ross549 Posted July 30, 2014

https://securityledger.com/2014/07/old-apache-code-at-root-of-android-fakeid-mess/

The vulnerability was disclosed on Tuesday. It affects devices running Android versions 2.1 to 4.4 (“KitKat”), according to a statement released by Bluebox.

According to Bluebox, the vulnerability was introduced to Android by way of the open source Apache Harmony module. It affects Android’s verification of digital signatures that are used to vouch for the identity of mobile applications, according to Jeff Forristal, Bluebox’s CTO. He will be presenting details about the FakeID vulnerability at the Black Hat Briefings security conference in Las Vegas next week.

In an email statement to The Security Ledger, a Google spokesman acknowledged working with Bluebox to fix the vulnerability. “After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP,” he wrote. “Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability.”

Hopefully this gets pushed out FAST.

Adam
securitybreach Posted July 30, 2014

Thanks for the heads-up, Adam.
Guest LilBambi Posted July 30, 2014

Yes, let's hope this gets pushed out quickly.
securitybreach Posted August 2, 2014

That and, of course, Nexus devices get the updates right away. Or you can run AOSP (Android Open Source Project) ROMs and get the updates as well.
ross549 Posted August 2, 2014

But aren't phone companies notorious for never or rarely patching their OS? (Yes, Android does other things besides phone...)

Yes, LG, Samsung, and others are generally slow to push major updates. Making it harder are the cellular carriers that have their own specific configuration and software. I am not sure about security fixes, though.

Adam