Ping to dayglored and Shadow Ace for your lists. . .
Android Security
Ping!
If you want on or off the Mac Ping List, Freepmail me.
Posted on 08/13/2015 9:27:48 PM PDT by Swordmaker
Faulty Stagefright patch and newly reported sandbox bypass leave users exposed.
Link only due to copyright infringement issues from Ars Technica. Read more at the link.
Ping to dayglored and Shadow Ace for your lists. . .
If you want on or off the Mac Ping List, Freepmail me.
Well, at least we need to consider starting up an Android ping list.
It's beginning to look as if there is a dire need for one.
Thanks to Swordmaker for the heads-up.
Anybody want to start up an Android Ping List???
Don't you all rush forward to volunteer, now, we just need one good person who loves Android and wants to help their fellow Android Freepers. . . There is a need on FreeRepublic. We'd be glad to help you learn the ropes.
M4L Android
I’ll bite, I’m an android enthusiast and FR addict. How hard is it to run a ping list?
First!!!
http://www.theverge.com/2015/8/5/9099627/google-stagefright-android-vulnerability-protect-patch
Stagefright has had trouble getting around Android’s Address Space Layout Randomization protections (commonly known as ASLR). The bug can still be used to trigger unauthorized code — a troubling result under any circumstances — but ASLR system has made it difficult to reliably run any specific piece of code across a range of devices, a difficulty acknowledged by Drake himself.
from Twitter:
Hey guys! Instead of redoing/reproducing my work, why don’t you see if you can bypass ASLR via Stagefright!
— Joshua J. Drake (@jduck) August 3, 2015
Not as easy an exploit on the Android to execute, Ars Technica has lots of hype.
Huge PR hit for Android, and it is speeding up security updates to phones from months to weeks.
If you do start an Android Ping list, please add me to it.
No, Ars Technica doesn't hype. . . they report factual data. Hype is picked up by people who don't know what they are talking about and exaggerate it. An app seeking specific data can run tests across the sandboxes, once they've been breeched, seeking for what they're looking for until they find it. There will not be that many apps running.
This second exploit released yesterday does exactly that. . . combine the two and you have the perfect means of breaking security. The people who came up with it took up Drake's challenge and found it. OOPS.
Yes, it is a huge PR hit for Android, but even worse is that not all Android devices will be updated to patch the vulnerabilities this exploit uses so it will remain in the wild from now on. I have no doubt that future versions of Android will be safe from this exploit, and current Android devices that RUN the patch that eventually gets sent out will be also, but it is dependent on carriers and manufacturers being willing to follow through, and some just are not willing. Other than that, it's dependent on users themselves hearing about it and then finding it and applying it. . . and again some won't hear about it and some who do won't update, being convinced of their devices' current invulnerability.
You have your first list member, ThunderSleeps
link video of this attack being demonstrated without knowing anything out about the target phone. In other words, random target.
That’s the point, sorry if you don’t get it.
Its yet to be demonstrated in a blind attack on a random phone.
Theoretically, if you attack a enormous number of phones you will get a few.
Many exploits are very bad in effect, but the attack success rate is very low. This happens to be one of them.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.