Another Android Vulnerability to be Discovered

New vulnerability is called Man-in-the-Disk; popular apps are vulnerable
14 August 2018

Cyber security specialists from Check Point have revealed a new type of attack called Man-in-the-Disk (MitD), which exploits weaknesses in how Android applications manage external storage. The mobile versions of the translators from Google and Yandex are vulnerable, as is the popular browser from Xiaomi.

How does Man-in-the-Disk work?
According to the researchers, the MitD attack is possible for several reasons. First, every application on Android can read data that another program has stored in external storage. Secondly, most applications ask the user for permission to work with storage, and users usually agree without thinking about the possible risk.

Check Point employees were able to recreate two versions of Man-in-the-Disk:

  1. The first variant tampers with the target application's files by placing malicious data in external storage. This causes an error in the program and opens the way for further malicious actions. In addition, this type of MitD lets the attacker obtain the permissions the victim application already had, without any additional steps.

  2. The second variant of the attack replaces the temporary update files that applications store in external storage before they are installed. An attacker can thereby force the program to install a malicious version of itself or third-party malware.

Which applications are vulnerable to attack?
The vulnerable applications include Google Translate, Google Voice Typing, Yandex Translate and Yandex Search, as well as Xiaomi Browser. It is noteworthy that the solutions from Google and Xiaomi are pre-installed on a large number of Android devices.

How to defend yourself?
Check Point experts say that application developers, including Google, do not follow security practices such as the Android security guidelines. They recommend the following protections against Man-in-the-Disk:

  • Perform input validation when processing files from external storage;
  • Do not store executable files or classes in external storage;
  • Sign files kept in external storage and cryptographically verify them before dynamic loading.
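The three recommendations above translate into a small amount of app code. The helper below is an added example written for this article; it is not Check Point's code and not code from any of the named vendors. It assumes an Android app on API 26 or later (for java.nio.file and java.util.Base64), a detached RSA signature stored next to the file as `name.sig`, and a developer public key compiled into the APK at the placeholder `PINNED_PUBLIC_KEY_B64`. The point it demonstrates is that the file is first copied out of world-readable external storage into the app's private directory and only then verified and used, so another app holding the storage permission cannot swap the bytes between the check and the use.

```java
import android.content.Context;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/**
 * Illustrative helper (added example, not vendor code): import a file that was
 * placed in external storage into app-private internal storage and verify a
 * detached RSA signature against a key pinned in the APK before the file is used.
 * Only the internal copy is ever verified or loaded.
 */
public final class ExternalFileVerifier {

    // Placeholder: replace with the Base64 of the DER-encoded (X.509 SubjectPublicKeyInfo)
    // developer public key. It is compiled into the app, never read from external storage.
    private static final String PINNED_PUBLIC_KEY_B64 = "<BASE64_X509_PUBLIC_KEY_PLACEHOLDER>";

    private ExternalFileVerifier() {}

    /**
     * Copies {@code name} and {@code name.sig} from the app's external-storage directory
     * into internal storage and verifies the signature there.
     *
     * @return the verified file inside internal storage
     * @throws GeneralSecurityException if the signature does not match the pinned key
     */
    public static File importAndVerify(Context context, String name)
            throws IOException, GeneralSecurityException {
        File externalDir = context.getExternalFilesDir(null);
        if (externalDir == null) {
            throw new IOException("external storage not available");
        }
        File untrustedData = new File(externalDir, name);
        File untrustedSig = new File(externalDir, name + ".sig");

        // Internal storage is private to this app's UID: copy first, check second.
        File privateDir = new File(context.getFilesDir(), "verified");
        if (!privateDir.isDirectory() && !privateDir.mkdirs()) {
            throw new IOException("cannot create " + privateDir);
        }
        File data = new File(privateDir, name);
        File sig = new File(privateDir, name + ".sig");
        Files.copy(untrustedData.toPath(), data.toPath(), StandardCopyOption.REPLACE_EXISTING);
        Files.copy(untrustedSig.toPath(), sig.toPath(), StandardCopyOption.REPLACE_EXISTING);

        if (!verifyDetachedSignature(data, sig, loadPinnedKey())) {
            // Remove the private copy so nothing downstream can pick it up by accident.
            data.delete();
            sig.delete();
            throw new GeneralSecurityException("signature check failed for " + name);
        }
        return data;
    }

    /** Verifies an RSA/SHA-256 detached signature over the full contents of {@code data}. */
    static boolean verifyDetachedSignature(File data, File sig, PublicKey key)
            throws IOException, GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(Files.readAllBytes(data.toPath()));
        return verifier.verify(Files.readAllBytes(sig.toPath()));
    }

    /** Decodes the pinned key; fails loudly if the placeholder has not been replaced. */
    private static PublicKey loadPinnedKey() throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(PINNED_PUBLIC_KEY_B64);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }
}
```

The caller would then load or parse only the `File` returned by `importAndVerify`, never the original path under `getExternalFilesDir`. The same copy-then-verify ordering applies to update packages that the second MitD variant targets: an update staged in external storage should be moved into internal storage and verified there before any install intent is fired.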

In addition, the Check Point team believes that Android security should be strengthened at the system level rather than in individual applications. Only low-level protection can prevent attacks of this kind, the company believes.

After discovering the attack, the experts sent letters to Google and Xiaomi describing the problem. Google responded quickly and has already released security updates for the vulnerable applications, while Xiaomi chose not to reply to the researchers' letter.

Oracle Announces Java SE 11 and Java Development Kit 11

As reported, support for Java 8 will end in December 2020, and Java 10 won't receive any updates
27 September 2018

Oracle developers announced the release of the Java SE 11 standard and its JDK (Java Development Kit) implementation, with long-term support running until 2026. It is fully compatible with previous versions. Support for Java 8 will end in December 2020, and Java 10 won't receive any further updates.

New in Java SE 11

  • Nest-Based Access Control implemented.
  • The .class format gains support for CONSTANT_Dynamic constants, whose creation is delegated to a bootstrap method.
  • Added support for the latest version of the Transport Layer Security protocol, TLS 1.3. It speeds up page loading, including on mobile, and removes old, vulnerable cryptographic primitives in favour of stronger encryption algorithms.
  • Standardized the HTTP Client API that was introduced as an incubator module in Java 9.
  • The Epsilon garbage collector is introduced as an experimental feature.
  • The Java EE and CORBA modules are removed from the JDK and the Java SE platform, and the Nashorn engine and the Pack200 tools are declared deprecated.
  • The JavaFX module is removed from the core distribution and is shipped separately.
  • Existing APIs are updated to support Unicode 10.
  • Added tooling for streaming low-level diagnostic data about errors and problems.
  • Added the ability to run single-file programs directly from their source code.
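Two of the items above, the standardised HTTP Client API and TLS 1.3, can be exercised together in one short program that also uses the new single-file launch. This is an added example written for this article, not code from Oracle or from the JDK release notes. It assumes JDK 11 or later and a reachable HTTPS endpoint passed on the command line; the client is configured so that it negotiates only TLS 1.3 and refuses anything older, and it reports the protocol the server actually agreed to.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import javax.net.ssl.SSLParameters;

/**
 * Added example (not Oracle's code): the java.net.http client standardised in
 * Java 11, pinned to TLS 1.3 only.
 * Single-file launch on JDK 11:  java TlsOnlyFetch.java https://example.com/
 */
public class TlsOnlyFetch {

    /** Builds a client that only offers TLSv1.3; older protocol versions are rejected. */
    static HttpClient tls13OnlyClient() {
        SSLParameters params = new SSLParameters();
        params.setProtocols(new String[] {"TLSv1.3"});
        return HttpClient.newBuilder()
                .version(HttpClient.Version.HTTP_2)
                .sslParameters(params)
                .connectTimeout(Duration.ofSeconds(10))
                .followRedirects(HttpClient.Redirect.NEVER) // do not silently follow to another host
                .build();
    }

    /** Performs a GET and returns the HTTP status; prints the negotiated TLS protocol. */
    static int fetchStatus(HttpClient client, String url) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(URI.create(url))
                .timeout(Duration.ofSeconds(10))
                .GET()
                .build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        // sslSession() is empty for plaintext http:// URLs.
        String negotiated = response.sslSession().map(s -> s.getProtocol()).orElse("plaintext");
        System.out.println("negotiated protocol: " + negotiated);
        return response.statusCode();
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://example.com/";
        int status = fetchStatus(tls13OnlyClient(), url);
        System.out.println("HTTP status: " + status);
    }
}
```

If the server does not support TLS 1.3, `send` fails with an `SSLHandshakeException` rather than quietly falling back to TLS 1.2, which is the behaviour a hardened client should have. Restricting the protocol list this way is a deployment decision; most servers in 2018 still needed TLS 1.2 allowed as well.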

More information about the changes can be found on the Release Notes page of JDK 11.

The previous, interim release of the standard and JDK 10 came out in March 2018. That toolkit gained three new variants of the Java virtual machine, application class-data sharing, and support for the experimental Just-in-Time compiler on Linux/x64.