Relying on other projects has its advantages and disadvantages – on the one hand, we can relieve, reach for a ready-made solution, while the other take on the shoulders of problems not only his, but that also projects what is decided. Discovered this just Google employees and Android users. In this system, we discovered a very serious loophole that allows circumvent the entire model of security and gain root permissions type. It is true infection it is necessary to consciously install and run the application from outside the official channels and secure software distribution, although for the respectively, encouraged (eg. Deceived) user this will not pose any problem. This gap also shows sluggishness and weird action programmers Google.
Google employees fail to implement amendments to the Linux kernel – why did not they, and endanger the unit to attack?
Problem It does not apply strictly Android, but the Linux kernel, which is used in this system – a gap identified as CVE-2015-1805 was discovered in April 2014 but patched until the beginning of March 2015. So long it was due to the fact that it has never been considered a security risk. A slightly different situation is in the case of Android: here its use makes it possible to bypass the entire security system and gain root privileges. Google investigated the matter and found the applications that use it both in the Play Store, and beyond. Mechanisms analysis applications have therefore been updated.
Here is a curious same course of events: the Linux kernel has been patched it is true a year ago, but the developers Google for unknown reasons anyone fail to implement the required improvements to the kernel used in Android. As a result, in February, there was a notification from CORE team, and a few days ago from a company Zimperium, who won fame already discovered vulnerabilities Stagefright. In both cases they relate to successful attacks on the devices in the series Nexus, so the latest versions of Android. The company has already released relevant amendments and joined it to the repository project AOSP – March 16 released the security update for devices that use the system provided by Google, its users should therefore install the latest patches to protect Android.
Pure Android store and Google Play are already safe. What about the rest of the devices? Well, it’s hard to count on upgrades.
The vulnerability does not apply to smartphones and tablets, which uses the Android kernel 3.18 or later. In other cases, equipment manufacturers should reach the AOSP repository and issue updates (which, unfortunately, in the world of Android, you can not expect more). Sam gap will probably be quickly used as another way to consciously and quickly unlock access root – have a history of similar cases, an example could be an application Towelroot. Currently, the Google Play store is already protected, malicious applications using this loophole has been removed from it.
Source: Android Security Advisory
No comments:
Post a Comment