New Bug Leaves Over a Billion Android Devices Vulnerable (And Unpatchable)

A vulnerability affecting over a billion Android devices was disclosed recently under the name CVE-2014-7911. It was discovered by security researcher Jann Horn.

It allows an attacker to bypass the Address Space Layout Randomization (ASLR) defense layer. ASLR helps protect against buffer overflow attacks; once it is out of the way, the attacker can, under certain circumstances, run arbitrary code on the device.

When asked how he discovered the bug, Jann said:

“There was a talk at university about a vuln[erability] in a PHP web app that involved de-serializing attacker-provided input data, which got me thinking about serialization in other contexts. I already knew that Java ensures that the classes used are actually serialized and that untrusted inputs are therefore sometimes given to ObjectInputStream, and I figured that the android dev[eloper]s might have forgotten the check given that they had to re-implement all this stuff and that you’d never run into this bug during normal testing as long as the check in ObjectOutputStream works properly. Went home, checked, the vuln[erability] was there.”

It appears there is no way to patch this vulnerability on devices running Android versions 4.4.4 and lower. When asked whether he could think of any way to mitigate it, besides using CyanogenMod, Jann replied: “I can’t think of anything apart from binary patching.”

Therefore, unless you like to fiddle with your device’s firmware and are willing to risk “bricking” it, you might just have to accept it, or hope that an Android 5.0 update will come to your device eventually.