Information Security News
Millions of Android phones, including the entire line of Nexus models, are vulnerable to attacks that can execute malicious code and take control of core functions almost permanently, Google officials have warned.
The officials have already uncovered one unidentified Google Play app that attempted to exploit the vulnerability, although they said they didn't consider the app to be doing so for malicious purposes. They are in the process of releasing a fix, but at the moment any phone that hasn't received a security patch level of March 18 or later is vulnerable. The flaw, which allows apps to gain nearly unfettered "root" access that bypasses the entire Android security model, has its origins in an elevation of privileges vulnerability in the Linux kernel. Linux developers fixed it in April 2014 but never identified it as a security threat. For reasons that aren't clear, Android developers failed to patch it even after the flaw received the vulnerability identifier CVE-2015-1805 in February 2015.
"An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel," an Android security advisory published Friday stated. "This issue is rated as a critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system."
Over the past decade, there's been an explosion of bug bounty programs that pay hackers big cash rewards for finding vulnerabilities in applications and Web services. On Tuesday, ride-hailing service Uber became the latest company to embrace the trend with the unveiling of its own program.
In most respects, the program is similar to those offered by Google, Facebook, and so many other companies. It pays as much as $10,000 for the most critical vulnerabilities and provides a public forum to acknowledge the smarts of researchers who privately report bugs that no one inside the company was able to identify. Still, there are a few features that its designers say make it stand out from what's been done so far.
For instance, the Uber bounty program comes with a technical treasure map of sorts that's intended to help researchers find high-severity bugs quickly. The treasure map included with Tuesday's announcement enumerates some of the company's most security-sensitive subdomains, along with a brief description of the types of assets that are at stake and the types of vulnerabilities that might threaten them. The entry for partners.uber.com, for instance, describes it as the place driver partners visit to access private driver documents, payment statements, tax information, and other highly sensitive data.