Android Cookie Jar

Android browser found to leak data


3 October 2014

A security researcher has found another flaw in the Android browser that a cybercriminal could use to steal sensitive data.

The latest same-origin policy (SOP) bypass vulnerability is the second found by researcher Rafay Baloch, who reported the first, CVE-2014-6041, last month.

The vulnerability lies in how JavaScript is handled by the Android browser function responsible for loading frame URLs. The SOP is supposed to prevent JavaScript from one web page from accessing content belonging to another page.

However, the flaw lets that barrier be bypassed, so an attacker can read the content of browser tabs when the user visits a page the attacker controls.
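To make the barrier concrete, the following is an added example, not code from the article or from the browser in question, showing the rule a browser applies when it decides whether a frame and the page embedding it share an origin: scheme, host and port must all match, with default ports treated as equal to an omitted port. The URLs and frame list are constructed sample data, and the function names are my own.

```javascript
// Added example (not from the article): how a browser decides whether two
// URLs share an origin under the same-origin policy. Two documents are
// same-origin only when scheme, host and effective port all match; a frame
// from another origin must not be able to read the embedding page's DOM,
// cookies or script state.

// Default ports, so "http://a.example" and "http://a.example:80" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple (scheme, host, effective port).
function originOf(urlString) {
  const u = new URL(urlString); // WHATWG URL parser, built into Node and browsers
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// True only when every component of the origin tuple matches.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Given the top-level document URL and the URLs of its frames, report which
// frames the policy must isolate from the embedding page.
function classifyFrames(topUrl, frameUrls) {
  return frameUrls.map((f) => ({
    frame: f,
    sameOrigin: isSameOrigin(topUrl, f),
  }));
}

// Constructed sample: a page on bank.example embedding several frames.
const SAMPLE_TOP = "https://bank.example/account";
const SAMPLE_FRAMES = [
  "https://bank.example/widgets/balance", // same origin: may share DOM
  "https://bank.example:443/help",         // explicit default port: still same origin
  "http://bank.example/promo",             // scheme differs: cross-origin
  "https://ads.example/banner",            // host differs: cross-origin
  "https://bank.example:8443/legacy",      // port differs: cross-origin
];

for (const r of classifyFrames(SAMPLE_TOP, SAMPLE_FRAMES)) {
  console.log(`${r.sameOrigin ? "same-origin " : "cross-origin"}  ${r.frame}`);
}
```

A SOP bypass of the kind described in the article is, in effect, a case where a browser lets script run against the first group of frames' privileges while actually belonging to one of the cross-origin ones; the check itself is simple, which is why defects tend to sit in the code paths that load or navigate frames rather than in the comparison.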

“The POC is very easy to understand for individuals having some JavaScript background,” Baloch said in his blog.

Google no longer supports the Android browser, which it has replaced with Chrome in Android 4.4. However, the company told ThreatPost, the Kaspersky Lab blog, that a patch was released for Android 4.1-4.3. Users of older versions are apparently out of luck.

The vulnerability is a “major issue,” Ted Eull, vice president of mobile services for security vendor viaForensics, said.

“Because the browser was included by default on many devices pre-KitKat (version 4.4), there are potentially hundreds of thousands of affected users,” he said.

Victims

Phones that are likely vulnerable include the Samsung Galaxy S3, the Samsung Galaxy Note 2, the LG Optimus G, the LG G2 and the Motorola Droid RAZR, Eull said.

viaForensics is advising customers to download either Chrome or Firefox from the Google Play store and use it as the default browser. People should uninstall the Android browser if their device lets them.

While Chrome and Firefox sometimes have their own vulnerabilities, “they are very actively updated and generally patched quickly when security issues are discovered,” Eull said.

Security experts have criticised wireless carriers for failing to work with device manufacturers in pushing out Android updates and patches quickly in order to protect customers.

But in the last couple of years, there has been a significant improvement, Jeremy Linden, senior security product manager at Lookout, said. People with popular phones from major manufacturers, such as Samsung and Motorola, are getting updates regularly.

However, people with older, less popular phones are unlikely to receive updates and will have to upgrade if they are worried about security, experts say.

CSO Online


TechCentral.ie