Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Android 4.3 and Earlier affected by Critical Code-Execution Flaw

A serious code-execution vulnerability in Android 4.3 and earlier was patched with latest KitKat Android Operating System version. Are you using the Android 4.3 version and you are convinced to be secure? You are unfortunately wrong, because this version of Android and earlier are affected by a critical code-execution vulnerability. According to data proposed by the Android […]

Android 4.3 and Earlier affected by Critical Code-Execution Flaw

A serious code-execution vulnerability in Android 4.3 and earlier was patched with latest KitKat Android Operating System version.

Are you using the Android 4.3 version and you are convinced to be secure? You are unfortunately wrong, because this version of Android and earlier are affected by a critical code-execution vulnerability.

An attacker can theoretically exploit the vulnerability in the Android 4.3 and earlier versions with a malicious application, but as explained by the experts at work exploit is hard to realize due to the presence of numerous difficulties likes the need to to bypass memory-based protections native to the operating system, including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
The Data Execution Prevention is an exploit mitigation that is used to prevent execution of malicious code, but the attackers have had success to bypass it using the Return Oriented Programming (ROP) attacks. The ASLR is used to mitigate buffer overflow attacks randomizing the memory locations used by system files and other programs, implementing this technique it is hard to guess the location of a given process.

“However, the Android KeyStore is respawned every time it terminates. This behavior enables a probabilistic approach; moreover, the attacker may even theoretically abuse ASLR to defeat the encoding” states the post.

The experts confirmed that they haven’t seen the flaw being exploited in the wild yet.
Currently Google is distributing the Android KitKat 4.4.4 with build number KTU84P (branch kitkat.-mr21-release), the new update was mainly issued to fix the CCS Injection Vulnerability (CVE-2014-0224).
Don’t waste time update your device when new version will be available for your mobile.

Pierluigi Paganini

(Security Affairs –  Android 4.3,Code-Execution Flaw)