom rom specific to each and every variant of every device. Why is it still tolerated? The old excuses of abstraction costing too much made sense 20 years ago. Today it's a joke/lame excuse for tolerating the indefensible.
Wwwwaaaaayyyy past time to fire the cooks.
Obviously we need complex multimedia formats that are decoded by C code complete with buffer overflows all running in kernel mode.
But what would be even better is if the PNG could contain JavaScript inside it. Why limit the output to just a few algorithms? With JavaScript running actually inside the PNG much greater compression could be achieved for many applications. More importantly, a whole new plethora of animation techniques could be developed.
Indeed, if that JavaScript within the PNG was used to implement a Virtual Machine, a whole sub operating system could run inside that image. Just think of the possibilities!
We need more, Lots more. Of stuff.
If, as the summary suggests, this allows arbitrary code to run with elevated permissions simply by viewing a PNG image, then this could be exploited to install malware that runs as root with access to all the data on your device, all your accounts, ability to modify any app, etc. That's pretty fucked up. (Yeah I know summaries can be misleading, but I have a relatively low UID so I've been conditioned over years to never RTFA.)
The x86 - or rather, the IBM-compatible - world is vastly different to the ARM world when it comes to system design. The entire family tree of x86-derived machines have gravitated towards open, or at least easily-licensed and inter-operable, hardware standards over the decades. Manufacturers want to keep their hardware reasonably compatible with everyone else, lest they be shut out of the market for being too 'niche'.
ARM, on the other hand, is almost the exact opposite. An ARM computer is often a custom-built hodge-podge of licensed hardware modules fitted around whatever ARM core the manufacturer licensed and etched onto silicon. Sound, graphics, memory, and other functions are not plug-and-play replaceable add-ons, but a custom chipset that the system designer picked out and configured. These bespoke system configurations will also have to contend with limitations on driver support and possibly the need to hand-configure settings.
Google has tried to correct this, and pull manufacturers to a more standardized system that would let Google handle a lot of the hard work, but this was never the norm in the embedded space.
Malicious PNG
All of those ARM chips (in Android) use GCC, an open compiler, so it isn't the chip that's causing problems. Most of the drivers are all open-sourced (the kernel is GPL, so they more-or-less have to), so it's not the hardware that's a problem.
The main problem is locked boot-loaders. If you can't install a custom ROM on a phone, that's probably the reason.
"First they came for the slanderers and i said nothing."
Actually drivers are the problem. Particularly drivers for radios.
In order to pass certification for things like FCC the drivers need to be certified too. If they were open source then the user could just crank up the transmit power on their cellular modem or wifi to illegal levels, and I imagine that the network operators wouldn't be too happy about it either.
This affects the x86 world too. Some laptops have a list of acceptable wifi cards baked into the BIOS. If you try to fit a non-certified one it won't work. Reason being that when you have 3 antennas they could potentially all be used to exceed acceptable transmission power limits if the user fits any random card, so the manufacturer has to limit to ones tested by the FCC etc. to never do that.
Having said that, Google has largely fixed this now. Modern versions of Android can be patched by the Play Store services directly, and indeed in this case the issue has been mitigated that way even if the manufacturer doesn't supply updates.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Lesbian porn is gay.
The custom ROMs use the binary blob radio drivers from the official ROMs.