List: isn
Subject: [ISN] Beware of employees' cheap Android phones
From: InfoSec News <alerts () infosecnews ! org>
Date: 2014-02-21 7:22:11
Message-ID: alpine.DEB.2.02.1402210721550.6908 () infosecnews ! org

http://www.csoonline.com/article/748548/beware-of-employees-cheap-android-phones

By Antone Gonsalves
CSO Online
February 20, 2014

An Android vulnerability known since 2012 has recently been found to be
more serious than previously thought, particularly in phones that cost
less than $150.

When first discovered, the vulnerability in the WebView class used to
embed a browser component to display online content in an app was thought
to require an ongoing man-in-the-middle attack to be exploited. Security
vendor Rapid7 recently found that not to be the case.

Researcher Joe Vennix found that the vulnerability in Android versions
below 4.2, which is early Jelly Bean, could be exploited by clicking on a
link in a text message, which would send the recipient to a malicious
website. At that point, the attacker could throw up whatever Web page they
like, while JavaScript is downloaded in the background to exploit the
vulnerability.

"In our exploit, it's just a blank page. There's nothing there," Tod
Beardsley, engineering manager at Rapid7, said. "But by the time you hit
the blank page, the gears are in motion."

[...]

--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/