Wednesday, November 18, 2015

Android: new major vulnerability in Chrome – ZDNet France

Last week, Google held in PacSec conference in Tokyo its bug bounty MobilePwn2Own: during this type of event organized regularly by the society, cybersecurity researchers can attempt to defeat the security measures taken up by Google on its various products. And this year was an opportunity for a researcher of Qihoo 360 company to shine: it has indeed presented a flaw, 0day, so unknown to the editor, able to execute malicious code on the terminal.
 

The details of the flaw have yet been made public, to let Google time to propose a fix for its software, but some information is known. It exploits a flaw in the V8 JavaScript rendering engine used by Chrome and other browsers including Opera.

As reported by The Register, the demonstration given by the researcher Guang Gong especially easy to operate: when the user visits a website trapped by the exploit developed by the researcher, just opening the page allows the attacker to execute code on the target machine. As part of the demonstration, and the researcher is able to install an application on the target phone, without requiring any special interaction from the user in addition to the simple opening of the page. The fault can then allow the attacker to take control of the unit.

 The demonstration was carried out on a Nexus phone S6. The vulnerability still affects the JavaScript rendering engine of Chrome, leaving the researcher suggests that it is able to work on all smartphones using this browser. Google promises a fix shortly to address the problem. The most worried can fall back on another browser, preferably those having recourse to another rendering engine other than the one used by Chrome.

LikeTweet

No comments:

Post a Comment