When I told you the reasons why you ought to seek to have the latest version installed on your Android device, you quoted security and used as an example the recent CVE-2014-6041 . browser vulnerability found in any version other than 4.4 KitKat, which is a brutal failure Privacy
Read why we return to the security breach, when we had already done? The reason is simple: failure goes far beyond what we thought , and an attacker could exploit the vulnerability to form a botnet of all Android devices. In other words, our Android would become a zombie at the mercy of the attacker
Before describing everything we have to stop a moment to give credit to Miguel Angel Garcia.: has been the developer who has been playing with vulnerability and discovered what to do with it. We have also talked about other discoveries that have been made since A computer on the side of evil , so from here we thank them for their tremendous work.
In any case, we have come here today to talk about safety, and is able to tell you what an attacker when using this vulnerability. For you to put yourselves in a situation, the problem is in the AOSP browser, specifically in PCOS (Same-Origin Policy), a piece of the browser that restricts when you can load or execute code it is of a different origin to the website where we are.
The problem specifically is that by simply including a null byte in the code to execute, and we can skip the protection of that responsible PCOS. Y if we access a page containing this null byte, page (and thus the attacker) can run the code you want in our Android, without ever going . at any time by the security measure
this has many uses for the attacker : extracting information from both the HTML content and the user, send forms without permission, remove our cookies session (something called session hijacking) to use our accounts without password … all faults I discussed privacy the last time, in short. But the worst is that, with almost ridiculous ease, can turn your Android device into a zombie .
And how to make my Android into a zombie, you may ask? It’s pretty simple: with a spam campaign, users of a vulnerable version of Android access a web page that looks normal but is designed to exploit this vulnerability. Y page has a BeEF script that will spend our Android a JavaScript Botnet , a network of Android devices to complete disposal of the attacker (you can see how an attack with this system here works.)
The advice we can give here are the usual: not use the AOSP browser or web browsers based on AOSP, and caution when entering unknown websites , more if they are behind a link shortener. Anyway, and until the problem is resolved, it seems that the surprises keep coming in this direction.
No comments:
Post a Comment