
List:       isn
Subject:    [ISN] Beware of employees' cheap Android phones
From:       InfoSec News <alerts () infosecnews ! org>
Date:       2014-02-21 7:22:11
Message-ID: alpine.DEB.2.02.1402210721550.6908 () infosecnews ! org

http://www.csoonline.com/article/748548/beware-of-employees-cheap-android-phones

By Antone Gonsalves
CSO Online
February 20, 2014

An Android vulnerability known since 2012 has recently been found to be 
more serious than previously thought, particularly in phones that cost 
less than $150.

When first discovered, the vulnerability in the WebView class, which is 
used to embed a browser component to display online content in an app, was 
thought to require an ongoing man-in-the-middle attack to be exploited. 
Security vendor Rapid7 recently found that not to be the case.

Researcher Joe Vennix found that the vulnerability in Android versions 
below 4.2, which is early Jelly Bean, could be exploited by clicking on a 
link in a text message, which would send the recipient to a malicious 
website. At that point, the attacker could throw up whatever Web page they 
like, while JavaScript is downloaded in the background to exploit the 
vulnerability.

"In our exploit, it's just a blank page. There's nothing there," Tod 
Beardsley, engineering manager at Rapid7, said. "But by the time you hit 
the blank page, the gears are in motion."

[...]



--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/