Android security on the ropes with one-two punch from researchers

by Dan Goodin from Ars Technica - All content on (#HATW)

Android security woes got worse on Thursday, with two separate reports of code defects that put millions of end users at risk.

The first involves the update Google released last week fixing a flaw that allowed attackers to execute malicious code on an estimated 950 million phones with nothing more than a maliciously crafted text message. Seven days later, security researchers are reporting that the patch, which has been in Google's possession since April, is so flawed that attackers can exploit the vulnerability anyway.

"The patch is 4 lines of code and was (presumably) reviewed by Google engineers prior to shipping," Jordan Gruskovnjak and Aaron Portnoy, who are researchers with security firm Exodus Intelligence, wrote in a blog post published Thursday. "The public at large believes the current patch protects them when it in fact does not."

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/