And nobody considered...
...a lock screen that crashes to the home screen might not be the best of architectures?
If you've got an Android 5 smartphone with anything but the very latest version of Lollipop on it, it's best to use a PIN or pattern to secure your lock-screen – because there's a trivial bypass for its password protection. The vulnerability, details of which were published here by University of Texas researchers on Tuesday, …
Seriously... Sensitive security processes like that should take the kernel with it if it crashes and force the device to reboot. Any time a process like that crashes, then it should be assumed that the whole OS is compromised. Besides, a buffer overflow like this could be used as a handy code-injection method, especially since it'd be running under root and all...
Even NT4 would do that (if lsass.exe crashed, the system would immediately bluescreen)
It took a lot more than 32 characters - in the video, copy & paste are used to repeatedly double the password length. It starts with 10 characters, then gets doubled 10 times in the dialler, (an eleventh attempt is abandoned - it isn't copied), which makes 10240 characters. Then this is pasted four times into the password entry field, so the total is 40960 characters. I expect someone even more pedantic than me will correct me if I've miscounted.
Obviously it's stupid to allow entry of so many characters, so I'll join you on the Guinness.
Security issues happen; it's about how you handle it, not about its existence.
The only difference being, Apple fixed it in 1-2 days with an update, whereas Android needs months to bring all their users to that update via the carriers who hold back on them.
Isn't it fun to own an Android device :D
Unfortunately Google gave other manufacturers a nice phone OS to use for free, with very little tie-in... In hindsight it might have been better to have a little more control, such as enforcing timely upgrades for at least a couple of years after a phone model stops being sold. They didn't, and Android as a whole cops the bad press, when the delay is with the OEMs.
But that's hindsight for you... Reality is get a Nexus, and get updates, or go to HTC/LG/Samsung etc, and hope.
"...Most Android users don't get security patches however long they wait...."
Beat me to it. Samsung Galaxy Note 3 with 5.0 shoehorned onto it. As much as Apple can be castigated for, they do at least push out updates in a timely fashion.
It's time Google did the same for the underlying OS. Indeed, isn't it time we all had a simple, centralised, way to put a bare-bones OS on?
I've had both iPhones in the past and now Android - luckily I am a light-weight user so can hop between pretty much anything I fancy as long as it covers very basic bases.
>It's time Google did the same for the underlying OS
Why blame Google for the shortcomings of your phone manufacturer? I think the poster who recommended getting a Nexus nailed it, at least for Android. Time to vote with your wallet and abandon manufacturers who can't be bothered to issue patches in due time. Or get cyanogen phones if the manufacturers commit to patching quickly.
Much as Google deserves some criticism, seems they can't win. If they are pushy, then they are Apple-bad control freaks. If they allow the vendors too much leeway, then it's their fault, not Samsung's (just to take an example).
For the techies at least, it seems obvious that having a non-patching vendor is not a good thing. Buy somewhere else, don't throw money at the lazybone patch-by-buying-new-phone vendors.
The word is PROBABLY, you semi-literate, ill-educated, fucktard!
Shibboleth rant of the day!
(Personally, I'm happy to overlook "prolly" as a stylistic fillip. It's the homophone errors - its/it's, of/have, etc - that generally irk me. But I do enjoy the occasional usage flame regardless.)
K&R should be burning in hell for their stupidity.
Well. You make Poul-Henning Kamp seem the very soul of reason by comparison.
That doesn't happen here but the default on this LG is to activate the camera, while locked, press volume up & down, that does it. Or it used to. I whacked that setting while I went spelunking after the vulnerability was announced.
I haven't rooted it yet. I really should since more than a few paid applications need it. Right now I'm just playing with it as is. Pretty nice tablet actually.
Buffer overflows are *the* reason why use of C or C++ for anything remotely security-sensitive should be punished by whipping.
And yes, I know that "correct" use of safe strings mitigates it. But that approach relies on programmers always doing the right thing. Which, as human beings, they are unlikely to do.
Indeed, they can afford a code review or two. And they have a code review process.
And still there are buffer overflows. Which just reinforces my point - if even Google can't avoid shooting themselves in the foot with C (++), what does that say about the language?
C / C++ should be taken out back and shot. It's time to stop using them.
I don't know what language you're competent in, but check the diff first before posting the usual "C/C++ is the root of all evil" kneejerk reaction...
https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590
By the way, it's a pretty shoddy framework that takes "no limit" to mean "shit all over the memory if it's too long".
"check the diff first "
I decided to, and noticed the date: Tue Jul 21 13:27:22 2015 -0700
So Google have kept hush about this while knowing about it for a couple of months. I wonder if they have put any effort at all into getting older devices patched. i.e. did they tell their hardware partners about it?
It's fucking Google, they can afford a code review or two.
They can also afford to sit down and think of an update mechanism for Android N that actually works.
But...but....everyone knows that the chocolatey company hires the best talent that individually know more than everyone else combined, ever! I mean...look at their recruiting video...what was it called now...? Had Vince somebody in...The Internship or something? </sarcasm>
Buffer overflows are *the* reason why use of C or C++ for anything remotely security-sensitive should be punished by whipping.
It's certainly far too easy to overflow a buffer in C, and I'd support your whipping motion there.
Don't lump C++ in with C here, though. In C++, when it is used properly, string handling is performed at a higher level that absolves the programmer from any direct manipulation of data buffers and eliminates the possibility of a buffer overflow.
Unfortunately, there are a lot of bad C++ programmers who still think in C.
"It's certainly far too easy to overflow a buffer in C"
Which is why competent C programmers didn't allow it to happen.
"Unfortunately, there are a lot of bad C++ programmers who still think in C."
No, there are just a lot of bad C++ programmers. Those good ones who still think in C wouldn't touch ++ with a bargepole.
What is it about buffer overflow that makes it the WTF for pretty much every OS
Back when everyone was coding in C, we all knew about buffer overflows. You got slapped for writing code that was susceptible to it.
Now, of course, everyone uses more "modern" languages that aren't susceptible to such things. Except, of course that they are - the overflow merely manifests itself in a different manner. But by convincing the newcomer programmers that they don't have to worry about buffer writes by virtue of the language they're using, we have created a large problem where previously it was tiny...
TL;DR: Complacency kills.
Vic.
I'm running 5.0.1 and it limits my characters for password input. If you just pound at the keyboard it'll only allow a max of 12 characters, not sure why but that's me. The copy and paste attempt doesn't crash my phone so I don't know if TouchWiz has been set up slightly differently?
I've just tried this on my Note 3, and it doesn't work there either. I don't have the background camera app enabled by default but I turned it on for this and it made no difference, so I assume that Samsung have (presumably inadvertently) fixed this bug during their Touchwiz-ification process. Just as well, really, as it's unlikely Samsung would issue a fix.
Could other Reg readers with different varieties of mudblood Android give it a go and let us know how it works? From his bug report I suspect that it might only work on pure Android devices, which are of course the most likely to be patched.
Samsung SIIx(t989) - CM 5.1.1 (Tesla kit) - not affected
a) no cut and paste on the password screen so my numbers are ..... rough - but at ~36k characters with camera running it did not crap out - that took 11 minutes with 'faked' bluetooth keyboard device to generate the string
b) interestingly - from the logs, CM *might* be throwing the characters after the 257th is typed, will try again later with more time on my hands and an improvement to the fake keyboard script.
You'll need access to the physical device, obviously. And enough time to type/paste in that long string.
But any ne'er-do-well will have all the time in the world once your device's been blagged...
I'm using PINs on all my devices. Wonder if these are also susceptible to these kinds of shenanigans and ne'er-do-well tomfoolery?
Bleh.
No, really.
After the latest improvements to an OS or program have been tested and approved, it should be installed on devices and handed off to a crew of the most tech clueless people they can find, and let them use it.
Guaranteed they'll uncover all sorts of flaws like this, because they'll be trying to use it the way they want/believe it works, and not "the way it's designed to" that in house testers familiar with the process usually test it.
Not trying to downplay the severity of this, but is it actually a C-style memory-corruption buffer overflow?
The patch to fix it just adds a maxLength to an XML file describing a screen layout. Maybe the lock screen just runs out of memory and is killed. There are plenty of badly written webapps that would crash if you put too long a string into an input field, but you're not exploiting a buffer overflow by doing that.
but I have an app that allows you to choose between three password types
Standard
Shapes
Colours
Shapes and colours can also be mixed (so you could have red triangle, green square, blue hexagon, pink flower, orange sun for example)
Now, I'm autistic and I find random character strings (or even words partially composed of letter-esque symbols) almost impossible to memorise, which is why many of my passwords are identical (not exactly the safest person on Earth).
I do, however, find colours and shapes easy and I'm sure I can't be alone in this. I just don't understand WHY after so many years companies still require people to use traditional alphanumeric passwords…?
Show me a string of 8 (for example) random characters and ask me to recall them say 30m-1hr - or longer - later, and I'd struggle; show me a string of 8 colours, 8 shapes or 8 coloured shapes, and I'd have very little difficulty. I struggle to recall words, my mind is very visual; I can recall faces, or what someone was wearing the last time I saw them, but names…?! Forget it. Same with LPs. Unless it's a band I know intimately, I recall LPs by the art's main colour or image, rather than its name, which is difficult when some (New Order spring instantly to mind) dispense with art altogether. Least with NO it wasn't on every release!