Android Zero-Day Panic as Ancient Linux Flaw Forgotten

A bunch of fairly recent Android phones suffer from a nasty zero-day vulnerability. And it was Google that found it.

The flaw is currently being exploited, but it’s not clear by whom. Patches won’t be available immediately.

If they’re ever available, that is. In today’s SB Blogwatch, we switch to Airplane mode.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Sia-ish.


UAF LPE FAIL

What’s the craic? Dan Goodin warns of, “0-day vulnerability that gives full control”:

 There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero … said. [But] NSO representatives … said the “exploit has nothing to do with NSO.”

The use-after-free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14. [But] the patches never made their way into Android security updates. That would explain why earlier Pixel models are vulnerable and later ones are not.

While the vulnerability … is serious, vulnerable Android users shouldn’t panic. The chances of being exploited by attacks as expensive and targeted as the one described by Project Zero are extremely slim. Just the same, it may make sense to hold off installing non-essential apps and to use a non-Chrome browser until after the patch is installed.

Yikes. So what next? Phillip Prado effects a headline—“Android zero-day exploit”:

 A patch is now available on the Android Common Kernel and Android partners have been informed. The Pixel 1 and 2 will receive the Android exploit patch updates this month.

So the carriers will issue a quick patch, right? Right? Graeme Burton brings bad news—“Android zero-day gives hackers full control”:

 While Android had a reputation for lax security, Google has done much to tighten up in recent years – so much so that Android security flaws now fetch a premium in the open market over Apple iOS flaws. Nevertheless, new Android security flaws of varying sophistication are emerging all the time.

A large element of Android insecurity, though, is down to a lack of rigorous patching by the large number of providers, not to mention the mobile operators that supply them.

Fair point. ZVNexus offers this advice:

 Never buy from carriers. Always buy an unlocked model that you know will get updates as soon as [the vendor] pushes them out.

Who found it? Google Project Zero’s Maddie Stone—“Use-After-Free in Binder driver”:

 The following issue exists in the android-msm-wahoo-4.4-pie branch. … There is a use-after-free of the wait member in the binder_thread struct.

This issue was patched in Dec 2017 in the 4.14 LTS kernel, AOSP android 3.18 kernel, AOSP android 4.4 kernel, and AOSP android 4.9 kernel. … Devices which appear to be vulnerable:

1) Pixel [1 and] 2 …
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) Oppo A3
7) Moto Z3
8) Oreo LG phones …
9) Samsung S7, S8, S9
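The bug class Stone names (a wait queue embedded in a heap object that is freed while a poller still holds a pointer into it) is easy to reproduce in miniature. The following C program is an added illustration, not Project Zero's proof of concept and not the kernel's Binder code: it models a thread object with an embedded wait-queue head, an epoll-style entry that links itself onto that queue, a release path that frees the object without detaching the waiter (the vulnerable shape) and one that detaches first (the fixed shape). The kernel's December 2017 fix wakes the queue with POLLFREE so epoll drops its reference; here the detach is done directly. All names (`sim_thread`, `poll_entry`, `run_scenario`) are invented for the example, and the four-slot arena with a liveness bit stands in for a sanitizer so a dangling access is reported rather than being undefined behaviour.

```c
/* Simulation of a wait-queue use-after-free: freeing an object whose
 * embedded wait-queue head still has a waiter linked onto it.
 * Added example; names are hypothetical and not the kernel's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Intrusive doubly linked list, same shape as the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}

/* Stand-in for wait_queue_head_t: just the list of waiters. */
struct wait_queue_head { struct list_head head; };

/* Stand-in for binder_thread: the queue is embedded, so it dies with the thread. */
struct sim_thread {
    int pid;
    struct wait_queue_head wait;
};

/* Stand-in for the epoll entry that remembers which queue it joined. */
struct poll_entry {
    struct list_head link;          /* linked into sim_thread.wait.head; must stay first */
    struct wait_queue_head *whead;  /* dangling pointer after a bad release */
};

/* Tiny allocator with a liveness bit so a dangling dereference is
 * detected instead of being undefined behaviour (a crude KASAN). */
#define SLOTS 4
static struct sim_thread arena[SLOTS];
static bool live[SLOTS];

static struct sim_thread *thread_alloc(int pid) {
    for (int i = 0; i < SLOTS; i++) {
        if (!live[i]) {
            live[i] = true;
            arena[i].pid = pid;
            list_init(&arena[i].wait.head);
            return &arena[i];
        }
    }
    return NULL;
}
static void thread_free(struct sim_thread *t) {
    live[t - arena] = false;
    memset(t, 0x6b, sizeof *t);   /* poison the freed object, as SLUB does */
}
/* Is this wait-queue head still inside a live thread object? */
static bool whead_live(const struct wait_queue_head *w) {
    for (int i = 0; i < SLOTS; i++)
        if (w == &arena[i].wait) return live[i];
    return false;
}

/* poll(): the epoll entry registers itself on the thread's wait queue. */
static void thread_poll(struct sim_thread *t, struct poll_entry *e) {
    e->whead = &t->wait;
    list_add(&e->link, &t->wait.head);
}

/* Vulnerable release: frees the thread while e->link is still on its queue. */
static void thread_release_vuln(struct sim_thread *t) { thread_free(t); }

/* Fixed release: detach every waiter first, so no one keeps a pointer in. */
static void thread_release_fixed(struct sim_thread *t) {
    struct list_head *p, *n;
    for (p = t->wait.head.next; p != &t->wait.head; p = n) {
        n = p->next;
        struct poll_entry *e = (struct poll_entry *)p;  /* link is the first member */
        list_del(&e->link);
        e->whead = NULL;   /* the waiter forgets the queue, like POLLFREE */
    }
    thread_free(t);
}

/* epoll teardown: unlink from the remembered queue.
 * Returns true if that would have touched freed memory. */
static bool poll_entry_remove(struct poll_entry *e) {
    if (!e->whead) return false;           /* already detached by the fixed release */
    bool uaf = !whead_live(e->whead);
    if (!uaf) list_del(&e->link);          /* only walk the list while it is valid */
    e->whead = NULL;
    return uaf;
}

/* Run poll -> release -> epoll teardown; returns whether a UAF occurred. */
static bool run_scenario(bool fixed) {
    struct poll_entry ep;
    struct sim_thread *t = thread_alloc(1234);
    thread_poll(t, &ep);
    if (fixed) thread_release_fixed(t); else thread_release_vuln(t);
    return poll_entry_remove(&ep);
}

int main(void) {
    printf("vulnerable release: %s\n", run_scenario(false) ? "use-after-free" : "clean");
    printf("fixed release:      %s\n", run_scenario(true) ? "use-after-free" : "clean");
    return 0;
}
```

The point the simulation makes is the one that matters for the real bug: the dangling pointer is not in the freed object but in a second, longer-lived object (the poller), which is why the free itself looks innocent and the crash, or the overwrite once the slot is reused, only shows up on the poller's teardown path.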

What a mess. typical182 says it’s typical:

 To me, the biggest part of this story is:

1. Over two years ago, this was apparently detected automatically by the syzkaller kernel fuzzer, and automatically reported on its public mailing list.

2. Over a year and a half ago, it was apparently fixed in the upstream kernel.

3. It was apparently never merged back to various “stable” kernels, leading to the recent CVE.

4. This is apparently a super common sequence of events, with kernel vulnerabilities getting lost in the shuffle, or otherwise not backported to “stable” kernels.

Dmitry Vyukov (original author of syzkaller fuzzer that found this 2 years ago) gave a very interesting talk on how frequently this happens a couple weeks ago at the Linux Maintainer’s Summit, along with some discussion of how to change kernel dev processes to try to dramatically improve things.

And gTsiros is deeply unsympathetic:

 this is merely an indication and consequence of modern software being utter trash.

use-after-free ? seriously? What’s next? getting owned due to an off-by-one error?

and more than that, anyone with a two year old device won’t be getting a patch… which is like what? 50%? 60%? 40% of all android devices? (not just phones; think tablets, drones, ICEs, fridges, bathroom scales or whatever else they shoved it into).

This is fine, as hansmuff seems to say:

 Yeah, so shout-out to TMOBILE USA for having my Samsung S9+ on the JULY security update. I guess you got enough money from that sale to not care anymore.

Meanwhile, arglebargle_xiv imagines the industry’s real attitude:

 Please throw away your current phone, wait six months, buy the latest model, and see if it’s running a patched version of Android. If not, repeat as often as required.

And Finally:

Chandelier


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: gfk DSGN (Pixabay)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
