Android Security Hole of the Week: Researchers ID New, Severe DoS Attack
Google to patch Android DoS exploit
This week's Android security hole of note is a newly discovered flaw in all versions of Google's Android OS that could let Bad Guys execute Denial of Service (DoS) attacks and disable users' smartphones and tablets in two minutes or less.
The "previously unknown" exploit was identified by a handful of Italian professors and security researchers representing the Artificial Intelligence Laboratory at the University of Genoa, Italy, and it supposedly "allows a malicious application to force the system to fork an unbounded number of processes…thereby mounting a Denial-of-Service (DoS) attack that makes the device totally unresponsive. Rebooting the device does not necessarily help as a (very) malicious application can make herself launched [sic] at boot-time."
The exploit was tested and verified on a number of devices including Samsung's Galaxy S and Galaxy Tab 7.1, LG's Optimus One and the HTC Desire HD, according to the researchers. The group has reportedly notified Google of the security flaw, and the hole will be patched, using one of the fixes described in the research paper, in an upcoming Android software update.
From the research paper:
"We presented a previously undisclosed vulnerability on Android devices which is the first vulnerability on Android that leads to a DoS attack of this severity. We also developed a sample malicious application, (i.e. DoSCheck) which exploits the vulnerabilities, and we proposed two fixes for securing the Android OS against the vulnerability. We reported such vulnerability to Android security team which will include a patch in an upcoming update of the Android OS. Furthermore, we plan to publicly release both DoSCheck code and patched systems in the very near future, accordingly with a responsible disclosure policy we are discussing with Android group and Open Handset Alliance."
The team offered two fixes: the first checks whether the specific process comes from a legal source, one being the System Server, and the second restricts the permissions on the target socket at the Linux layer.
Google, needing to ensure the bug was fixed as soon as possible, had to use the fix provided in the paper. The Next Web said Google will roll out the fix in future Android OS updates.
Source: The Next Web