Researcher delays release of dangerous exploit for Android bug




A working exploit for a dangerous bug in Android's video framework will not be released this week after all. The researcher who discovered the problem had planned to present the exploit at the Black Hat security conference.

Security researcher Joshua Drake of security firm Zimperium now plans to release the exploit later than 24 August, he tells Tweakers at the Black Hat security conference in Las Vegas. “Friday I met representatives of mobile operators, who have asked me to wait,” said Drake. Initially he planned to present the exploit on Wednesday at Black Hat.

The vulnerability in Android came to light last week. The bug in Android's Stagefright video framework makes it possible for someone to run native code on a vulnerable Android device by sending it a video. This can be done, among other ways, via MMS: in that case, merely sending a message is sufficient, because the video is then loaded directly by Android. However, the bug can also be exploited in other ways, for example from the browser or other chat apps. It is not clear whether other chat apps are just as vulnerable as MMS.

Almost all Android devices are vulnerable to the security issue, including Google's Nexus 5. The Nexus 6 is partially patched, but not enough, says Drake. Cyanogen has released a patch for CyanogenMod. The severity of the vulnerability varies by Android version: newer versions have better built-in measures against abuse. Older versions such as Android 4.1 are particularly vulnerable, because an attacker can easily get root access on those devices. Budget phones in particular often run older Android versions and no longer receive updates.

According to Drake, the telecom providers in the United States feared a worm that would spread itself among the contacts of affected users. The exploit that Drake would release makes it easy for attackers to design such a worm. Yet he still wants to release the exploit. “I’m not going to set off again,” said Drake. If someone else comes out with a working exploit before then, he will release his own version. Chinese researchers have already come close, but do not yet have a complete exploit.

Drake says he wants to create awareness with the exploit. The exploit can actually help to combat the problem: according to Drake, makers of security software and intrusion detection systems, for example, are interested in the details.

