Trend Micro Discovers New Android Vulnerability

HardOCP News

Trend Micro has discovered a vulnerability in Debuggerd, the integrated Android debugger, that can be used to expose the contents of the device’s memory.

A specially crafted ELF (Executable and Linkable Format) file can crash the debugger and expose the memory content via tombstone files and corresponding logd log files. This information can be used in denial of service attacks, as well as to help bypass ASLR for arbitrary code execution. By itself, the vulnerability cannot be used for code execution. However, the information leaked here may be combined with other flaws for that purpose.
 
But you can customize the phone to the point that is only limited by your imagination...so you know, this is pretty much a moot point.
 
Had this been an iOS vulnerability this thread would already be 6 pages long of android users bashing overpriced apple devices.
 
I've tried time and time again to make that point...I only end up being told I'm stupid. =\
 
Had this been an iOS vulnerability this thread would already be 6 pages long of android users bashing overpriced apple devices.

If it were about Windows Phone it would be several pages longer of Android and Apple users saying "Microsoft should just give up". After all everyone knows how the saying goes, "if at first you don't succeed....give up." lol
 
Had this been an iOS vulnerability this thread would already be 6 pages long of android users bashing overpriced apple devices.

But since this is an Android vulnerability, it's undoubtedly going to be a thread with bitter Apple users whining.
 
But since this is an Android vulnerability, it's undoubtedly going to be a thread with bitter Apple users whining.


Thread is four hours old, this is post 7.

You're wrong.
 
Had this been an iOS vulnerability this thread would already be 6 pages long of android users bashing overpriced apple devices.

This likely has more to do with the number of Android vs Apple users on this board than it does with the discontent for the opposing fanboi team's products.

Both sides are equally as whiny.
 
Thread is four hours old, this is post 7.

You're wrong.

I do believe the post I responded to is an example of what I was speaking of, sweetcheeks.
 
But you can customize the phone to the point that is only limited by your imagination...so you know, this is pretty much a moot point.

Good news though, everyone can rest assured that Google is hard at work on the next version of its OS to fix the issue for anyone buying a new phone.
 
When will Android phone users get this update?
I'm still waiting for Android Lollipop for my phone.
Lollipop came out in 2014.
 
Sounds to me like you need to contact your carrier or check out xda.
The Nexus line of phones has the updates before it hits officially.
 
This vulnerability can be exploited by a malicious or repackaged app downloaded onto the device, although the impact would be relatively limited (as no code execution is possible by itself). No malicious code can be executed if this vulnerability is exploited.
I'm shakin in mah boots. Guess I'll delete all those cat pic apps with no reviews.
 
Sounds to me like you need to contact your carrier or check out xda.
The Nexus line of phones has the updates before it hits officially.

I checked on Motorola's website about Lollipop support for my phone.
Motorola says "This device will be upgraded to the Android 5 Lollipop release of Android, pending partner support."

Lollipop was released in 2014. I should have been able to update to Lollipop the day it came out. Instead, I am stuck waiting possibly indefinitely for Lollipop. I also get stuck using an obsolete version of Android OS.

If I had an iPhone, I would have gotten the new iOS on release day.

I don't have to use a laptop made by Microsoft to get Windows 10 on release date (7/29/2015). So, I should not have to use Google's own phone to get their new OS on release date.

I just got the KitKat 4.4.4 update. So I got that update about a year too late. The whole time, my phone was vulnerable to an OpenSSL man-in-the-middle vulnerability.

My friend has a Samsung Galaxy S III Mini (Verizon). Not only has he not gotten Lollipop yet, but he's still using an outdated version of KitKat from 2013 that has known security vulnerabilities. When he tries to update his phone, it tells him "your Samsung SM-G730V is up to date. Your device configuration has been updated. No update to software is necessary at this time." That is simply unacceptable.
 
But you can customize the phone to the point that is only limited by your imagination...so you know, this is pretty much a moot point.

Had this been an iOS vulnerability this thread would already be 6 pages long of android users bashing overpriced apple devices.

So I should be upset about a vulnerability that can't do remote code execution? It's an exploit that needs another vulnerability to do anything with. This is absolutely nothing compared to the XARA exploit on iOS and OSX. This is about as useful as the Unicode crashing bug on iOS that was just patched in iOS 8.4.

Let's not even talk about how Google patched it in less than a month. I guess I should be upset about that too? Oh wait let me guess you're OK with Apple sitting on the XARA exploit for 6 months. :rolleyes:

This is a bug. It can't do much. So why care too much? I don't.

iOS Unicode was a bug. It couldn't do much. So why care too much? I didn't and my wife and her iPhone 6 didn't.

XARA exploit is a bug. It can't do nasty things. So why care too much? Because it's a huge exploit that Apple ignored for 6 months.

I checked on Motorola's website about Lollipop support for my phone.
Motorola says "This device will be upgraded to the Android 5 Lollipop release of Android, pending partner support."

Lollipop was released in 2014. I should have been able to update to Lollipop the day it came out. Instead, I am stuck waiting possibly indefinitely for Lollipop. I also get stuck using an obsolete version of Android OS.

If I had an iPhone, I would have gotten the new iOS on release day.

I don't have to use a laptop made by Microsoft to get Windows 10 on release date (7/29/2015). So, I should not have to use Google's own phone to get their new OS on release date.

I just got the KitKat 4.4.4 update. So I got that update about a year too late. The whole time, my phone was vulnerable to an OpenSSL man-in-the-middle vulnerability.

My friend has a Samsung Galaxy S III Mini (Verizon). Not only has he not gotten Lollipop yet, but he's still using an outdated version of KitKat from 2013 that has known security vulnerabilities. When he tries to update his phone, it tells him "your Samsung SM-G730V is up to date. Your device configuration has been updated. No update to software is necessary at this time." That is simply unacceptable.

Yes it is but let's lay blame where it belongs. The carriers and OEMs. If Samsung and HTC didn't put so much of their own crap in it they could roll out new Android versions far faster. Motorola with the Moto X line has been doing a pretty damn good job updating their devices in a very timely manner. The difference? Motorola doesn't do a ton of under the hood changes.

You mention a Galaxy S 3 Mini. Release date November 2012. Almost 3 years old. It will NEVER get Lollipop. Period. Things are so much different when it comes to mobile devices. This isn't the desktop world anymore. People need to stop looking at it that way.
 