Over 86 percent of all Android devices remain vulnerable
The flagrant fragmentation that has come to be associated with Android is once again in focus, with IBM Security researchers shedding light on a major vulnerability (CVE-2014-3100) affecting the all-important Android KeyStore service, which is used for storing cryptographic keys and other sensitive credentials. Although the said vulnerability has been fixed in the latest version of the operating system (Android Kitkat 4.4), the problem is that the vast majority of Android users don’t have the latest version.
According to the security advisory issued by the IBM security researchers, they discovered this Android KeyStore stack buffer overflow vulnerability over nine months ago, and in keeping with their responsible disclosure policy, quietly reported it to the Android security team. They refrained from going public for so long mainly due to the seriousness of the vulnerability and “Android’s fragmented nature.”
Per the advisory, an attacker can use the vulnerability to execute malicious code under the KeyStore process on devices running Android 4.3 or lower (around 86 percent of all Android devices), with the successful exploitation having the potential to expose the device’s lock credentials, leak cryptographic keys, and enable unauthorized “crypto operations (e.g., arbitrary data signing).”
However, the advisory notes that exploiting the flaw isn’t exactly a cakewalk, as Android has a number of built-in safeguards against such malicious code execution, including data execution prevention (DEP) and address space layout randomization (ASLR).