Tuesday, August 4, 2015

Researcher waits to release dangerous exploit for Android bug – Tweakers

A working exploit for a dangerous bug in Android's video framework will not yet be released this week. The researcher who discovered the problem was to present the exploit at the Black Hat security conference.

Security researcher Joshua Drake of security firm Zimperium now plans to release the exploit on August 24, he tells Tweakers at the Black Hat security conference in Las Vegas. “Friday I met representatives of mobile operators, who have asked me to wait,” said Drake. Initially he planned to present the exploit Wednesday at Black Hat.

The vulnerability in Android came to light last week. The bug in Android's Stagefright video framework makes it possible to run native code on a vulnerable Android device by sending it a video. This can be done, among other ways, via MMS: in that case merely sending a message is sufficient, because the video is then loaded directly by Android. However, the bug can also be exploited in other ways, for example from the browser or other chat apps. It is not clear whether other chat apps are just as vulnerable as MMS.

Almost all Android devices are vulnerable to the security issue, including Google's Nexus 5. The Nexus 6 is partially patched, but not enough, says Drake. Cyanogen has released a patch for CyanogenMod. The severity of the vulnerability varies by Android version: newer versions have better built-in measures against abuse. Older versions such as Android 4.1 are particularly vulnerable, because an attacker can easily get root access on those devices. Budget phones in particular often run older Android versions and no longer receive updates.

According to Drake, telecom providers in the United States feared a worm that would spread itself among the contacts of affected users. The exploit that Drake intends to release would make it easy for attackers to build such a worm. Yet he still wants to release the exploit. “I’m not going to set off again,” said Drake. If someone else comes out with a working exploit before then, he will release his own version. Chinese researchers have already come close, but do not yet have a complete exploit.

Drake says he wants to create awareness with the exploit. The exploit can actually help to combat the problem: according to Drake, makers of security software and intrusion detection systems, for example, are interested in the details.
