Have you updated to 4.4(Kitkat) yet? If not, now may be the time! A critical code-execution vulnerability has been found, that can affect the lower versions of the popular operating system. This vulnerability was disclosed to the Android Security team back in September by IBM researchers, and was patched in Android version 4.4 immediately. They have just now released the information to the public.
Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure,” stated Roee Hay, a security research group leader at IBM.
According to their blog, the team at IBM discovered a stack-based overflow vulnerability in the Keystore service, which stores and secures a device’s cryptographic keys. If taken advantage of, a device could be taken over completely, compromising any data, such as a device’s lock-screen credentials, encrypted and decrypted master keys, data and hardware-backed key identifiers from the memory. Not only that but a hacker could gain the ability to carry out cryptographic operations like the signing of data on behalf of the users. The team at IBM states that while this is a definite vulnerability, exploiting it is not exactly simple. The only way to exploit it is with a malicious app. That app would have to bypass Android’s DEP ad ASLR protection features, as well as the stack canaries and the encoding.
According to their developer site, it is believed that only about 14% of all Android users have upgraded from 4.3(Jelly Bean) to 4.4(Kitkat), which leaves the other 86% vulnerable.