Friday, March 18, 2016

Vulnerability endangers millions of Android devices – Computerworld

Millions of Android devices are vulnerable again after researchers discovered a new way to exploit an old vulnerability that had been repaired earlier by Google.

NorthBit, a security company based in Israel, published an article describing “Metaphor,” a nickname for the new loophole found in Stagefright, Android's multimedia library.

The attack has no effect on devices running versions from 2.2 to 4.0, 5.0 and 5.1, the company said.

According to NorthBit, the attack works “best” on Google Nexus 5 devices and, with some modifications, on the HTC One, LG G3 and Samsung S5.

The attack is an extension of others developed for CVE-2015-3864, a remote code execution vulnerability that Google had already noticed twice.

The security company Zimperium found the first flaws in Stagefright in early 2015, when millions of devices were affected. Since then, Google has repeatedly issued patches for the holes in Stagefright that analysts continued to find.

NorthBit published a video showing a successful attack, which requires a bit of social engineering. The victim is led to click on a link and stay on a specific web page for some time while the exploit runs. It can take from a few seconds to two minutes for the exploit to finish its work.

In the video, the victim, using a Nexus 6, opens a link that leads to a page with pictures of cats, while NorthBit shows the exploit at work.

The company estimates that around 235,000 Android devices run versions 5.0 and 5.1 and about 40 million run version 2.2.

Chris Eng, vice president of research at Veracode, said it is likely that Google will resolve the issue quickly. But the distribution of Stagefright patches has been uneven.

“Repairing application vulnerabilities is especially challenging for the Android community, with a number of different manufacturers and operators responsible for directing the repairs to the devices,” said Eng.

Google could not immediately be reached for comment.
