A new report that surfaced today claims that Google has ended support for WebView on Android devices running Android 4.3 or older, a move that could leave users exposed to malicious attacks. WebView is considered a “core component” of Android and is used by applications to display web pages without opening an actual browser session. Starting with Android 5.0 Lollipop, Google decided to unbundle WebView from the core system so updates could be pushed out via the Google Play Store.
The source of the news regarding a lack of updates for Android versions 4.3 or older came from a response by Google’s Android security team to a report of a bug in the AOSP browser which is based on WebView. According to the response to Joe Vennix of Rapid7 and independent researcher Rafay Baloch:
Security researcher Rafay Baloch released information about a vulnerability in the Same Origin Policy (SOP) protection used by browsers running on Android devices. The SOP is used to stop malicious code from spreading from one site to sites that a user has open in other tabs. According to some sources, this vulnerability is “a privacy disaster.” It appears to be limited to the Android Open Source Platform(AOSP) Browser, which has been replaced by Chrome on more recent builds of Android, and does not impact users on Android 4.4 or higher.
Metasploit, a popular vulnerability testing framework, added a new test module that would allow users to test how vulnerable some versions of the Android browser are to being hacked from shell access, and that’s when this exploit was found in Glass. The exploit would involve a man-in-the-middle hijacking that WebView instance, which wouldn’t be too difficult to do if you’re on a public WiFi or anything that isn’t well secured. At that point, the malicious code could do anything from taking photos with your device to remotely turning on your microphone. Definitely not a good thing.
Earlier this week Gibson Security tweeted some information it claimed could be used to exploit Snapchat enabling malicious hackers to match usernames with phone numbers and build a profile of users. Gibson Security also claimed the security holes could allow for the creation of dummy accounts in bulk. According to Gibson Security, they notified Snapchat of the problems last August, but after not seeing any move to correct an issue that supposedly could be fixed with ten lines of code, proceeded with making the exploit public.
Remember that little vulnerability we heard about on Nexus devices that could be maliciously exploited to cause a device to lock up and reboot? Looks like Google has finally added a fix for that in Android 4.2.2, which should be rolling out fairly soon. There are no other camera improvements or anything like that in this update, but according to the 4.4.2 changelog, there were a handful of things that got patched. The most major one is that SMS exploit, but that doesn’t mean the few other things that were patched aren’t appreciated. If you’re a Nexus user, keep an eye out for this update.
An IT administrator named Bogdan Alecu has discovered that Nexus phones receiving a flood of texts may start to function a little bit differently. The Galaxy Nexus, Nexus 4, and Nexus 5 are all effected by this new exploit that causes those phones to reboot, crash the messaging app, or even disable a network connection. While other devices seem to be safe, Alecu advises that he hasn’t tested many others. The bug is coming from Class 0 SMS messages that are not regularly stored on a handset.
A developer has already taken to the Play Store to release a fix. Class0Firewall is a free app that prevents the Class 0 SMS messages from sending your handset into a tailspin. Google has told PCWorld that they are looking into the issue; however, we have no timetable on when to expect a patch.
Source: DefCamp, Class0Firewall (Play Store)
You’ve read that title right folks. Only a few days after the device went on sale do we have an exploit that gives root access to the little HDMI dongle. The folks over at GTVHacker found this exploit. As you know the Chromecast is supposed to be running a simplified version of the ChromeOS however the folks at GTVHacker believe it to be more of a modified Google TV Release. It appears that the bootloader, binaries, init scripts and kernel are from Google TV. This allowed GTVHackers their access.
They’ve been able to build an exploit that allows people to gain a root shell through port 23 via telnet of the device. While this is interesting in itself, Google could send out an update to the dongle and close this loop hole. The team explains the loop hole:
“By holding down the single button, while powering the device, the Chromecast boots into USB boot mode. USB boot mode looks for a signed image at 0×1000 on the USB drive. When found, the image is passed to the internal crypto hardware to be verified, but after this process the return code is never checked! Therefore, we can execute any code at will.”
The GTVHacker’s Wiki page hosts the file and if you feel like tinkering with it you can download it from there. While this news doesn’t mean much for the average person, it was only a matter of time before someone would attempt to exploit the Chromecast. Hit the source link below for a full detailed explanation of how the exploit works. If you’re interested in seeing it in action you can check out the YouTube video after the break. Enjoy!
In December we reported on an exploit that had been discovered in Samsung’s Exynos chips. We have not heard of any malicious activity related to the security hole, though it became a popular vector for rooting devices. After looking into the issue, Samsung has started the process of issue a fix for the vulnerability. The devices and networks include:
- Sprint Galaxy S II Epic 4G Touch: Sprint’s update FL24 will push out to customers over the course of the next month and will receive Sprint’s Connections Optimizer as part of the update.
- T-Mobile Galaxy Note II: The T-Mobile version of the Samsung Galaxy Note II is getting an update dubbed T889UVALL4. T-Mobile is pushing this out over-the-air or users can manually update via Kies.
There are other devices on several carriers that have the same chipset and are vulnerable to the exploit. We anticipate seeing patches and updates rolling out for these devices over the next several days as well now that the ball has started rolling.
source: Android Central
Some bad news is surfacing this weekend for owners of several popular Samsung devices. Members of XDA Developers identified a kernel exploit for devices with certain Exynos processors that could provide root access without flashing the device. According to XDA member alephzain, the vulnerability was discovered on his Samsung Galaxy S III in /dev/exynos-mem. The weakness provides full read/write rights to all physical memory.
A couple of days ago, our own Stacy Bruce reported that the DROID XYBOARD had been rooted. Now, apparently, the developer of this root method, which he calls “Motofail”, is stating that this same exploit works on all current Motorola devices running Gingerbread or Honeycomb.
The Droid 4 root (“Motofail”) should work on all Gingerbread Motorola devices that I know of. The just-released XYBoard root (“XYZ”) should root all Gingerbread and Honeycomb Motorola devices. Both Motofail and XYZ rely on the same vulnerability, but the XYBoard had an additional hurdle in place that required me to exploit a second bug in order to trigger the first one.
This is great news for the modding community. With this root method, dozens of devices can now be rooted, including the Droid 4, Droid RAZR, Droid Maxx, Droid Bionic, Atrix, Atrix 2, Xoom, and many more. Interestingly, reports are coming in that the this exploit is NOT working on the Xoom Family Edition.
This comes on the heels of Motorola’s Ice Cream Sandwich upgrade schedule for many of their devices. Some updates are coming in Q2 or Q3, and some are not coming at all. Perfect timing for those on the “not coming at all” list.