このように、セキュリティーの研究者たちは、既存のシステムの脆弱性を次から次へと発見してくれています。
これは、とてもありがたいように見えます。
しかし、同時にとても恐ろしいようにも感じます。
ハッカー(つまりネット犯罪者)はいろいろな種類あります。
おそらく、普通の人は、ハッカーを高度な知識と技術を持っている人だ等連想しています。
しかし、知識を普及するか、注意喚起のつもりで書かれた本によって、ハッカー行為を始めるか行うハードルは著しく低くなってきています。おまけに無料のソフトや、ソースコードまで簡単に入手できます。
極論を言うと、やろうと思えば、小学生でもできるようになっています。
このような社会情勢の中で、このシステムにはこのような脆弱性があるよと、安易に公表すると、何か「面白い」ことをしようと、うずうずしている(死ぬほどいる!)人たちはすぐハッキングに利用しかねません。しかも、楽々とです!
関連会社はすぐに脆弱性を回避するためのパッチを出しますが、かななずしもすべてのデバイスに反映されると限りません。
それで、一部パッチが当てられていないデバイスはハッカー立ちのおいしい餌食になります。
ハッカーにとっては、餌食そう沢山要らないことは多いです。
ごく少数の被害者さえ見つけられれば、恐ろしいことを実現できてしまいます。
これは、IT社会の現状です。
結論としては、このような「脆弱情報」を安易に、大々的に発表するのを控えたほうはいいです。
セキュリティーが大事で、重視しているユーザ(法人を含む)は常に更新しているし、そうではない人は、いずれ被害者の候補になるのは変わらないです。そのような情報を大々的に公表しても、しなくてもです。
Just One Photo Can Silently Hack Millions Of Androids
http://www.msn.com/en-us/news/technology/just-one-photo-can-silently-hack-millions-of-androids/ar-AAiB6z0
Google released a bunch of Android patches today, covering off some previously-disclosed issues including the worrying Quadrooter bugs that affected 900 million phones. But another, previously-unknown critical weakness has been covered too and you’ll want to download the patch now because the hack can be delivered hidden inside an innocuous-looking photo in a social media or chat app. A victim wouldn’t even have to click on the evil photo: as soon as its data was parsed by the phone, it’d quietly let a remote hacker take over the device or simply brick it.
The problem, according to the researcher who uncovered the vulnerability, resided in the way images used by certain Android apps parsed the Exif data in an image. Any app using a slice of Android code – the Java object ExifInterface – is likely vulnerable, said Tim Strazzere, from security firm SentinelOne.
Strazzere told me that as long as an attacker can get a user to open the image file within an affected app – such as Gchat and Gmail – they could either cause a crash or get “remote code execution”; ergo they could effectively place malware on the device and take control of it without the user knowing.
The problem was made even more severe as a malicious hacker wouldn’t even need the victim to do anything. “Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone. Once that application attempts to parse the image (which was done automatically), the crash is triggered,” Strazzere said. That’s not dissimilar to how the Stagefright exploits of last year ran.
“Theoretically, someone could create a generic exploit inside an image to exploits lots of devices. However, due to my skill level, I had to specifically craft each one for the devices. Though once this is done, Gchat, Gmail, most other messengers or social media apps would likely allow this to trigger.” The researcher wouldn’t reveal the names of the other, non-Google apps affected, other than to say they included “privacy-sensitive” tools.
Prior to the today’s update that provides patches for all versions of Google’s operating system from 4.4.4 up, older Android devices would have been in greater danger of an image-based hack. “Most of the newer mitigations in place made it quite difficult for me to get a stage working exploit that could work on multiple devices,” Strazzere said. “With this said, it was incredibly easy to cause the phone to become unusable (due to the mitigations) and go into endless reboots. There were even a few phones that somehow go bricked in this process, all from just receiving the corrupted image over Gmail.”
Another warning: Strazzere successfully tested his exploits on phones stretching back to a handful of Android 4.2 and Amazon devices. They may well remain unpatched, leaving users exposed. As Strazzere told me, if you’re not running an up-to-date operating system and/or device, it’s probably time to invest if worried about security.
Google gave Strazzere $4,000 as part of its Android bug bounty and added another $4,000, as the researcher had pledged to give all $8,000 to Girls Garage, a building program and workspace for girls aged 9-13.
Android manufacturing partners were advised about Strazzere’s find – and the scores of other vulnerabilities detailed today – on 5 August or before. If concerned, check with your device maker to see when an update is on the way. Google Nexus phones running Android 4.4.4 and above should receive an over-the-air update today.
