1. gizmo21's Avatar
    Android Security Advisory—2016-03-18 | Android Open Source Project

    Anyone know if this is mitigated by PRIVs own anti-rooting kernel enhancements or if BB has to patch this too asap.

    Update: http://support.blackberry.com/kb/art...mber=000038108

    -- Sent from my Palm Pre using Forums
    Last edited by gizmo21; 03-23-16 at 06:54 PM.
    03-21-16 02:13 AM
  2. thurask's Avatar
    Dunno, guessing the latter.
    Superfly_FR likes this.
    03-21-16 02:52 AM
  3. ToniCipriani's Avatar
    The first thing I was thinking is that why hasn't anyone claimed the root bounty on XDA yet.
    03-21-16 05:23 AM
  4. howarmat's Avatar
    it will still need patched even with the safeguards that BB provides
    03-21-16 05:46 AM
  5. donnation's Avatar
    The first thing I was thinking is that why hasn't anyone claimed the root bounty on XDA yet.
    I would guess that it's the effort vs reward. It looks like it's sitting at a little over $1000 which isn't much.
    03-21-16 06:11 AM
  6. Wezard's Avatar
    Wonder if BB will consider this serious enough to invoke the OTA update to All devices.
    Wonder if they will consider it serious enough to issue an immediate security update, or wait for the next 'scheduled' one.
    Interesting to note that the article refers to an April 2, 2016 update

    " Android devices with a security patch level of March 18, 2016 are not vulnerable. Android devices with a security patch level of April 2, 2016 and later are not vulnerable to this issue."

    Wonder if it can even be exploited on BB.

    Guess we'll know soon.
    03-21-16 06:26 AM
  7. ToniCipriani's Avatar
    I would guess that it's the effort vs reward. It looks like it's sitting at a little over $1000 which isn't much.
    Well the bulletin suggests the root app is already in the wild, so I would imagine script kiddies already grabbed it and tried.
    03-21-16 07:00 AM
  8. shabbs's Avatar
    What version is the PRIV kernel?

    FTA: "This advisory applies to all unpatched Android devices on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices. Android devices using Linux kernel version 3.18 or higher are not vulnerable."

    Considering this is in the wild already, I'd say this gets pushed out quickly if PRIV is vulnerable.
    03-21-16 07:16 AM
  9. Uzi's Avatar
    What version is the PRIV kernel?

    FTA: "This advisory applies to all unpatched Android devices on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices. Android devices using Linux kernel version 3.18 or higher are not vulnerable."

    Considering this is in the wild already, I'd say this gets pushed out quickly if PRIV is vulnerable.
    Attached Thumbnails Hotfix Security Patch 2016-03-18 (rooting vulnerablity)-1458562759554.jpg  
    shabbs and Superdupont 2_0 like this.
    03-21-16 07:19 AM
  10. shabbs's Avatar
    Thanks usman_hidayat19 - I should have known where to find that. Heh. So the PRIV does fall into the category. Curious if it can actually be exploited considering the added security measures.
    03-21-16 07:40 AM
  11. crucial bbq's Avatar
    The first thing I was thinking is that why hasn't anyone claimed the root bounty on XDA yet.
    because...

    I would guess that it's the effort vs reward. It looks like it's sitting at a little over $1000 which isn't much.
    Beat me to it.

    Well the bulletin suggests the root app is already in the wild, so I would imagine script kiddies already grabbed it and tried.
    Procedures vary by device. If someone were to exploit an LG G4, that same exploit might not work on the G5. Or Priv.

    Thanks usman_hidayat19 - I should have known where to find that. Heh. So the PRIV does fall into the category. Curious if it can actually be exploited considering the added security measures.
    I'm on Verizon. *hoping Verizon takes their sweet time as usual...
    03-22-16 12:26 AM
  12. gizmo21's Avatar
    Android devices with a security patch level of March 18, 2016 are not vulnerable.
    So a hotfix patched device will get an updated "security patch level" date in the "About"-screen, and this particular one will be "March 18, 2016" compared to the now on PRIV available level "March 1, 2016".


    Wonder if BB will consider this serious enough to invoke the OTA update to All devices.
    Wonder if they will consider it serious enough to issue an immediate security update, or wait for the next 'scheduled' one.
    That's what BB always said they will have Android Monthly Security Updates, Hotfixes, Enterprise-Managed Updates: Managing Android Security Patching for PRIV | Inside BlackBerry
    Hotfix

    Some critical Android vulnerabilities – for example, one that can be easily and remotely exploited with a publicly disclosed method to execute “root” privileged malware – simply can’t wait for a monthly update cycle. Depending on the severity of the problem, complexity of the fix, and timing relative to the monthly update cycle, BlackBerry will opt to perform a hotfix, where the code to address only the specific critical problem is pushed to customers. Because a hotfix is typically limited in scope, the balance between a longer testing and approval process and the risk from the critical flaw makes this approach an important addition to helping keep users safe and secure. While BlackBerry will work with its go-to-market partners on approval and delivery of hotfixes, BlackBerry has the ability to directly patch all PRIV variants and will do so when necessary to protect users and enterprises.
    "Rooting" is named there explicitly.
    03-22-16 02:36 AM
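
The check this thread keeps circling (kernel branch plus the "security patch level" date from the About screen), written out as an added example that is not part of any post. The function name `advisory_status` is hypothetical; it assumes the kernel release comes from `uname -r` and the patch level from the `ro.build.version.security_patch` property, and it follows only the advisory sentences quoted above.

```shell
#!/bin/sh
# Added example: classify a device against the advisory text quoted in this thread.
# advisory_status is a hypothetical helper name. Arguments:
#   $1  kernel release, as printed by `uname -r`
#   $2  security patch level (YYYY-MM-DD), as printed by
#       `getprop ro.build.version.security_patch`; may be empty on older builds
# Typical call from a workstation:
#   advisory_status "$(adb shell uname -r)" \
#                   "$(adb shell getprop ro.build.version.security_patch)"
advisory_status() {
    as_kernel=$1
    as_level=$2

    # 1. Patch level: the advisory names exactly two safe cases,
    #    "March 18, 2016" and "April 2, 2016 and later".
    case $as_level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            as_n=$(printf '%s' "$as_level" | tr -d '-')
            if [ "$as_level" = "2016-03-18" ] || [ "$as_n" -ge 20160402 ]; then
                echo "patched"
                return 0
            fi
            ;;
    esac

    # 2. Kernel branch: take major.minor from the release string.
    as_major=${as_kernel%%.*}
    as_rest=${as_kernel#*.}
    as_minor=${as_rest%%[!0-9]*}
    case $as_major in ''|*[!0-9]*) echo "unknown-kernel"; return 0 ;; esac
    case $as_minor in '') echo "unknown-kernel"; return 0 ;; esac

    # "kernel version 3.18 or higher are not vulnerable"
    if [ "$as_major" -gt 3 ] || { [ "$as_major" -eq 3 ] && [ "$as_minor" -ge 18 ]; }; then
        echo "kernel-not-affected"
        return 0
    fi

    # "kernel versions 3.4, 3.10 and 3.14" are the affected branches.
    case $as_major.$as_minor in
        3.4|3.10|3.14) echo "vulnerable-unpatched" ;;
        *)             echo "kernel-not-listed" ;;
    esac
}
```

A result of `vulnerable-unpatched` only means the device matches the advisory's stated scope; it says nothing about vendor hardening, which is the open question in this thread.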
  13. Uzi's Avatar
    So a hotfix patched device will get an updated "security patch level" date in the "About"-screen, and this particular one will be "March 18, 2016" compared to the now on PRIV available level "March 1, 2016".




    That's what BB always said they will have Android Monthly Security Updates, Hotfixes, Enterprise-Managed Updates: Managing Android Security Patching for PRIV | Inside BlackBerry


    "Rooting" is named there explicitly.
    I guess this time we will see BlackBerry action or talk only.
    03-22-16 02:44 AM
  14. Wezard's Avatar
    Correct me if I'm wrong, but BB is using a hardened kernel, so it's not your basic 3.10. It may be invulnerable to this one, and a hot patch may not be needed.

    If a Priv were shown to be exploited this early, it would be a huge black eye for BB, so I'm willing to give BB the benefit of doubt. I'm also willing to change my mind if anybody has evidence to the contrary.

    Also still wondering about the reference to an April 2 patch.
    " Android devices with a security patch level of March 18, 2016 are not vulnerable. Android devices with a security patch level of April 2, 2016 and later are not vulnerable to this issue."
    Does that mean that an April 2 patch is out there somewhere? Or that the next patch will be released on April 2, and the fix will be in it? I've never known them to announce in advance when a patch will be released. ( Not that I really keep up with it )
    03-22-16 04:53 AM
  15. ToniCipriani's Avatar
    because...

    Beat me to it.

    Procedures vary by device. If someone were to exploit an LG G4, that same exploit might not work on the G5. Or Priv.

    I'm on Verizon. *hoping Verizon takes their sweet time as usual...
    I think that was the original question... if the exploit applies to the Priv in light of all the security changes.
    03-22-16 05:12 AM
  16. howarmat's Avatar
    we will never know really but it will be applied in the monthly update anyway so i wouldn't bother worrying at all
    03-22-16 05:28 AM
  17. dpeters11's Avatar
    Looks like a mitigation is that you would need to disable Verify Apps and allow install of apps from outside the Play Store.

    But we really don't know if the Priv is actually affected with its extra hardening to the bootloader and kernel.
    03-22-16 07:56 AM
  18. Wezard's Avatar
    Don't think anybody here is worried, just curious.
    The device owner would have to really try in order to be exploited.
    03-22-16 09:22 AM
  19. dpeters11's Avatar
    Google says that this will be included in the April update, scheduled for release on April 2. So IF the Priv is affected, at worst it will be patched once devices get that update.
    03-22-16 01:06 PM
  20. IEatBlackBerries's Avatar
    How do we get the root app to check if Priv is exploitable or not???
    03-22-16 01:29 PM
  21. anon(2325196)'s Avatar
    Can't exploit my PRIV. Guaranteed.

    Posted via the CrackBerry App for Android
    03-22-16 02:19 PM
  22. anon(2325196)'s Avatar
    If somebody wanted to "exploit" my PRIV they would have to find me first, kill me, and even then they probably still couldn't exploit it.

    Posted via the CrackBerry App for Android
    03-22-16 02:21 PM
  23. shabbs's Avatar
    Got a notice for an update this morning... 20.9MB... wonder if it's this hotfix? Rebooting now...

    Seems to be as per other threads in the PRIV forum. Security date is upped to April 2nd, 2016.

    Check yer phones!
    Superfly_FR and gizmo21 like this.
    03-23-16 07:23 AM
  24. shabbs's Avatar
    My about phone after the update:

    Hotfix Security Patch 2016-03-18 (rooting vulnerablity)-priv.jpg

    Security patch date: April 2, 2016
    Build: AAE298
    03-23-16 07:49 AM
  25. Wezard's Avatar
    Had to do a check for update, something's there 20.9Mb - Taking a while to install

    -
    Well that took a long time, and ate 40% of my battery, didn't get anywhere hot though, only slightly warm.

    Now same as screen shot above, shabbs
    Last edited by Wezard; 03-23-16 at 08:08 AM.
    03-23-16 07:54 AM