Jump to content



Photo

  • Please log in to reply
6 replies to this topic

#1 Max Norris

Max Norris

    Neowinian Senior

  • 4,211 posts
  • Joined: 20-February 11
  • OS: Windows, BSD Unix, Occasionally OSX or Linux
  • Phone: HTC One (Home) Lumia 1020 (Work)

Posted 28 June 2014 - 17:07

Note this doesn't apply to 4.4 or higher as it's been patched, the issue is with the older versions.
 

Researchers have warned of a vulnerability present on an estimated 86 percent of Android phones that may allow attackers to obtain highly sensitive credentials, including cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices.

The vulnerability resides in the Android KeyStore, a highly sensitive region of the Google-made operating system dedicated to storing cryptographic keys and similar credentials, according to an advisory published this week by IBM security researchers. By exploiting the bug, attackers can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets. The advisory said Google has patched the stack-based buffer overflow only in version 4.4, aka KitKat, of Android. The remaining versions, which according to Google figures run 86.4 percent of devices, have no such fix.


http://arstechnica.c...-86-of-devices/


#2 Enron

Enron

    Windows for Workgroups

  • 8,825 posts
  • Joined: 30-May 11
  • OS: Windows 8.1 U1
  • Phone: Nokia Lumia 900

Posted 28 June 2014 - 17:17

Why don't they patch old Android versions?



#3 Buttus

Buttus

    Neowinian Senior

  • 3,264 posts
  • Joined: 07-September 05

Posted 28 June 2014 - 17:23

"Attackers would also have to have an app installed on a vulnerable handset."

 

if you're letting people have access and install apps on your phone, you've already lost the battle.....



#4 MillionVoltss

MillionVoltss

    Neowinian Senior

  • 2,273 posts
  • Joined: 21-May 04

Posted 28 June 2014 - 17:52

Why don't they patch old Android versions?

 Cost, Why develop and test patches for hundreds of versions



#5 BobSlob

BobSlob

    Neowinian

  • 167 posts
  • Joined: 07-May 07

Posted 28 June 2014 - 17:56

 Cost, Why develop and test patches for hundreds of versions

 

Because something ridiculous like 8% of handsets run the newest version of Android...



#6 Enron

Enron

    Windows for Workgroups

  • 8,825 posts
  • Joined: 30-May 11
  • OS: Windows 8.1 U1
  • Phone: Nokia Lumia 900

Posted 28 June 2014 - 18:15

 Cost, Why develop and test patches for hundreds of versions

 

Because they created it? At least support more than just the latest version.



#7 FloatingFatMan

FloatingFatMan

    Resident Fat Dude

  • 15,364 posts
  • Joined: 23-August 04
  • Location: UK

Posted 29 June 2014 - 14:51

Because they created it? At least support more than just the latest version.

 

Because it's not them who roll out updates to handsets, it's either the telco's themselves... or the OEM's.





Click here to login or here to register to remove this ad, it's free!