Researcher blames vulnerable code re-use for zero-day in Android’s CyanogenMod | #android | #security


If you installed CyanogenMod on your Android, then your device is purportedly vulnerable to a zero-day blamed on code re-use. At the Ruxcon Security Conference in Australia, an unnamed security researcher revealed that CyanogenMod developers “copy-pasted” Oracle’s “sample code for Java 1.5” and that’s what puts Android devices with CyanogenMod at risk of man-in-the-middle attacks.  

The Register reported that the security researcher does not want his name used, but he warned that CyanogenMod and a “ton of others” have reused code that was reported to have SSL vulnerabilities back in 2012. He said:

“If you go and create a SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the ‘organization name’ field you put the ‘value,cn=*domain name*, it will be accepted as the valid domain name for the certificate.”

“Cyanogenmod uses this implementation for its browsers so you can go now and MitM someone’s phone.” 

There had been over 10 million installs as of December 2013, but that number was derived by users leaving the CyanogenMod stats enabled on their Android phones and tablets. The CyanogenMod stats map certainly is active, but there is no current stats number for how many total installs there have been in the last 10 months. Nevertheless, a zero-day vulnerability in the Cyanogen build of Android allegedly puts millions upon millions of users at risk. The newest version CM 11.0 M11 was just released last week on Oct. 8; the CyanogenMod blog has yet to respond to the zero-day allegation.

Although the security researcher “responsibly disclosed the flaw to affected vendors,” CyanogenMod did not respond; he then mentioned the zero-day that allows MitM attacks at Ruxcon. He described the fix as “fairly simple,” adding that “the exposure served as an academic exercise in the perils of code reuse.”

Code re-use is exceedingly common and some variation of repackaged code generally makes the top 10 list of cybersecurity threat predictions every year. According to The Stack, of the 3,000 previously “unidentified malware entities” that “flood the network every day, many are old ‘friends’ repackaged to generate hashes unfamiliar to the databases of BitDefender, Symantec and other anti-malware companies, and this guarantees them at least an hour in the wild, if not a whole ‘zero’ day.”

“But others are genuinely evolutionary” and “mimic the behavior patterns of benign software, in an attempt to avoid wasting its payload behavior on a sandbox or virtualized environment.” Giovanni Vigna, CTO of Lastline and Director of the Center for Cybersecurity at the University of California, Santa Barbara, spoke about the evolution of evasive malware at IP Expo Europe. This “new” malware “wants to know is if it is running in front of a real user and in a real system, and to this end it has developed an ever-growing map of tell-tale signs that it might not be in Kansas after all.”

Copyright © 2014 IDG Communications, Inc.



Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

thirty five − = twenty five