Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

WebView Exploit Affects Most Android Phones

Critical bug affects devices running Jelly Bean (4.2) and earlier Android OSs, including fully updated versions of Google Glass, says Metasploit.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

An exploit for a vulnerability that affects an estimated 70% of all Android devices has been added to the Metasploit open-source penetration testing framework.

The "single-click" Metasploit exploit targets a vulnerability in a WebView component that's used by the native Android browser, although the component can also be used by other apps. Although the vulnerability has been present in some devices for nearly two years, it wasn't publicly disclosed until 14 months ago.

"This vulnerability is kind of a huge deal," said Tod Beardsley, the technical lead for the Metasploit Framework, in a blog post. "I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild."

The underlying privilege-escalation flaw, which involves a Java reflection API vulnerability, exists in versions of WebView prior to 4.2, and results from that component -- in some cases -- allow untrusted JavaScript code to be executed. As a result, an attacker could exploit the flaw to execute arbitrary commands.

[Major sites continue to fall victim to hackers. Read Yahoo Ads Hack Spreads Malware.] 

According to Google, at least 73% of in-use Android devices run version 4.1 or earlier of the mobile operating system.

The Metasploit module was created by Rapid7 developer Joe Vennix and Accuvant Labs security researcher Joshua Drake. Drake reported on Reddit that the vulnerability has been successfully exploited -- via the built-in Android browser -- on pre-4.2 devices, including Google Glass. "I can confirm it not only affects the stock browser but it affects Google Glass in its fully updated form (Android 4.0.4)," said Drake.

According to an attack-demonstration video published by Rapid7, the bug can be exploited by tricking a user into scanning a malicious QR code that includes the attack code, which then triggers the vulnerability in the Android browser and gives the attacker command-shell access to the device.

(Source: Wikipedia)
(Source: Wikipedia)

But the vulnerability can be exploited in other ways, too. "A secondary attack vector involves the WebViews embedded inside a large number of Android applications," says an overview published by Rapid7. "Ad integrations are perhaps the worst offender here." In particular, if an attacker could gain man-in-the-middle access to a vulnerable application's HTML connection, or to the cross-site scripting code used by the application, then the attacker could inject the malicious JavaScript code and gain command-shell access to the device.

How can Android users protect themselves against the vulnerability? That's an open question. "Who do you lean on to get this patched? The big box retailer who sold it to you? The manufacturer of the phone hardware? The cellphone service provider? Google?" said Rapid7's Beardsley. "It may seem a little spurious, but it's a question that's going to be asked by journalists, wonks, and -- hopefully -- consumer protection groups in the coming weeks."

The problem of device manufacturers that ship products with Android installed and then fail to update them in a timely manner led the American Civil Liberties Union to file a complaint with the Federal Trade Commission last year. The ACLU requested that the agency investigate the country's four major wireless carriers for unfair business practices, on the grounds that they hold customers to long-term contracts, yet often fail to keep those customers' devices secure.

Pending patches from handset manufacturers and carriers, what else could be done to arrest these types of vulnerabilities? Cutting down on the fragmentation of the Android ecosystem would be a good start.

On that front, a leaked memo that surfaced Sunday suggests that Google is aiming to prevent handset manufacturers from releasing devices that don't sport the latest version of the Android operating system, Mobile Bloom News first reported.

Google's carrot -- and stick -- for handset makers is that by using the latest version of Android, their devices will have access to Google Mobile Services (GMS), meaning the Google Services Framework and Google Play Store.

Or in the words of the memo: "Starting February 2014, Google will no longer approve GMS distribution on new Android products that ship older platform releases. Each platform release will have a 'GMS approval window' that typically closes nine months after the next Android platform release is publicly available. (In other words, we all have nine months to get new products on the latest platform after its public release.)"

That push for handset vendors to build the latest, or at least a very recent, version of Android into their devices would carry information security benefits, too, because newer versions of the operating system include patches for a number of well known vulnerabilities.

That said, Google still faces an uphill battle when it comes to getting device manufacturers to issue timely security updates -- or in some cases, any patches at all -- for devices they have already sold.

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Number 6
50%
50%
Number 6,
User Rank: Apprentice
2/20/2014 | 2:16:52 PM
Re: Android's uphill battle
They already have your money and unless you root your phone, they're in full control. Samsung seems more interested in updating its Push Service, whatever that does.
Number 6
50%
50%
Number 6,
User Rank: Apprentice
2/20/2014 | 2:15:21 PM
Re: 93 weeks?
I haven't seen these companies, other than antivirus/firewall manufacturers, saying they put security first. It's like when car companies didn't want to advertise safety features because they feared the ads would remind drivers that their cars could crash. Volvo showed them that safety sells. But so far Samsung, Apple, ATT, Verizon, etc don't sell security except for your house. Irony noted.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
2/19/2014 | 4:59:51 PM
93 weeks?
Has this vulnerability really been left untended for 93 weeks? That's a pretty dismal response from companies that claim to put security first.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/19/2014 | 4:59:41 PM
Android's uphill battle
 You would think device manufacturers would know that timely patching is critical to the success of their products. Or am I missing something? 

 
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.