Tag Archives: google project zero

Google Android Zero Day Vulnerability Disclosed

Late last Thursday Google disclosed information concerning a zero-day (defined) vulnerability being used to exploit Google Android powered smartphones e.g. Google Pixel and phones from Huawei, Samsung and Xiaomi.

================
TL DR
================
Be cautious of the apps you download in advance of a patch being made available. The web browsing means of exploitation requires a pre-existing exploit. A list of vulnerable phones is provided below. Update your smartphone to the October 2019 patch when it becomes available.

What details of this vulnerability have been released?
The following smartphones have been confirmed as vulnerable:

1) Pixel 1 and 2 with Android 9 and Android 10 preview

2) Huawei P20

3) Xiaomi Redmi 5A

4) Xiaomi Redmi Note 5

5) Xiaomi A1

6) Oppo A3

7) Moto Z3

8) Oreo LG phones (run same kernel according to website)

9) Samsung Galaxy S7, S8, S9

====================
Not Vulnerable: Google Pixel 3 and 3a
====================
The vulnerability is a local privilege escalation vulnerability (defined) making use of a use after free (defined) issue in the Android binder driver (defined) which has the potential to provide an attacker with full control of the device. The first means of exploiting this vulnerability is via a rogue app. Google Project Zero researcher Maddie Stone adds further details for the second means of exploitation: “If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox”.

In other words, in order to use the second means of exploitation an attacker would already need to have loaded an exploit on your phone that they know the device is vulnerable, making this avenue of attack less likely.

How can I protect my device from this vulnerability?
Try to only download your apps from the Google Play store in advance of a patch becoming available. Read the reviews of the app to make certain it is a genuine app that works as intended. Scan any new app with trusted anti-malware software before you open it (while I acknowledge anti-malware software is not 100% accurate it can provide further protection over not using it).

Install the October 2019 security update when it becomes available for your smart device.

Thank you.

Apple KeyChain Vulnerability Disclosed

Last week a security researcher publicly disclosed a vulnerability within Apple macOS’ Keychain (Apple’s password management system). The exact proof of concept code has not been released.

TL DR:  This vulnerability is currently unpatched by Apple. Be cautious of the links you click on, email attachments and applications you download/open. Keep your system current with already released updates. Watch for updates from Apple in the near future.

Why should this vulnerability be considered important?
This vulnerability affects all versions of Apple macOS up to the most recent 10.14.3 (Mojave). Apple Keychain is used to store passwords for application, websites and servers. This information is encrypted by default blocking access via other means without your permission.

However; the exploit allows an attacker to access this information from a standard user account (thus not requiring root (defined)(privileged) access) without generating a password prompt. The keychain must first be unlocked but it is when you are logged into the system. The System keychain which contains (among other items) is not affected. Thus, if the attacker can persuade you to run an application of their choice (e.g. substituting an app that looks like an app you regularly download manually); they could obtain your passwords/sensitive information. A YouTube video demonstrating the custom application designed to exploit this is provided below:

https://youtu.be/nYTBZ9iPqsU

How can I protect myself?
Please see the TL DR above. You should also consider manually locking your keychain or setting a keychain specific password (further details below).

===========

Lock your Keychain:
Open Keychain Access in the Applications: Utilities folder. Select your keychain (usually your user name) in the drawer (click on Show Keychains in the toolbar if it’s not visible). Then choose Edit: Change Settings For Keychain keychain name. Select Lock After 5 Minutes Of Inactivity (or lower according to your preference).

Password Protect Your Keychain:
Open the Keychain Access application, and select your keychain in the drawer. Select Edit: Change Password For Keychain keychain name, and then enter a new password.

With thanks to MacWorld:

===========

Why did the researcher not disclose this to Apple privately?
The researcher, Linus Henze chose not to privately disclose this to Apple since while Apple have a bug bounty for iOS which is by invite only; they don’t have such a program for macOS. The researcher wishes to highlight this omission. A quote from the researcher is included below (my thanks to Sergiu Gatlan of BleepingComputer.com) for this:

“Please note that even if it looks like I’m doing this just for the money, this is not my motivation at all in this case. My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers. I really love Apple products and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program (like other big companies already have)”

Separately he is not the only researcher to be criticising Apple’s approach to vulnerability remediation. Ian Beer of Google Project Zero publicly criticised Apple last August for simply fixing vulnerabilities rather than thinking of them in an exploit context namely “Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could have found [the bug] earlier? Who had access to this code and reviewed it and why, for whatever reason, didn’t they report it?”

Thank you.