Some Google Android Security Bugs will not solve because it can lead to other difficulties, some bugs is in no hurry to fix because it not consider serious enough to warrant a patch quickly.
Vulnerability in the latter camp has emerged this week. Core Security has reported a bug Google last September and released details on Monday flaw after disagreeing with Google's vulnerability assessment. The flaw is in a Wi-Fi Direct, Wi-Fi standard adopted in Android that allows devices like smartphones, game consoles and laptops to connect to each other directly.
Disclosure of Core Security of the fault this week was the final phase of an ongoing dispute between the two organizations to see if the bug is really critical.
According to Core Security, an attacker could hit vulnerable Android smartphones when they are looking for other Wi-Fi devices Direct, and a successful attack could trigger a restart or "denial of service".
"An attacker could send a 802.11 Probe Response frame designed Dalvik causing the subsystem to restart because of the WiFiMonitor Unhandle Exception class," said Core Security on its board.
Core Security reported the problem to Google Android security team on September 26, and after confirmation from Google that it had received the report, Core Security said it would publish details of the bug on October 20.
Just before the deadline of October, the Android security team said Core Security bug was "less serious" and that he had no timetable for when it would release a fix. The security cabinet decided to refuse to publish the details of the bug if he tried to convince Google that it was more serious than the search giant believed. However, Google has maintained its position and reiterated that there was no timeline for a fix.
Core Security notified Google intends to publish its Board on January 26, which he did.
The bug has been confirmed to affect a subset of Android devices, including the Nexus 4 and Nexus 5 running Android 4.4.4 KitKat; The D806 model LD and Samsung SM-T310, both running Android 4.2.2; and the Motorola RAZR HD Android 4.1.2. However, devices running Android 5.0.1 and Android 5.0.2 are not.
The bug is related to the use of Android with a modified version of wpa_supplicant * * Wi-Fi component to manage the exchange of information on Wi-Fi Direct.
"On some Android devices during the processing of a probe response frame with a WiFi-Direct information element (P2P) that contains a device name attribute with specific bytes generates a chain of events begging malformed that eventually throw IllegalArgumentException, "said Core Security. "As this exception is not handled the system reboots Android."
One factor that reduces the severity of the bug is that direct Wi-Fi devices are not always scanning for connections, Jon Oberheide, founder of Duo Security, told the post threat. While the flaw can be exploited remotely, The Attacker Would Also Need To Be Nearby, he added.
-------------------------
Posts
0 Comments:
Post a Comment