Thursday, September 18, 2014

A security flaw in Android that is a “disaster for the … – The Confidential

It was discovered two weeks ago and reported without receiving much echo, but has been in the last few hours when the problem has taken all its dimensions. This is a security flaw in the web browser that many Android powered devices are installed by default. According to the Metasploit security project, that detects and tests computer security failures, could be a “disaster for the privacy” of users.

Android Browser The browser has a fault, named CVE-2014-6041, which allows third parties to execute JavaScript code on any window that the user has open, being able to read cookies and passwords and therefore access and send emails or any other type of identity theft.

This means that any random web (eg controlled by a ‘spammer’ or a spy) can snoop the contents of any other page

“This means that any random web (eg, a controlled by a spammer or a spy) can snoop the contents of any other page. Suppose you’ve entered a infected while you had your email open in another browser window anywhere. attacker can get the information from your email and see the same as your browser. Or worse, you can get a copy of the cookies of your session and pirate it, even read and write emails in your name. ”

Who is affected and how to avoid

The scope of the decision is unclear. They could affect all users using the Android versions prior to 4.2. It was in that operating system when switched to Google Chrome as default, although parts of the code continued to be used in Android Browser web functions within applications. The Android 4.4 version was the definitive and complete change.

According to Google data, 24.5% of Android devices now work with version 4.4, so that would be out of danger unless you have elected to install it yourself. All others will be exposed to the failure of one form or another.

Although it is possible to never be affected, the easiest way to protect against this ruling is to install and use a browser that is not based on this code, such as eg Chrome, Firefox or Opera.

“You need to fix, and fast”

It was security analyst Rafay Baloch the first to raise the alarm about this problem, originated from a mechanism called Same Origin Policy security (SOP). Browsers follow this policy, which basically means that the JavaScript code from a source can only be read or modified elements (such as parts of a web) derived from the same source that code. Although there are exceptions, the rule is that a code can not access to another of different origin.

Due to the nature of this measure and their potential impact, browsers are very strict models and rarely found a bug in the SOP. However, occasionally occurs

Baloch found that the JavaScript code built in a certain way I could skip the SOP and free access to other sites without restrictions. “Due to the nature of this measure and its potential impact browsers models are very strict and rarely found a bug in the SOP. Yet occasionally happens.”

“This means that potentially any web view from the browser may be stealing sensitive information. It’s a bug that needs fixing, and fast, “says Peter Bright, journalist Arstechnica .

Something the Baloch own alerting Google tried to get the problem had been detected, to which they responded that they were unable to prove the existence of this ruling and proceeded to close the claim. “When I published the post with the information I received a new response saying that they finally were able to check and they were working to fix it.”

LikeTweet

No comments:

Post a Comment