Android 4.3 and Earlier affected by Critical Code-Execution Flaw

Pierluigi Paganini June 28, 2014

A serious code-execution vulnerability in Android 4.3 and earlier was patched with latest KitKat Android Operating System version.

Are you using the Android 4.3 version and you are convinced to be secure? You are unfortunately wrong, because this version of Android and earlier are affected by a critical code-execution vulnerability.

An attacker can theoretically exploit the vulnerability in the Android 4.3 and earlier versions with a malicious application, but as explained by the experts at work exploit is hard to realize due to the presence of numerous difficulties likes the need to to bypass memory-based protections native to the operating system, including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
The Data Execution Prevention is an exploit mitigation that is used to prevent execution of malicious code, but the attackers have had success to bypass it using the Return Oriented Programming (ROP) attacks. The ASLR is used to mitigate buffer overflow attacks randomizing the memory locations used by system files and other programs, implementing this technique it is hard to guess the location of a given process.

“However, the Android KeyStore is respawned every time it terminates. This behavior enables a probabilistic approach; moreover, the attacker may even theoretically abuse ASLR to defeat the encoding” states the post.

The experts confirmed that they haven’t seen the flaw being exploited in the wild yet.
Currently Google is distributing the Android KitKat 4.4.4 with build number KTU84P (branch kitkat.-mr21-release), the new update was mainly issued to fix the CCS Injection Vulnerability (CVE-2014-0224).
Don’t waste time update your device when new version will be available for your mobile.

Pierluigi Paganini

(Security Affairs –  Android 4.3,Code-Execution Flaw)

you might also like

leave a comment