Slashdot Mirror
Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image (csoonline.com)
An innocent-looking image -- sent either via the internet or text -- could open your Android phone up to hacking. "While this certainly doesn't apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids -- those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0)," reports CSO Online. From the report: The latest bulletin lists 42 vulnerabilities in total -- 11 of which are rated as critical. The most severe critical flaw is in Framework; it "could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process." Although Google had no report of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw for real-world attacks. Android owners were urged to patch as soon as security updates becomes available. But let's get real: Even if your Android still receives security updates, there's no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.
You can use this bug to execute privileged code? I assume that means as root. If someone publishes example code at some point, we could get a really convenient way to root phones. Maybe I should avoid updates for a while.
But youâ(TM)re not smug at all right?
You don't know if it 's being exploited. You don 't know if it has to be crafted for a specific phone. You don 't know how many phones will actually get that update.
The FaceTime bug was mitigated very soon after disclosure for every single device simultaneously.
Most Android users would love to have the "problem " of having to have the latest OS. Any iPhone user susceptible to the bug already had iOS 12.
All phones suffer when their batteries are old. It's harder to notice when the device runs like shit out of the box.
Why can't non-x86 world ever get its shit together? One unified Windows or Linux image installs on countless hundreds of different x86 things.
Meanwhile everywhere else it's always bake a custom rom specific to each and every variant of every device. Why is it still tolerated? The old excuses of abstraction costing too much made sense 20 years ago. Today it's a joke/lame excuse for tolerating the indefensible.
Wwwwaaaaayyyy past time to fire the cooks.
The x86 - or rather, the IBM-compatible - world is vastly different to the ARM world when it comes to system design. The entire family tree of x86-derived machines have gravitated towards open, or at least easily-licensed and inter-operable, hardware standards over the decades. Manufacturers want to keep their hardware reasonably compatible with everyone else, lest they be shut out of the market for being too 'niche'.
ARM, on the other hand, is almost the exact opposite. An ARM computer is often a custom-built hodge-podge of licensed hardware modules fitted around whatever ARM core the manufacturer licensed and etched onto silicon. Sound, graphics, memory. and other functions are not plug-and-play replaceable add-ons, but a custom chipset that the system designer picked out and configured. These bespoke system configurations will also have to contend with limitations on driver support and possibly the need to hand-configure settings.
Google has tried to correct this, and pull manufacturers to a more standardized system that would let Google handle a lot of the hard work, but this was never the norm in the embedded space.
Malicious PNG
All of those ARM chips (in Android) use GCC, an open compiler, so it isn't the chip that's causing problems. Most of the drivers are all open-sourced (the kernels is GPL, so they more-or-less have to), so it's not the hardware that's a problem.
The main problem is locked boot-loaders. If you can't install a custom ROM on a phone, that's probably the reason.
"First they came for the slanderers and i said nothing."