Some tips from me regarding handling servicing your "stuff"...via nakedsecurity.sophos.com: Android devices hit by zero-day exploit Google thought it had patched

in #android, 5 years ago


by John E Dunn

Google has admitted that some Android smartphones have recently become vulnerable to a serious zero-day exploit that the company thought it had patched for good almost two years ago.

The issue came to light recently when Google’s Threat Analysis Group (TAG) got wind that an exploit for an unknown flaw, attributed to the Israeli NSO Group, was being used in real-world attacks.

Digging deeper into the exploit’s behaviour, Project Zero researcher Maddie Stone said she was able to connect it to a flaw in Android kernel versions 3.18, 4.14, 4.4, and 4.9 that was fixed in December 2017 without a CVE being assigned.

Somehow, that good work was undone in some later models – or never applied in the first place – leaving a list of vulnerable smartphones running Android 8.x, 9.x and the preview version of 10.

The flaw is now identified as CVE-2019-2215 and described as a:

Kernel privilege escalation using a use-after-free vulnerability, accessible from inside the Chrome sandbox.

The result? Full compromise of unpatched devices, probably served from a malicious website without the need for user interaction, in conjunction with one or more other exploits. It also requires that the attacker has installed a malicious app.

Affected models:

Google – Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL
Samsung – S7, S8, S9
Xiaomi – Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1
Huawei – P20
Oppo – A3
Motorola – Moto Z3
LG – Oreo LG phones

This official list is probably not exhaustive, so just because your phone isn’t on the list doesn’t mean it isn’t vulnerable. However, Google has confirmed that the Pixel 3 and Pixel 3a are not affected. Google added:

We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

For most users, a fix will ship with the October Android security update next week after phone makers have checked it works on their devices.

The unusual element of this story is the alleged involvement of the NSO Group, a commercial organisation connected to an attack in May affecting Facebook’s WhatsApp.

Many of the attacks involve campaigns against Non-Governmental Organisations (NGOs) using a spyware tool called Pegasus popular with nation-state intelligence services.

NSO has, of course, claimed that its tool is used legitimately although how it can be certain it hasn’t fallen into the wrong hands has never been made clear.

Link to original article


My two sats on this...

People should drop the false sense of security that comes with using Android, like NOW!

Again and again I'm confronted with the urban legend that Android is more secure than the competition because the many different Android flavors out there fragment the attack surface so much that the likelihood of being a victim is close to 0.

That is absolutely not true!

We will see, again and again, vulnerabilities that cover most of the popular Android distributions in one go. This one sits in the Android kernel itself, which every vendor build ships, so the "flavor" on top makes no difference.

Do yourself a favor and try to keep up to date with infosec/opsec news for all of the devices you have in use!

I know this needs some attention, effort and maybe even love to do adequately, but once you've gotten the hang of it, it'll become "muscle memory" to check on recent flaws, vulnerabilities and available patches or workarounds.

Start by making an inventory of your computers, smartphones, tablets, routers, access points, smart home devices and so on.

  • Research the relevant sources for patches and updates for your "stuff" (the manufacturer's security bulletin page, the OS vendor's monthly bulletin, the router firmware changelog).

  • Research the relevant information sources for bugs, vulnerabilities and flaws (vendor advisories, CVE entries, infosec news sites).

  • Drop all that into a spreadsheet, for instance, and voila, you have kick-started a little CMDB (configuration management database). A few columns go a long way: device, owner, platform, OS version, current patch level, and the date you last checked it.

  • Try to visualize the communication/connection relations in your environment: fire up any paint/drawing/sketching app, or take a pen and sketch out your stuff. This is very helpful for identifying your possible attack surface and attack vectors.

  • Set up a realistic checking routine that you feel comfortable with and that is unlikely to be defeated by laziness or other "higher" priorities. A weekly interval is great if you can find the time; even a four-weekly interval is more than most users do!

  • Keep in mind that most stuff can be attacked, but "blanket" attack campaigns mostly use well-known and "old" flaws and vulnerabilities, so every step you take to protect yourself from these reduces the probability of damage significantly. 0-day vulnerabilities are much rarer, but of course they exist too. Depending on their nature, manufacturers will most likely try to fix them quickly by providing a patch or suggesting a configuration workaround. If no information is available, use your CMDB and your infrastructure sketch to find alternative ways to close the attack vector (for instance by closing a port on your router/firewall), or take the device or service offline until a fix/patch/workaround becomes available.
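To make the routine above concrete, here is an added example of my own (not code from this post, from Sophos or from Google): a tiny "CMDB" as inline CSV, one advisory record for CVE-2019-2215, and the two checks a weekly or four-weekly review would run: which devices sit below the advisory's fix patch level (or have no known patch level at all), and which devices nobody has looked at within the agreed interval. The device rows are constructed, and the fix patch level 2019-10-06 is an assumption, since the article only says the fix ships with the October update.

```python
"""Minimal 'home CMDB' patch check (added example, not the post's own tooling).

Android reports its security patch level as a YYYY-MM-DD string
(ro.build.version.security_patch, shown under Settings > About phone).
A device is covered by an advisory once its patch level is on or after
the fix patch level the vendor bulletin names.
"""
import csv
import io
from datetime import date, timedelta

# Constructed inventory in the shape of the spreadsheet described above;
# the rows are made up, not anyone's real devices.
INVENTORY_CSV = """\
device,owner,platform,version,patch_level,last_checked
Pixel 2,lucky,android,9,2019-09-05,2019-09-08
Galaxy S8,partner,android,9,2019-10-06,2019-10-07
Redmi Note 5,kid,android,8.1,2019-07-01,2019-06-15
Moto Z3,guest,android,9,,2019-10-01
home-router,lucky,openwrt,18.06.4,,2019-08-01
"""

# Constructed advisory list. CVE-2019-2215 is the flaw from the article; the
# fix patch level 2019-10-06 is an assumption (the article only says "October").
ADVISORIES = [
    {
        "id": "CVE-2019-2215",
        "platform": "android",
        "fixed_patch_level": "2019-10-06",
        "note": "kernel use-after-free, privilege escalation, exploited in the wild",
    },
]

# Date of the review run used by the script below (constructed).
REVIEW_DATE = date(2019, 10, 8)


def parse_inventory(text):
    """Read the CSV 'CMDB' into a list of dicts, one per device."""
    return list(csv.DictReader(io.StringIO(text)))


def _to_date(value):
    """Empty cells mean 'unknown'; anything else must be ISO YYYY-MM-DD."""
    return date.fromisoformat(value) if value else None


def affected_devices(inventory, advisories):
    """Match every advisory against every device on the same platform.

    Returns (device, advisory id, reason). A device with an unknown patch
    level is flagged too: 'not on the affected list' is not the same as
    'not affected', so the conservative reading is 'assume vulnerable until checked'.
    """
    findings = []
    for dev in inventory:
        for adv in advisories:
            if dev["platform"] != adv["platform"]:
                continue
            level = _to_date(dev["patch_level"])
            fixed = _to_date(adv["fixed_patch_level"])
            if level is None:
                findings.append((dev["device"], adv["id"], "patch level unknown"))
            elif level < fixed:
                findings.append(
                    (dev["device"], adv["id"],
                     f"patch level {level} is older than fix {fixed}")
                )
    return findings


def overdue_checks(inventory, today, interval_days=28):
    """Devices not looked at within the agreed checking interval."""
    if isinstance(today, str):
        today = _to_date(today)
    limit = timedelta(days=interval_days)
    return [dev["device"] for dev in inventory
            if today - _to_date(dev["last_checked"]) > limit]


if __name__ == "__main__":
    devices = parse_inventory(INVENTORY_CSV)
    for device, cve, reason in affected_devices(devices, ADVISORIES):
        print(f"PATCH  {device}: {cve}, {reason}")
    for device in overdue_checks(devices, REVIEW_DATE):
        print(f"CHECK  {device}: not reviewed in the last 28 days")
```

Run it as a script to print the findings. The "unknown patch level" case is deliberately flagged rather than skipped, matching the article's warning that a phone missing from the affected list is not thereby safe. To grow it, add one advisory record per bulletin you track and a column per device for the URL where its patches are published, which is exactly the "relevant sources" research from the list above.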


Definition - What does Zero Day Vulnerability mean?

A zero-day vulnerability is a software flaw or security hole that is unknown to the vendor, and so has no patch yet, but that attackers can already exploit. The name comes from the vendor having had "zero days" to fix it by the time the exploitation becomes known, which is exactly the situation in the story above: the flaw was used in the wild before the October patch was available.


So, how are you handling the maintenance and servicing of your environment?

Do you think that my little "howto" on going about these recurring tasks is doable for you?

Please let me know what you think and drop me a comment!

Cheers
Lucky


Well that's not concerning at all..... 😳

Hey Jaynie!

Yep, I know! This will continue to happen and in this case at least the process of making this transparent has worked pretty efficiently/timely.

I thought I'd take this opportunity to give a few tips on some methodology for a recurring check/patch process, like it is done in a professional ITSM (information technology service management) process.

I know it maybe sounds like an ooof... but once people lay the groundwork for this by an assessment, documentation and setting up a recurring schedule to look over their relevant stuff it isn't soooo bad anymore. Hahaha!

Cheers!
Lucky

It's just getting to that stage though hahahahaha!!!
