There must be a glitch in the Matrix. I feel like I'm writing the same news again and again. A pair of researchers from IBM's X-Force Application Security Research Team has discovered a set of vulnerabilities in Android and some popular app SDKs. The worst of the bugs can let a seemingly innocuous app run arbitrary code on the device, and it's present in Android versions 4.3 and above—affecting 55% of handsets worldwide. Check out the proof-of-concept video, where the Facebook app is replaced with Fakebook:
Both Google and the SDK makers have provided patches for their respective software, but as always, updates for non-Nexus devices must go through OEMs and carriers, so there's no word on when users will actually have fixes for their handsets. The researchers claim they have yet to see any exploits in the wild, but that could change at any moment.
The main vulnerability lies in how a piece of Android's code (specifically, the OpenSSLX509Certificate class) handles serialization during inter-process communication (IPC). A malicious app that needs no special permissions from the user can exploit the bug to inject malicious code into IPC requests. By doing so, the malicious app can gain system-level permissions.
The researchers also found similar vulnerabilities in some app SDKs. They surveyed 37,701 apps and discovered that a number of those were exploitable. Furthermore, the vulnerable apps all relied on the same set of six SDKs. The tools in question all misused a low-level toolkit called SWIG, which led to a code injection vulnerability similar to the one presented above. In this context, a malicious program could exploit a vulnerable app to gain the same level of permissions as the target, potentially gaining full access to that app's data and capabilities.
Full details of these exploits are available in IBM Security's research paper.