Security Expert Warns of Android Browser Flaw
justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'"
Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.
This is why I love iPhone (Score:4, Funny)
On iOS, vulnerabilities are only used for jailbreaks.
Re: (Score:1)
Yet every iPhone susceptible to that exposure could be updated within 2 weeks. I would like to see Android pull that one off...
If Apple gets around to it, of course.
They've been known to let vulnerabilities go until they can roll them all up into a nice 250MB-or-so patch. [pcworld.com]
Hey, what's the rush? They're not a target.
Re: (Score:1)
Re: (Score:2)
In all seriousness, this is vindication for Apple's integrated model. It's been pointed out for a while now that the Android experience is under control of the carriers [techcrunch.com], which is why they like Android so much. With iOS, you can get your updates directly from Apple the moment you connect your device to iTunes.
This could be just the beginning of the same kind of security headaches that Microsoft endured for years with Windows. The hassle isn't just responding to vulnerabilities; it's also getting those update
Re: (Score:2)
linkbait (Score:3, Informative)
1. Have to know full path to a file to view it.
2. Have to download a file, presumably from someone you don't know and trust.
3. This is in all browser versions, so how exactly does fragmentation factor in?
Like everything else, buzzwords like Android fragmentation guarantee hits.
Re: (Score:2, Informative)
You didn't read TFA did you?
1. Many file paths are standard and known, they are set by the OS or application.
2. The download is automatic, when you visit a malicious website
3. Fragmentation factors in because a fix can't be rolled out quickly (or at all) to the fragmented handsets which may or may not get updates from the OEMs/Carriers.
Re: (Score:2)
So the problem is not fragmentation. The lazy ass OEM is not gonna help you quickly after you purchased something from it. While in the fragmented world of linux distribution you get a fix issued quickly (at least on the major distros, which are not few).
So the real problem is "depending on lazy ass OEM", or "Not Having Control Of Your Device".
Re: (Score:3, Insightful)
Your description would naturally seem to be part of fragmentation.
If you have 20 vendors you can bet that some of them are going to be good about support, some are going to be ok, and some bad. If you have 50 android phones, you can bet some are going to be supported better than others. And so on. This, of course, has both positives and negatives, but it's absolutely part of being fragmented.
If google could rollout a patch to Android OSes that could be applied to any phone and any carrier instantly, then yo
Re: (Score:3, Insightful)
Since iOS and Android seem about diametrically opposed on this front, you can compare that there are a total of 4 models of iPhone -- iPhone, iPhone 3g, iPhone 3gs, iPhone 4.
And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...
When Apple releases an update to iOS (eg the new 4.2.1), it applies to all phones except the original iPhone.
And the original ipod touch.
(which is now just shy of 4 years old)
It was launched almost 4 years ago, i
Re: (Score:1, Troll)
And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...
Oh you're right, that's true, I wasn't thinking about them since Android is only now starting to expand beyond cellphones. However, my point absolutely stands -- of the 9(?) devices/generations, almost all run the exact same version of iOS.
It was launched almost 4 years ago, it wasn't DISCONTINUED almost 4 years ago.)
Given most people had to sign a 3 year contract to get one there are lots of original models still in use. There are lots of original models STILL UNDER CONTRACT.
What country are you in that requires people to sign a 3 year contract?? God, I thought American cellphone contracts were bad, and I've never seen one go beyond 2 years.
I can't say for sure, not knowing what country you are in, but for the US (and I would assume the rest
Re: (Score:2)
What country are you in that requires people to sign a 3 year contract?
Canada.
(and you would have read/understood if you weren't clearly just an Android fanboi)
While I have plenty of issues with Apple as a company, I actually went with a 32GB iPhone 3GS. The fanboi comments are a bit misplaced.
Some may be supported better, some may be able to be community supported, but you can bet a lot of handsets are going to be neglected not too long after release.
Yep. But it's really a question of each manufacturer, and
Re: (Score:2)
Canada
And 3-year contracts are really common in Canada? I had never heard this before...
While I have plenty of issues with Apple as a company, I actually went with a 32GB iPhone 3GS. The fanboi comments are a bit misplaced.
Fair enough. Usually when people make comments like "One is quite enough" re: Apple, they come across as fanbois. My mistake for assuming.
Yep. But it's really a question of each manufacturer, and has very little to do with "Android".
That's my point, comparing iOS to Android is a false comparison. Compare Apple to Motorola to HTC to Samsung to LG to whatever. It's the manufacturer that decides what support is going to be like, not the platform.
I think that's utterly irrelevant. Think about windows. Who sells PCs? Not Microsoft -- think Dell, Gateway, Acer, Asus, HP, Compaq, and so on. Who does the support? Well, it's a little bit more complicated, but basically the vendors and not Microsoft. Yet Windows/Microsoft is what has a hor
Re: (Score:2)
And 3-year contracts are really common in Canada? I had never heard this before...
Yes. Very common. Usually you can take any of a 1 year, 2 year or 3 year contract, but with iPhones it was 3-year only.
But even then the pricing structure is typically heavily skewed to induce the consumer into 3 year contracts. Here's an example from Telus:
529.99 - no contract
479.99 - 1 year
429.99 - 2 year
149.99 - 3 year
That's still pretty messed up.
http://www.telusmobility.com/en/BC/samsung_fascinate/index.shtml [telusmobility.com]
Well, it's a
Re: (Score:2)
I'm not saying fragmentation isn't occurring. It has occurred. Because it has occurred it's invalid to say that Android has a problem updating its software, because it's not Android's problem.
Ok, I think we're in almost complete agreement then. As I said in my original post, some Android phones are going to have great support, some ok, some bad, and so on. Having an Android doesn't guarantee bad support, but neither does it guarantee good support! MY feeling is that -- like MS Windows -- Microsoft is going to get blamed, as the most visible party, for such issues, rather than HTC, Samsung, LG, etc. And thus the problem with fragmentation. There's the potential for bad experiences with one vendor
Re: (Score:2)
And thus the problem with fragmentation. There's the potential for bad experiences with one vendor to sour the entire platform.
If there was a problem with webkit, we wouldn't buy it for a second if Microsoft tried to exploit the fact one vendor dropped the ball with updates to paint all the droids, and ios devices as a fragmented browser platform that was difficult to keep updated. Right?
Why do you even entertain the notion that "Android fragmentation" is a "problem" in the first place? We should reject blaming
Re: (Score:2)
That's true, however the key difference is visibility. Is it unfair that Microsoft is blamed for slowed down systems when it's vendors that install bundles of crapware from day one? Sure. Is it unfair that a bad experience with one Android device might sour somebody on other Android devices? I guess?
Additionally, there's a huge difference between a rendering engine that most people have never heard of and is totally behind the scenes, and a highly marketed operating system and brand. Google is very much interes
Re: (Score:1)
Here in Australia, the standard contract is 24 months. Given that I tend to keep my handsets for about double that term, I'm happy enough with that...
Wrong, just 1st gen Touch and iPhone (Score:3, Insightful)
Since your post was so rife with inaccuracies, I felt I had to correct the misconceptions you were attempting to spread.
And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...
Where did you get that from? The iPad and iPhone and Touch all run the same OS version now, 4.2. The only iOS device that cannot run 4.2 is the first gen iPhone or the 1st (and possibly second) gen Touch. That's not eight, it's around two. And both of those can
Re: (Score:2)
No iPhone has ever had more than a two-year contract.
"Fido, Rogers to offer iPhone with 3-year contracts"
http://www.cbc.ca/technology/story/2008/06/12/fido-iphone.html [www.cbc.ca]
From first hand experience:
3 year contract, or you buy the phone outright.
1 and 2 year contracts were not options.
How would that be different than what you are getting? You already have a few different app stores, including Verizon. Who is to say that in a few years the situation will not be exactly as you describe?
It will never get -THAT- bad
Re: (Score:2)
Ok, I admit it, I had not heard Rogers had three year contracts. I stand corrected. But I have not heard of three year contract lengths in any other country; I'm pretty sure that's an aberration and the original post said nothing about Canada, making the complaint sound generic.
I'd probably have to bite down and buy an unlocked phone before I went for a three year contract. That's pretty crazy. I can only hope Canadians got better iPhone prices as a result, but I doubt it.
Re: (Score:2)
You're assuming that the benevolent dictator model results in better security. But we have that in the desktop/laptop OS space in which Microsoft and Apple duke it out between them. Guess what - Apple's track record of patching security flaws is absolutely atrocious. They have a reputation for leaving bugs unpatched for months. Microsoft do a lot better these days, but even then, there are so many exploits, and enough users who don't get the online updates, that the OS is a piece of Swiss cheese.
Today, HTC/M
Re: (Score:2)
You're assuming that the benevolent dictator model results in better security.
No, I'm not. I'm assuming only that the "benevolent dictator" model is better at being able to deploy security patches. And that is true.
Better security results in a better security model, with appropriate layers. I personally think the iPhone has a slightly better base model than Android does - here we see the effects of fragmentation on being able to patch an issue, but beyond that the iPhone would not have this risk because t
Re: (Score:2)
Re: (Score:2)
The Android platform is quite fragmented (many forks, without source available), because so many vendors have had so many different phones and they've generally all made CLOSED proprietary changes. The Apache license doesn't require the carriers to make their user-space code available to users or Google or anyone. (The Linux part is still GPLed, but that is only part of Android).
http://arstechnica.com/old/content/2007/11/why-google-chose-the-apache-software-license-over-gplv2.ars [arstechnica.com]
Users generally have crippl
Re: (Score:1)
Re: (Score:2)
>free FOSS...
and that constitutes the only part of your post that makes some sense.
care to troll in a more refined way?
And as best I can tell many cannot update (Score:1)
If I click on "update phone", my Android phone fails to connect to the update site and demands that I wait another 24 hours to try.
At least my service provider is very nearly the beginning of the American alphabet, which should put my update first in the list.
There are also a lot of files that normal permissions will not let me see to backup....
At least I do not have my personal TSA full body scan images on the phone.
Re:linkbait (Score:5, Informative)
Fragmentation affects the creation and distribution of the patch.
Re: (Score:2)
I would argue that Android fragmentation is caused by OEMs releasing handsets that are running old versions, with zero upgrade path.
Apple don't sell hardware that's running an older version of iOS with no upgrade path.
Re: (Score:2)
The GP is right, but you seem to be missing the big final point: Android phones come out with 1.6 when version 2.0 and 2.1 are out.
To most people fragmentation doesn't mean "security flaws" --it means "oh, no! I paid $200 and got stuck in a contract for many more hundreds, and now I can't run X new free app." Compare that to Apple, as the GP said: November 28, 2010 some new OS X comes out? not a single PC at the store will sell you a box with the old one.
Hmm, contrast that with Windows XP and see why it's
Re: (Score:2)
Re: (Score:2)
I got my phone less than a year ago, and it's running 1.5. And it's made by Samsung. And there's no plans on updating it. Samsung dropped all support for it as soon as they released a slightly newer version of the phone. It's not even supported in their "New PC Studio" software that's supposedly the only way to update the phone. Or at least it wasn't 3 months ago.
Re: (Score:2)
Update Woes (Score:2)
It could make it nearly impossible to patch, for off-brands that run Android.
not Linux (Score:2)
for the last time : Linux is a kernel.
this bug isn't in the kernel. Linux isn't affected.
this bug isn't even in the GNU userland which is used in most distributions (and which android lacks as it relies on busybox instead)
this bug is in the browser, which has nothing to do with your regular distributions. At most, it's a distant cousin of Chrome (another browser done by google) and perhaps WebKit (the framework used by all browsers by Google, Apple and KDE)
luckily it's opensource (Score:2)
luckily android is free/open source under the apache licence. So even if HTC and the like don't publish their own fixes, you can expect to find up-to-date firmware from 3rd parties like Cyanogen.
the only part i don't like is that replacing the firmware requires rooting the phone. One shouldn't have to hack his/her *own* phone to replace free/libre open software !
(i type that on a palm pre running a custom kernel, which was installed using nothing more than the officially documented "dev mode", no exploit required).
Re: (Score:2)
You're a fanboy. We know this because you obviously didn't even read the article, where your points are refuted. Instead, you didn't like that Android was being criticized, so you immediately posted an anonymous comment to dismiss the story as linkbait.
I suspect you're one of the many anonymous posters who suddenly shows up in every article critical of Google or Google products.
Abuse of "zero-day" term? (Score:5, Informative)
"Zero-day" attacks are when the application developers had no awareness of the problem before the information got to people who might exploit the problem.
TFA says Cannon gave Google prior warning, so this isn't zero-day, right?
http://en.wikipedia.org/wiki/Zero-day_attack [wikipedia.org]
I think news agencies just stick "zero-day" to all virus/bug news because it sounds scary.
Chester Wisniewski's point is invalid, IMO (Score:2)
Chester says:
Now for the #fail. Android, like Windows Phone, is largely designed to be an open platform. Windows Phone does require licensing, but supports many handset makers similar to the Android strategy. What do I mean by this? Many carriers and manufacturers of handsets are encouraged and able to use the operating system and adapt it to just about any form factor they can imagine. HTC, Samsung, Motorola, Acer and others each can make interesting, innovative devices and customize the operating syste
Re: (Score:3, Interesting)
But you do go to Microsoft and ask for Windows patches for your Dell or HP (or even for your iWhatever, if your iWhatever is an iMac, and you're running Windows on it.)
This is a nightmare because you have to go to the company that sells you the gadget... and it can take months for the phone manufacturer to validate a new ROM for your phone based on Google's code, and then a few more months for your carrier to validate that ROM.
Re: (Score:2)
As opposed to what, Microsoft sitting on its hands for months or years because they won't fix or until they can't take the wailing and gnashing of teeth anymore?
How's that Windows Home Server goin' for ya?
"ANDROID HAS BUGS! BE AFRAID! BE VERY AFRAID! FRAGMENTATION! FRAGMENTATION! BOO!"
--
BMO
Re: (Score:2, Insightful)
As opposed to what, Microsoft sitting on its hands for months or years because they won't fix or until they can't take the wailing and gnashing of teeth anymore?
At least then you're only waiting on MS to get off it's ass, not MS and then the manufacturer..
Re: (Score:2, Informative)
Re: (Score:1)
One downloads updates from one's distro's repos. That will be Windows Update if you can't be bothered to choose a distro on your own.
Re:Chester Wisniewski's point is invalid, IMO (Score:5, Interesting)
Some things are inherently difficult in an environment with numerous hardware variations that cannot be depended upon (designing UIs that work nicely across multiple screen sizes/keyboards vs. softkeys only, etc., substantial differences in processing power, RAM, storage); but most security bugs, unless apocalyptically foundational in some ugly way, generally don't qualify. Nor are security fixes (unlike new features, or issues related to custom skins and other OEM differentiation crap) generally something that carriers are likely to be conflicted about from a marketing perspective. Lots of carriers are doing a lousy job of updating existing handsets to newer android versions because they would really rather just sell you the Model N+1 and another two year contract. Doing that with an obscure bug is harder.
Re: (Score:2)
You don't go to Apple and ask for Windows patches. You don't ask Windows to patch your iWhatever. Each company maintains its own patches. If the common point in between two devices happens to be Android, how can this be some kind of nightmare? It's SOP. The company that sells you the gadget gives you the patches. In short, so what?
However, you do go to Microsoft for windows patches even when your laptop is made by Acer. That's the point he's making, in previous OS situations you would go to Google for the patch, but you can't, you have to go to the device manufacturer instead.
Re:Chester Wisniewski's point is invalid, IMO (Score:5, Insightful)
So let's say you bought a Windows box. Maybe you got it from HP. Maybe you got it from Dell. Maybe from Sony.
Who do you expect to provide you with a patch when someone discovers a new Windows vulnerability? Microsoft, right? If it's really serious it'll probably pop up in the next Patch Tuesday. If it's hyper-serious then it might come out three or four days after the vuln was announced.
That's not the way it works in the Android world, annoyingly enough. Imagine if the version of Windows loaded onto that HP machine was a special HP version, full of HP customizations like a proprietary HP window manager and a proprietary HP web browser. MS can't give you any patches because the HP customizations are a fork of MS's source; when MS does bugfixes, someone at HP has to take a diff of the new MS tree, merge it with the HP tree, and run it all through QA. Oh, and the store you bought it from? Some of them have their own variant source trees too, so the same machine bought from Best Buy rather than direct from HP has its own fork of the OS.
Now multiply this by a different fork for every damn model they sell. Oh, and because they only have so much money, HP/Dell/Sony/Best Buy/whoever typically only bother merging in the OS updates for computers they made in the last year. If you're lucky.
Oh, and some of them have implemented DRM that will trash your computer if you try to install vanilla MS Windows. And nobody makes the drivers for their custom hardware available anywhere outside of the binary blobs they distribute. Pretty much everyone except the hardcore nerds is just gonna be running whatever release of the OS came with their computer, or maybe the one update they got - even if they keep the machine for five years. Even if they want to try and update it.
So tell me, why is this a problem?
Re: (Score:1)
Yes we will. We'll distribute custom images and install them onto our phones.
First one buys the phone, then one buys the OS. Android seems like a fine choice.
The only problem is manufacturers not specifying interfaces to the hardware. Do not buy hardware for which full specifications are not available, as you won't be able to utilize the hardware as you wish.
Re: (Score:1)
That's why everything is standardized. That way you can patch your kernel and win32 and unix subsystems without breaking your window manager and web browser.
Imagine if OEMs bundled Opera and dwm with their hardware.
I'm sorry, but if you've bought a computer that breaks horribly when you try to use it and make it execute code, you've been ripped off. Check if your warranty's expired.
Re: (Score:3, Informative)
They just don't want to spend any more money on it. Android code gets released, then the OEM customizes it, and then the carrier finally customizes it. That's a lot of work -- the 10 or so current phones they've got out, plus their entire back catalog. They've already got your money. So long as it doesn't affect their network, why do they need to bother? It only takes one of the OEM or carrier to decide it's not important.
Chester was entirely wrong about Windows Phone, too, unless he is confusing it wi
Re: (Score:1)
Slightly unique? (Score:2)
I wish people would learn what unique actually means.
Android cloud computing rates (Score:5, Funny)
Standard on-demand instances:
Small (1000 Android cellphones): $0.05 per hour
Large (5000 Android cellphones): $0.20 per hour
Extra large: call
Get a 10% discount if you sign up before zero day is over.
The real problem is... (Score:5, Interesting)
The real problem is that there is no easy way to patch this. Seriously, Android/Google should have long ago known that this situation (i.e. vulnerability with no quick way to patch) could be possible.
Re: (Score:2)
It's sort of like knowing that you are going to die. The number of things you can do isn't zero; but you can never really "react usefully" to this knowledge because there just isn't anyt
Re: (Score:1)
> but how do you respond to such knowledge?
You implement a Patch Tuesday solution, at least.
Re: (Score:3, Funny)
Shouldn't they think outside of the box? Why not have a patch Monday so they can be one step ahead of microsoft?
Re: (Score:2)
Unfortunately, patching embedded devices is something of a problem industry wide: many of them are weird/customized enough that 1st party patching would be truly heroic, for any issues that aren't isolated near the top of the stack, and many of the 3rd parties who made them are basically uncaring, incompetent, or both. PCs, by contrast, are both fairly heavily standardiz
Re: (Score:1)
Re: (Score:2)
There is a very easy way to patch it. Don't let public pages redirect to "content://com.android.htmlfileprovider/*".
While it is fully intended that public pages be able to access other content providers, there is no valid need for them to be able to access html files stored on the device, especially since local html files are trusted higher than public html files.
In the attack, the server forces an html page to be downloaded by using an incorrect content-type. It then redirects to that local page via the co
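The mitigation the post above proposes (refuse to let a public page navigate into the local HTML file provider) can be modelled as a small navigation policy. The following is an added example written for this thread; it is not code from the Android browser, from Google, or from Thomas Cannon's write-up. The scheme sets, the redirect-chain walker and the sample URLs are constructed assumptions; on a real device such a check would sit in the web view's URL-loading hook rather than in a stand-alone module.

```python
"""
Navigation policy for an embedded web view (added example; not the Android
browser's own code).

The thread describes the flaw as: a public http/https page triggers a file
download, then redirects the browser into that local file through a
content://com.android.htmlfileprovider/... URL, where the page runs with
local-file trust.  The suggested fix is to forbid exactly that hop.  This
module models the rule as a pure function over (initiating page, target URL).

Assumptions (not from the original page): the scheme sets below, the
redirect-chain helper and every sample URL are constructed for this example.
"""
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Schemes that denote pages fetched from the network (untrusted origin).
PUBLIC_SCHEMES = {"http", "https"}

# Schemes that expose local resources with elevated trust.  "content" covers
# the com.android.htmlfileprovider authority named in the thread; "file" and
# "javascript" are treated the same way (assumption: all three count as local).
LOCAL_SCHEMES = {"content", "file", "javascript"}


def resolve(initiator_url: str, target: str) -> str:
    """Resolve a possibly relative target against the initiating page's URL.

    urljoin returns the target unchanged when its scheme differs from the
    base (a content:// target against an https:// base), which is precisely
    the case the policy must catch; urlsplit then lower-cases the scheme, so
    CONTENT:// cannot slip past a case-sensitive comparison.
    """
    return urljoin(initiator_url, target)


def is_allowed(initiator_url: str, target: str) -> bool:
    """Return True if a page at initiator_url may navigate or redirect to target."""
    initiator_scheme = urlsplit(initiator_url).scheme.lower()
    target_scheme = urlsplit(resolve(initiator_url, target)).scheme.lower()

    # A locally opened page keeping local navigations is not the case at issue.
    if initiator_scheme not in PUBLIC_SCHEMES:
        return True

    # A public page may only move to another public page; any hop that would
    # land in a local-trust scheme (content://, file://, ...) is refused.
    return target_scheme in PUBLIC_SCHEMES


def check_redirect_chain(chain: List[str]) -> Tuple[bool, Optional[int]]:
    """Walk a redirect chain, resolving relative hops, and report the first
    hop that violates the policy.

    Returns (True, None) if every hop is allowed, otherwise (False, index)
    where index is the position in `chain` of the first disallowed target.
    """
    current = chain[0]
    for i in range(1, len(chain)):
        if not is_allowed(current, chain[i]):
            return False, i
        current = resolve(current, chain[i])
    return True, None


# Constructed sample navigations, modelled on the sequence the thread describes.
SAMPLE_CHAINS = {
    # public -> public download -> local provider: the pattern to block
    "bad": [
        "https://example.test/landing",
        "https://example.test/download/payload.html",
        "content://com.android.htmlfileprovider/sdcard/download/payload.html",
    ],
    # a relative hop followed by a mixed-case scheme must not slip through
    "bad_mixed_case": [
        "http://example.test/a",
        "/b",
        "CONTENT://com.android.htmlfileprovider/sdcard/x.html",
    ],
    # ordinary browsing: every hop stays on a public scheme
    "good": ["https://example.test/a", "/b", "https://other.test/c"],
    # a locally opened file staying local is outside the policy's scope
    "local_only": ["file:///sdcard/notes.html", "file:///sdcard/other.html"],
}


if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        ok, hop = check_redirect_chain(chain)
        print(f"{name}: {'allowed' if ok else 'blocked at hop ' + str(hop)}")
```

The chain walker resolves each hop against the previously resolved URL rather than against the raw previous entry, so a relative redirect in the middle of the chain cannot make a later content:// hop appear to originate from a non-public page.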
Re: (Score:2)
Still easy for the vast majority of devices. Just place a patch in the market. The trick would be distributing different versions of the new browser executable to each android version. However, the way the market works makes that entirely possible.
Then the only devices that remain are those without the market. Google can contact the OEMs of such devices, and give them the source code patch. It is then no longer Google's responsibility, but rather the OEM's responsibility to actually issue the patch.
Hope it hits a lot of users (Score:2)
If it hits big enough maybe the carriers will wake up and offer a stock image with all the various crap as add ons. Seriously, I don't want Sprint TV, or sprint Nascar's app. But I do want my few months old phone to be upgradable past 2.1.
If enough pages hit that make it unusable then either the phone companies will have to push an update or give new phones to anyone claiming breach of contract.
Re: (Score:2)
Why cant google offer... (Score:1)
What about an app? Is not root cause SD access? (Score:2)
I don't see how downloading a file has anything to do with the exploit other than being a means to trigger file access Javascript.
What I'd like to know is, can any app read any file from an SD card if it knows the path of an existing file? From a previous Slashdot story (a few months back, cannot find the link) I had thought each Android application directory on an SD card was somehow isolated, but for this flaw to work at all that cannot be the case. What is to stop a rogue app from accessing any arbitrary
Whoa.. (Score:1)
Re: (Score:1)
What I'd like to know is, can any app read any file from an SD card if it knows the path of an existing file? From a previous Slashdot story (a few months back, cannot find the link) I had thought each Android application directory on an SD card was somehow isolated, but for this flaw to work at all that cannot be the case. What is to stop a rogue app from accessing any arbitrary application data at a known path on the SD card?
When you put applications on the SD card, their binary directories are isolated from each other, yes. (Through encrypted loop-mounts, I believe)
But the actual data on the sdcard is completely open to all applications. It's basically a large dumping ground for data.
The issue of this exploit is that you never need to grant anything permission to become vulnerable, whereas a rogue app does need to be given permission to be installed, and (I believe) permission to access data on the SD card.
Re: (Score:2)
When you put applications on the SD card, their binary directories are isolated from each other, yes. (Through encrypted loop-mounts, I believe)
That's how I understood things from before...
whereas a rogue app does need to be given permission to be installed, and (I believe) permission to access data on the SD card.
Right, I can see an app needing to ask for access to be installed, possibly the SD card access - but who would think twice about granting that, if for no other reason than to store preferences?
The
OH NO (Score:1, Troll)
Android's main weakness is the carriers (Score:2)
Personally, I know I can get the latest fixes and updates fairly quickly, but that is only because I have rooted my phone and installed a few utilities and follow the updates and fixes provided by some pretty smart people. That's just about as up-to-date as I can hope to be. But that won't work for the rest of the users out there. They have to wait for a very long time, forever or even longer (such as never) before T-Mobile, AT&T, Sprint or Verizon push out an update to fix a vulnerability. And w
Android going to be like microsoft? (Score:1)
What makes this special? (Score:2)
So what?
I do not understand what makes this an "interesting piece of news"
We see Windows security updates weekly.
IOS? regularly.
Is this some "special" weakness?
Re: (Score:2)
It's special because most Android phones are NOT getting a security update for the known flaw.
Re: (Score:2)
Most phones on most OS types do not get security updates.
It's not a function of the OS; it's a function, or lack thereof, of the phone provider, which is usually the telco for wireless services.
And their argument often is:
"We provided the phone, as is, and "free" to you.
We owe you nothing."
Again, not unusual.
Re: (Score:2)
Whether or not you think it's unusual, it's still news.
Nice info (Score:1)