Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Android Cellphones Communications Google Network Privacy Security The Internet

Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image (csoonline.com) 149

An innocent-looking image -- sent either via the internet or text -- could open your Android phone up to hacking. "While this certainly doesn't apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids -- those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0)," reports CSO Online. From the report: The latest bulletin lists 42 vulnerabilities in total -- 11 of which are rated as critical. The most severe critical flaw is in Framework; it "could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process." Although Google had no report of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw for real-world attacks. Android owners were urged to patch as soon as security updates becomes available. But let's get real: Even if your Android still receives security updates, there's no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.
This discussion has been archived. No new comments can be posted.

Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image

Comments Filter:
  • Since the carriers are no longer providing updates.

    • by tsqr ( 808554 )

      I have a 6 uear old Galaxy tablet that still gets security updates from Samsung. I've never kept a phone for longer than two years or so, so I can't speak to that.

      • You're lucky - I have a Galaxy tablet that stopped getting updates 18 months after I bought it (about 2 years after it came out - not enough sales, so not worth looking after those of us that bought it). It's not a problem though, I've just bought any-brand-except-Samsung ever since, and get updates all over the place when I need them. My little Doogee phone might not get an upgrade, but then it cost about £40, so I'll just throw it out and buy a new one instead.

  • let's get real: Even if your Android still receives security updates, there's no telling how long it will be before manufacturers and carriers get it together to push out the patches

    ...I still prefer an iPhone.

    • by subk ( 551165 )

      let's get real: Even if your Android still receives security updates, there's no telling how long it will be before manufacturers and carriers get it together to push out the patches

      ...I still prefer an iPhone.

      Don't believe the hype about update lag, it's not reality. de facto, per se. I'm using an Essential PH-1. I got the patch today.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        I have an LG from 2016 and they haven't released any OS updates since 2017.

    • by sjames ( 1099 )

      If we're hoping to ever see those updates, we better invest in cryogenics.

    • by AmiMoJo ( 196126 )

      Because Apple ignores critical security flaws like he Facetime bug?

      In this case TFA is wrong. While the patches fix the underlying issue, mitigations are already available to all Android users via the Play Store and component updates which have already rolled out to users regardless of manufacturer.

    • iPhones prior to 5S don't get the OS update that is for some reason required to fix Apple's recent "FaceTime as spy tool" bug, even though that's a bug in an app, and not in the OS. Tell us again how smug you are about Apple's support strategy.

  • Privileged Code? (Score:5, Interesting)

    by crow ( 16139 ) on Monday February 11, 2019 @09:50PM (#58107548) Homepage Journal

    You can use this bug to execute privileged code? I assume that means as root. If someone publishes example code at some point, we could get a really convenient way to root phones. Maybe I should avoid updates for a while.

  • Memory Access Bugs (Score:4, Interesting)

    by mentil ( 1748130 ) on Monday February 11, 2019 @10:08PM (#58107590)

    More OS memory access bugs [slashdot.org], yay.
    According to this breakdown [openhub.net], 88% of Android OS is written in Java, C, and C++ -- all of which are notorious for memory access bugs (in the runtime environment, in the case of Java). Perhaps the #1 security best practice should be to use a language designed to be memory safe. Right below that would be "don't try to bolt on security to insecure software."

    • "don't try to bolt on security to insecure software."

      Oh you mean, like the TCP/IP protocols we all use today? Security wasn't even close to on the minds of the original specs.

      Kind of shows.

    • all of which are notorious for memory access bugs (in the runtime environment, in the case of Java).

      Android does not run a JVM as far as I know, but Dalvik. And the only famous JVM memory access bug a five-second search gave me was from 2002.

  • Google has been EXTREMELY self-destructive by allowing Android to be a method of abusing customers, in my opinion.

    Android generally gets NO updates. That policy is intended to make more money for cell phone providers.
  • by WaffleMonster ( 969671 ) on Monday February 11, 2019 @11:19PM (#58107818)

    Why can't non-x86 world ever get its shit together? One unified Windows or Linux image installs on countless hundreds of different x86 things.

    Meanwhile everywhere else it's always bake a custom rom specific to each and every variant of every device. Why is it still tolerated? The old excuses of abstraction costing too much made sense 20 years ago. Today it's a joke/lame excuse for tolerating the indefensible.

    Wwwwaaaaayyyy past time to fire the cooks.

    • by Anonymous Coward on Tuesday February 12, 2019 @01:15AM (#58108028)

      The x86 - or rather, the IBM-compatible - world is vastly different to the ARM world when it comes to system design. The entire family tree of x86-derived machines have gravitated towards open, or at least easily-licensed and inter-operable, hardware standards over the decades. Manufacturers want to keep their hardware reasonably compatible with everyone else, lest they be shut out of the market for being too 'niche'.

      ARM, on the other hand, is almost the exact opposite. An ARM computer is often a custom-built hodge-podge of licensed hardware modules fitted around whatever ARM core the manufacturer licensed and etched onto silicon. Sound, graphics, memory. and other functions are not plug-and-play replaceable add-ons, but a custom chipset that the system designer picked out and configured. These bespoke system configurations will also have to contend with limitations on driver support and possibly the need to hand-configure settings.

      Google has tried to correct this, and pull manufacturers to a more standardized system that would let Google handle a lot of the hard work, but this was never the norm in the embedded space.

      • by phantomfive ( 622387 ) on Tuesday February 12, 2019 @01:41AM (#58108106) Journal
        All of those ARM chips (in Android) use GCC, an open compiler, so it isn't the chip that's causing problems. Most of the drivers are all open-sourced (the kernels is GPL, so they more-or-less have to), so it's not the hardware that's a problem.

        The main problem is locked boot-loaders. If you can't install a custom ROM on a phone, that's probably the reason.
        • by AmiMoJo ( 196126 )

          Actually drivers are the problem. Particular drivers for radios.

          In order to pass certification for things like FCC the drivers need to be certified too. If they were open source then the user could just crank up the transmit power on their cellular modem or wifi to illegal levels, and I imagine that the network operators wouldn't be too happy about it either.

          This affects the x86 world too. Some laptops have a list of acceptable wifi cards baked into the BIOS. If you try to fit a non-certified one it won't w

          • I am sure you read that somewhere, but wherever you read that, I would not trust them as a source anymore. What phone can get past the bootloader, have a custom ROM installed, and then can't use the radio?
          • In order to pass certification for things like FCC the drivers need to be certified too. If they were open source then the user could just crank up the transmit power on their cellular modem or wifi to illegal levels

            This is what RIL is for. Cell phones communicate with baseband processor using a standardized interface so the argument makes no sense on its face as the OS does not have the capability to command baseband to do something it isn't willing to.

            The argument is further frustrated by the fact anyone can buy a USB stick with a GSM radio in it or a laptop with similar hardware to communicate over cellular networks. Yet the presence of such hardware does not preclude the successful installation of generic Linux d

      • by segin ( 883667 )

        Android also requires device maps to give you state-of-the-1980s base memory addresses for device MMIO.

        There's no PCI(e) interface on your phone, or any other "safe" means of software discovering what hardware is in the device. Just like any 8-bit microcomputer you grew up with, hardware control is done by writing memory values to various hardcoded memory addresses. If the sound driver, for example, doesn't know the exact base address of the sound controller, it won't init the sound at all and may even acc

    • Because custom ROMs serve the interests of the people selling the phones, allowing them to issue the phone with undeletable adware or bloatware that they're paid to ensure is on every phone (and which is also undeletable). The fact that they do not serve the interests of the people using the phones is of no concern to them.

    • Dude, your comment is 4 years too late. Google released its Hardware abstraction layer with Android version 8, it's now on Version 9, and yes, current phones get security updates very quickly from reputable vendors.

      This month, my non-google phone got the February patch update a few hours before the Pixel release was available.

      • Dude, your comment is 4 years too late. Google released its Hardware abstraction layer with Android version 8, it's now on Version 9, and yes, current phones get security updates very quickly from reputable vendors.

        This month, my non-google phone got the February patch update a few hours before the Pixel release was available.

        In what year I will be able to install a generic Linux or Android distro on my cell phone?

  • by aberglas ( 991072 ) on Monday February 11, 2019 @11:55PM (#58107882)

    Obviously we need complex multimedia formats that are decoded by C code complete with buffer overflows all running in Kernal mode.

    But what would be even better is if the PNG could contain JavaScript inside it. Why limit the output to just a few algorithms? With JavaScript running actually inside the PNG much greater compression could be achieved for many applications. More importantly, a whole new plethora of animation techniques could be developed.

    Indeed, if that JavaScript within the PNG was used to implement a Virtual Machine, a whole sub operating system could run inside that image. Just think of the possibilities!

    We need more, Lots more. Of stuff.

    • You thinking of this? https://linux.slashdot.org/sto... [slashdot.org]

    • I know you joke, but I really want to see more details on this. I've gotten older and I don't know the internals of android, but maybe someone can help. The article is just vague.

      1. How does this get root access? If your app or webbrowser views an image, isn't that in some kind of 'user-space' running with the rights of the application?

      2. I'd really like to see the actual source flaw. I remember a JPEG bug a long time ago with arbitrary code execution. How does this happen exactly. What is the exact lack of

  • by jfdavis668 ( 1414919 ) on Tuesday February 12, 2019 @01:27AM (#58108076)
    Malicious PNG
  • How do these things keep happening? What happened to sanity checking your input? Geezus, this is inexcusable.

    • How: C, C++, and Java making errors easy.

      It's early days & we trade for speed with grossly unsafe situations. It's like a shortcut though a warzone.

      We need contacts requiring:
      - provably zero: buffer overflows, use-after-free, double-free, stack overflows, memory race conditions
      - Malloc failures must crash if unrecoverable.

      Then we could begin to have software with greater peace of mind.

      Rust does this, as does JavaScript without extensions. Go does most and can be limited to a subset that does all. Some p

  • Not sure what's up with all the FUD about Android security patch irregularity. My Sony Xperia and One Plus phones are 3 years old and they are still receiving the monthly security updates from the manufacturer, so lag time is at most 2 months. It shouldn't be much different for Samsung and the other more popular brands and models.

    It's true that updates between the major versions of Android are slow or even non-existent, but security updates are different. You can remain on an older version of Android and st

    • by xonen ( 774419 )

      In this topic only Samsung and Sony are mentioned receiving regular updates.
      From own experience i can assure you most phones from less respected brands don't receive updates at all, or at most one or two updates right after the release to fix some vendor bugs - and typically introduce new ones. Like how i had a phone receiving an update to fix a battery charging issue. It broke the front camera functionality. No way to uninstall the update either.
      It makes me seriously consider my next phone to be a Samsung,

    • Counter-example: I have an Alcatel Idol phone, and while I love it for the form factor, the value/price, and the original functionality, I had to roll back and *disable* system updates, because Alcatel chose to push some horrible, intrusive bloatware with them, which pops up annoying dialogs at inconvenient moments, and slows the phone to a crawl. You know, those "optimizers" and "inspectors" trying to upsell you to some antivirus or "über-optimizer". Exploits like this one scare the hell out of me. I

  • by Anonymous Coward

    my vendor never pushed update beyond 6.0

  • this just sucks, as we all know a lot of phones are not going to get any fix for this and even the ones that do will have to wait for a longer then normal time. i'm used to almost always same-day fixes on my linux desktop/servers, which is nothing more then normal.

    how do we fix this for devices other then pc's/servers?

    in this case i see no other way but to make it a law. if, for example, the EU can dictate the standard connector to use for phone-chargers, they should be able to do the same for something way

  • So my Galaxy S5 is still safe? ...

    Android is so shit. With all this spying. Touch interface (on the whole surface too) and with the lack of updates.

    Where's the PC equivalent?
    20 years of support rule yourself.

  • One of the Firefox for Android developers confirmed that they're using their own built-in libpng (with a link to its place in the source), so Firefox is likely unaffected. I didn't check separately on Firefox Focus, but I suspect it shares much of the code base.

    I saw a reference to Chrome also having its own built-in PNG code (how could it not given its 51+MB download size?) but don't have the same details on it.

    This mostly leaves email, messaging and social media as likely vectors for a malicious PNG.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...