Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image (csoonline.com) 149
An innocent-looking image -- sent either via the internet or text -- could open your Android phone up to hacking. "While this certainly doesn't apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids -- those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0)," reports CSO Online. From the report: The latest bulletin lists 42 vulnerabilities in total -- 11 of which are rated as critical. The most severe critical flaw is in Framework; it "could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process." Although Google had no report of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw for real-world attacks. Android owners were urged to patch as soon as security updates becomes available. But let's get real: Even if your Android still receives security updates, there's no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.
Re: (Score:3, Funny)
This is no big deal. Since there is no hope of getting any security updates for my Android devices from the fantastic hardware vendors and network providers, I'll just browse the web on my Android devices using lynx [wikipedia.org] from now on. Thanks guys! Thanks a lot! Really appreciate ya'll locking down these devices so hard to prevent malicious third-party open source developers from flashing custom boot ROMs over your fantastic OEM build.
Re: So not Flash? (Score:2)
Lesbian porn is gay.
Re: (Score:1)
So older Androids need to upgrade to LineageOS? (Score:2)
Since the carriers are no longer providing updates.
Re: (Score:2)
Or at least if it does, they'll be slow. The security level for LineageOS 14.1 on Samsung Galaxy S4 (jfltexx) only got bumped to the January 2019 level in the past couple of days (and this only in the source code tracker, no new build yet), just as these February updates were released. They're building about one nightly a month for the device now, so I'd have to compile my own to even be just one patch level behind.
No snark intended at LineageOS. They're doing what they can with the resources (develope
Re: (Score:3)
I have a 6 uear old Galaxy tablet that still gets security updates from Samsung. I've never kept a phone for longer than two years or so, so I can't speak to that.
Re: (Score:2)
You're lucky - I have a Galaxy tablet that stopped getting updates 18 months after I bought it (about 2 years after it came out - not enough sales, so not worth looking after those of us that bought it). It's not a problem though, I've just bought any-brand-except-Samsung ever since, and get updates all over the place when I need them. My little Doogee phone might not get an upgrade, but then it cost about £40, so I'll just throw it out and buy a new one instead.
Re: (Score:2)
Re: (Score:2)
It turns out riddles aren't the same as software engineering. Who knew?
This is one reason (Score:2, Informative)
let's get real: Even if your Android still receives security updates, there's no telling how long it will be before manufacturers and carriers get it together to push out the patches
...I still prefer an iPhone.
Re: (Score:2)
let's get real: Even if your Android still receives security updates, there's no telling how long it will be before manufacturers and carriers get it together to push out the patches
...I still prefer an iPhone.
Don't believe the hype about update lag, it's not reality. de facto, per se. I'm using an Essential PH-1. I got the patch today.
Re: (Score:2, Informative)
I have an LG from 2016 and they haven't released any OS updates since 2017.
Re: (Score:2)
If we're hoping to ever see those updates, we better invest in cryogenics.
Re: (Score:2)
Re: (Score:2)
Because Apple ignores critical security flaws like he Facetime bug?
In this case TFA is wrong. While the patches fix the underlying issue, mitigations are already available to all Android users via the Play Store and component updates which have already rolled out to users regardless of manufacturer.
Re: (Score:2)
iPhones prior to 5S don't get the OS update that is for some reason required to fix Apple's recent "FaceTime as spy tool" bug, even though that's a bug in an app, and not in the OS. Tell us again how smug you are about Apple's support strategy.
Re: (Score:2)
Those devices also didn't get iOS 12, thus they never had group Facetime and hence weren't affected by the bug. Your point is irrelevant.
Genuine LOL. Those devices couldn't have a mere app upgrade because they couldn't get the OS upgrade that Apple made a deliberate decision not to bring to them in order to drive sales of newer models, and my point is supposed to somehow be irrelevant? The situation is actually worse than I imagined. How Applethetic.
Re: (Score:2)
Wait, so the fact that phones 6+ years old now (you said "prior to the iPhone 5s") should still be supported? Can you name one single phone, Android or otherwise, that gets updates that far out?
You can install most current apps (especially google apps) on JellyBean, from 2013. Play Services was still supported on ICS (from 2011) until December of last year [slashdot.org] . Looks like decoupling all that stuff into Play Services was a savvy move for Google. And their support for older hardware is going to be even better going forward, since they've adopted a HAL.
Privileged Code? (Score:5, Interesting)
You can use this bug to execute privileged code? I assume that means as root. If someone publishes example code at some point, we could get a really convenient way to root phones. Maybe I should avoid updates for a while.
Re: (Score:2)
Re: (Score:2)
Not unless for some reason Android is decoding PNG files as root... which it doesn't. This bug cannot be used to escalate privileges.
It's usually SYSTEM, not root. (Score:2)
That can still get you far, though.
Memory Access Bugs (Score:4, Interesting)
More OS memory access bugs [slashdot.org], yay.
According to this breakdown [openhub.net], 88% of Android OS is written in Java, C, and C++ -- all of which are notorious for memory access bugs (in the runtime environment, in the case of Java). Perhaps the #1 security best practice should be to use a language designed to be memory safe. Right below that would be "don't try to bolt on security to insecure software."
Re: (Score:2)
"don't try to bolt on security to insecure software."
Oh you mean, like the TCP/IP protocols we all use today? Security wasn't even close to on the minds of the original specs.
Kind of shows.
Re: (Score:3)
all of which are notorious for memory access bugs (in the runtime environment, in the case of Java).
Android does not run a JVM as far as I know, but Dalvik. And the only famous JVM memory access bug a five-second search gave me was from 2002.
Google has been EXTREMELY self-destructive! (Score:2, Insightful)
Android generally gets NO updates. That policy is intended to make more money for cell phone providers.
Baking roms for each device needs to be outlawed (Score:5, Insightful)
Why can't non-x86 world ever get its shit together? One unified Windows or Linux image installs on countless hundreds of different x86 things.
Meanwhile everywhere else it's always bake a custom rom specific to each and every variant of every device. Why is it still tolerated? The old excuses of abstraction costing too much made sense 20 years ago. Today it's a joke/lame excuse for tolerating the indefensible.
Wwwwaaaaayyyy past time to fire the cooks.
Re:Baking roms for each device needs to be outlawe (Score:5, Insightful)
The x86 - or rather, the IBM-compatible - world is vastly different to the ARM world when it comes to system design. The entire family tree of x86-derived machines have gravitated towards open, or at least easily-licensed and inter-operable, hardware standards over the decades. Manufacturers want to keep their hardware reasonably compatible with everyone else, lest they be shut out of the market for being too 'niche'.
ARM, on the other hand, is almost the exact opposite. An ARM computer is often a custom-built hodge-podge of licensed hardware modules fitted around whatever ARM core the manufacturer licensed and etched onto silicon. Sound, graphics, memory. and other functions are not plug-and-play replaceable add-ons, but a custom chipset that the system designer picked out and configured. These bespoke system configurations will also have to contend with limitations on driver support and possibly the need to hand-configure settings.
Google has tried to correct this, and pull manufacturers to a more standardized system that would let Google handle a lot of the hard work, but this was never the norm in the embedded space.
Re:Baking roms for each device needs to be outlawe (Score:5, Insightful)
The main problem is locked boot-loaders. If you can't install a custom ROM on a phone, that's probably the reason.
Re: (Score:3)
Actually drivers are the problem. Particular drivers for radios.
In order to pass certification for things like FCC the drivers need to be certified too. If they were open source then the user could just crank up the transmit power on their cellular modem or wifi to illegal levels, and I imagine that the network operators wouldn't be too happy about it either.
This affects the x86 world too. Some laptops have a list of acceptable wifi cards baked into the BIOS. If you try to fit a non-certified one it won't w
Re: Baking roms for each device needs to be outlaw (Score:2)
Re: (Score:3)
The custom ROMs use the binary blob radio drivers from the official ROMs.
Re: (Score:2)
In order to pass certification for things like FCC the drivers need to be certified too. If they were open source then the user could just crank up the transmit power on their cellular modem or wifi to illegal levels
This is what RIL is for. Cell phones communicate with baseband processor using a standardized interface so the argument makes no sense on its face as the OS does not have the capability to command baseband to do something it isn't willing to.
The argument is further frustrated by the fact anyone can buy a USB stick with a GSM radio in it or a laptop with similar hardware to communicate over cellular networks. Yet the presence of such hardware does not preclude the successful installation of generic Linux d
Re: (Score:2)
Android also requires device maps to give you state-of-the-1980s base memory addresses for device MMIO.
There's no PCI(e) interface on your phone, or any other "safe" means of software discovering what hardware is in the device. Just like any 8-bit microcomputer you grew up with, hardware control is done by writing memory values to various hardcoded memory addresses. If the sound driver, for example, doesn't know the exact base address of the sound controller, it won't init the sound at all and may even acc
Re: (Score:2)
Because custom ROMs serve the interests of the people selling the phones, allowing them to issue the phone with undeletable adware or bloatware that they're paid to ensure is on every phone (and which is also undeletable). The fact that they do not serve the interests of the people using the phones is of no concern to them.
Re: (Score:2)
Dude, your comment is 4 years too late. Google released its Hardware abstraction layer with Android version 8, it's now on Version 9, and yes, current phones get security updates very quickly from reputable vendors.
This month, my non-google phone got the February patch update a few hours before the Pixel release was available.
Re: (Score:2)
Dude, your comment is 4 years too late. Google released its Hardware abstraction layer with Android version 8, it's now on Version 9, and yes, current phones get security updates very quickly from reputable vendors.
This month, my non-google phone got the February patch update a few hours before the Pixel release was available.
In what year I will be able to install a generic Linux or Android distro on my cell phone?
PNG needs JavaScript internally. (Score:4, Funny)
Obviously we need complex multimedia formats that are decoded by C code complete with buffer overflows all running in Kernal mode.
But what would be even better is if the PNG could contain JavaScript inside it. Why limit the output to just a few algorithms? With JavaScript running actually inside the PNG much greater compression could be achieved for many applications. More importantly, a whole new plethora of animation techniques could be developed.
Indeed, if that JavaScript within the PNG was used to implement a Virtual Machine, a whole sub operating system could run inside that image. Just think of the possibilities!
We need more, Lots more. Of stuff.
Re: (Score:2)
You thinking of this? https://linux.slashdot.org/sto... [slashdot.org]
Re: (Score:2)
Re: (Score:2)
I know you joke, but I really want to see more details on this. I've gotten older and I don't know the internals of android, but maybe someone can help. The article is just vague.
1. How does this get root access? If your app or webbrowser views an image, isn't that in some kind of 'user-space' running with the rights of the application?
2. I'd really like to see the actual source flaw. I remember a JPEG bug a long time ago with arbitrary code execution. How does this happen exactly. What is the exact lack of
Sounds like a rapper's stage name (Score:5, Funny)
HOW? (Score:2)
How do these things keep happening? What happened to sanity checking your input? Geezus, this is inexcusable.
Safety Proof (Score:2)
How: C, C++, and Java making errors easy.
It's early days & we trade for speed with grossly unsafe situations. It's like a shortcut though a warzone.
We need contacts requiring:
- provably zero: buffer overflows, use-after-free, double-free, stack overflows, memory race conditions
- Malloc failures must crash if unrecoverable.
Then we could begin to have software with greater peace of mind.
Rust does this, as does JavaScript without extensions. Go does most and can be limited to a subset that does all. Some p
Android security updates (Score:2)
Not sure what's up with all the FUD about Android security patch irregularity. My Sony Xperia and One Plus phones are 3 years old and they are still receiving the monthly security updates from the manufacturer, so lag time is at most 2 months. It shouldn't be much different for Samsung and the other more popular brands and models.
It's true that updates between the major versions of Android are slow or even non-existent, but security updates are different. You can remain on an older version of Android and st
Re: (Score:2)
In this topic only Samsung and Sony are mentioned receiving regular updates.
From own experience i can assure you most phones from less respected brands don't receive updates at all, or at most one or two updates right after the release to fix some vendor bugs - and typically introduce new ones. Like how i had a phone receiving an update to fix a battery charging issue. It broke the front camera functionality. No way to uninstall the update either.
It makes me seriously consider my next phone to be a Samsung,
Re: (Score:2)
Counter-example: I have an Alcatel Idol phone, and while I love it for the form factor, the value/price, and the original functionality, I had to roll back and *disable* system updates, because Alcatel chose to push some horrible, intrusive bloatware with them, which pops up annoying dialogs at inconvenient moments, and slows the phone to a crawl. You know, those "optimizers" and "inspectors" trying to upsell you to some antivirus or "über-optimizer". Exploits like this one scare the hell out of me. I
Good (Score:1)
my vendor never pushed update beyond 6.0
simple solution (Score:2)
this just sucks, as we all know a lot of phones are not going to get any fix for this and even the ones that do will have to wait for a longer then normal time. i'm used to almost always same-day fixes on my linux desktop/servers, which is nothing more then normal.
how do we fix this for devices other then pc's/servers?
in this case i see no other way but to make it a law. if, for example, the EU can dictate the standard connector to use for phone-chargers, they should be able to do the same for something way
Android 5 (Score:1)
So my Galaxy S5 is still safe? ...
Android is so shit. With all this spying. Touch interface (on the whole surface too) and with the lack of updates.
Where's the PC equivalent?
20 years of support rule yourself.
Likely doesn't affect most browsers (Score:2)
I saw a reference to Chrome also having its own built-in PNG code (how could it not given its 51+MB download size?) but don't have the same details on it.
This mostly leaves email, messaging and social media as likely vectors for a malicious PNG.
Re: In before smug Apple fans (Score:1)
Truly sorry that you have to be suspicious about all the anime pictures on your Android phone
Re: (Score:3, Insightful)
Re: (Score:3)
Dude, it's Android: you can choose any one of zero security patches provided by your OEM.
I got one update to my phone, once, to 5.5.1.
Re: (Score:2)
Dude, it's Android: you can choose any one of zero security patches provided by your OEM.
I get regular patches for mine (Xioami Mix).
Re: (Score:1)
Sure, if your phone is older than the iPhone 5S (from 2013).
Re: (Score:1)
And at least you'll be able to get the bug fix with a simple security update, without having to also "upgrade" the rest of the phone's OS and accept random UI changes and new software designed to throttle the speed of old phones "for battery reasons" that, strangely, no phone from any other manufacturer suffers from.
The problem with modern android phones is most of them have some variant on stock android that won't get many updates. PCs are the same way, but then I haven't bought a new PC with windows on it, um, ever I think. (They come with so much crap, that an update may be challenging, to say nothing of just using them..) I've bought windows separately a half dozen or so times, but try to stick to Linux where possible. With Linux Mint lately I can image a system over what 20 minutes top?
We need that kind of th
Re: (Score:3)
As an Android user, this is pretty shitty. If it allows arbitrary code execution in privileged context, that means your phone can be rooted just by looking at a web page. Once that happens, you need to restore a clean firmware image or you simply can't trust the phone. That's far worse than being able to access camera/mic if a feature isn't disabled.
Re:In before smug Apple fans (Score:4, Informative)
If, as the summary suggests, this allows arbitrary code to run with elevated permissions simply by viewing a PNG image, then this could be exploited to install malware that runs as root with access to all the data on your device, all your accounts, ability to modify any app, etc. That's pretty fucked up. (Yeah I know summaries can be misleading, but I have a relatively low UID so I've been conditioned over years to never RTFA.)
Re: (Score:2)
It's not. It's a theoretical exploit that may lead to actual exploits, but even then, they likely have to be crafted for the specific phone.
Apple's issue is already patched for all devices that it can occur on (that support Group FaceTime). Millions (hundreds of millions?) of Android devices have this exploit that will never see this patch.
And on top of that, the Apple bug affected only people who received a FaceTime call and did not answer, and the attacker knew the secret combo to activate the bug. In
Re: (Score:3)
Reading the bulletin though it only works when the process that triggers it is privileged in the first place. So there is no privilege escalation. So there isn't a way that this exploit could root a phone.
I'm sure there are things that this could be used for. But it can't get out of the particular sandbox the application that views the PNG is sitting it.
Re: In before smug Apple fans (Score:2)
So if they email you a malicious PNG then they can read all your emails? That's not good. Plus who knows how many privilege escalation zero days may be out there?
Does this apply to all Android apps or just Google Chrome based ones?
Re: (Score:2)
No I don't think so. My reading is that it ONLY works if the process that triggers it is already privileged. It won't work on an unprivileged process at all.
Re: (Score:2)
Re: (Score:2)
Android people like you that defend this inexcusable flaw are the worst kind of scum.
Laying it on a bit thick don't you think? Being a platform apologist is bad, but I wouldn't rank it as "worst kind of scum", even if just limiting to the tech industry or even more so to just mobile OS platforms. Save some room for the real criminals who are making money off your data.
Re: In before smug Apple fans (Score:5, Informative)
But youâ(TM)re not smug at all right?
You don't know if it 's being exploited. You don 't know if it has to be crafted for a specific phone. You don 't know how many phones will actually get that update.
The FaceTime bug was mitigated very soon after disclosure for every single device simultaneously.
Most Android users would love to have the "problem " of having to have the latest OS. Any iPhone user susceptible to the bug already had iOS 12.
All phones suffer when their batteries are old. It's harder to notice when the device runs like shit out of the box.
Re: (Score:2)
Hm. My iPhone 3GS didn't get the update to ios12. As a matter of fact, I think I had to stop updating it around IOS 5 or so. The newer versions of IOS slowed it down to unusability.
Yeah, yeah. I know. I didn't buy hardware, I bought access to ios and the hardware that came along with that purchase was not fit for duty 3 years after purchasing said access to ios. I was supposed to know even if it wasn't printed on the side of the box: This hardware will become unusable after 3 years and there is NOTHING (oth
Re: In before smug Apple fans (Score:2)
iOS 12 runs on 5 year old hardware. Being smug is not necessary to understand the benefits of that.
Your 3GS is not susceptible to this bug.