Android Zero-Day Panic as Ancient Linux Flaw Forgotten

A bunch of fairly recent Android phones suffer from a nasty zero-day vulnerability. And it was Google that found it.

The flaw is currently being exploited, but it’s not clear by whom. Patches won’t be available immediately.

If they’re ever available, that is. In today’s SB Blogwatch, we switch to Airplane mode.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Sia-ish.


UAF LPE FAIL

What’s the craic? Dan Goodin warns of, “0-day vulnerability that gives full control”:

 There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero … said. [But] NSO representatives … said the “exploit has nothing to do with NSO.”

The use-after-free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14. [But] the patches never made their way into Android security updates. That would explain why earlier Pixel models are vulnerable and later ones are not.

While the vulnerability … is serious, vulnerable Android users shouldn’t panic. The chances of being exploited by attacks as expensive and targeted as the one described by Project Zero are extremely slim. Just the same, it may make sense to hold off installing non-essential apps and to use a non-Chrome browser until after the patch is installed.

Yikes. So what next? Phillip Prado effects a headline—“Android zero-day exploit”:

 A patch is now available on the Android Common Kernel and Android partners have been informed. The Pixel 1 and 2 will receive the Android exploit patch updates this month.

So the carriers will issue a quick patch, right? Right? Graeme Burton brings bad news—“Android zero-day gives hackers full control”:

 While Android had a reputation for lax security, Google has done much to tighten up in recent years – so much so that Android security flaws now fetch a premium in the open market over Apple iOS flaws. Nevertheless, new Android security flaws of varying sophistication are emerging all the time.

A large element of Android insecurity, though, is down to a lack of rigorous patching by the large number of providers, not to mention the mobile operators that supply them.

Fair point. ZVNexus offers this advice:

 Never buy from carriers. Always buy an unlocked model that you know will get updates as soon as [the vendor] pushes them out.

Who found it? Google Project Zero’s Maddie Stone—“Use-After-Free in Binder driver”:

 The following issue exists in the android-msm-wahoo-4.4-pie branch. … There is a use-after-free of the wait member in the binder_thread struct.

This issue was patched in Dec 2017 in the 4.14 LTS kernel, AOSP android 3.18 kernel, AOSP android 4.4 kernel, and AOSP android 4.9 kernel. … Devices which appear to be vulnerable:

1) Pixel [1 and] 2 …
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) Oppo A3
7) Moto Z3
8) Oreo LG phones …
9) Samsung S7, S8, S9

What a mess. typical182 says it’s typical:

 To me, the biggest part of this story is:

1. Over two years ago, this was apparently detected automatically by the syzkaller kernel fuzzer, and automatically reported on its public mailing list.

2. Over a year and a half ago, it was apparently fixed in the upstream kernel.

3. It was apparently never merged back to various “stable” kernels, leading to the recent CVE.

4. This is apparently a super common sequence of events, with kernel vulnerabilities getting lost in the shuffle, or otherwise not backported to “stable” kernels.

Dmitry Vyukov (original author of syzkaller fuzzer that found this 2 years ago) gave a very interesting talk on how frequently this happens a couple weeks ago at the Linux Maintainer’s Summit, along with some discussion of how to change kernel dev processes to try to dramatically improve things.

And gTsiros is deeply unsympathetic:

 this is merely an indication and consequence of modern software being utter trash.

use-after-free ? seriously? What’s next? getting owned due to an off-by-one error?

and more than that, anyone with a two year old device won’t be getting a patch… which is like what? 50%? 60%? 40% of all android devices? (not just phones; think tablets, drones, ICEs, fridges, bathroom scales or whatever else they shoved it into).

This is fine, as hansmuff seems to say:

 Yeah, so shout-out to TMOBILE USA for having my Samsung S9+ on the JULY security update. I guess you got enough money from that sale to not care anymore.

Meanwhile, arglebargle_xiv imagines the industry’s real attitude:

 Please throw away your current phone, wait six months, buy the latest model, and see if it’s running a patched version of Android. If not, repeat as often as required.

And Finally:

Chandelier


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: gfk DSGN (Pixabay)

Featured eBook
Open Source Security: Weighing the Pros and Cons

Open Source Security: Weighing the Pros and Cons

Over the past few years, open source has grown in popularity, especially among developers using open source code in their application development efforts. Open source software offers incredible benefits to enterprises IT and development efforts. Free, available software libraries mean cost savings, easy customization, speed, agility and flexibility for development and IT teams. There are ... Read More
Security Boulevard

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 85 posts and counting.See all posts by richi