Some devices running Android 4.1.1 and 4.2.2 found to be affected by Heartbleed


The OpenSSL bug "Heartbleed" (CVE-2014-0160) has existed since 2012 and came to light in 2014; roughly 500,000 sites are thought to be affected. It has now also emerged that some Android devices, such as those running Android 4.1.1 and Android 4.2.2, may be affected by the vulnerability, and users of other devices should be careful as well.

Heartbleed disclosure timeline: who knew what and when

Vicious Heartbleed bug bites millions of Android phones, other devices | Ars Technica

According to The Sydney Morning Herald's summary of what is known so far, Heartbleed was first noticed by Neel Mehta of Google's security team, believed to have been on or before March 21 local time (PDT). At 10:23 that day (2:23 pm on March 22, Japan time) Google's Bodo Möller and Adam Langley wrote and committed a patch for the vulnerability. The patch was applied to Google's services and servers one after another and at the same time sent to OpenSSL, from which it was passed on to Red Hat and others.

While the existence of Heartbleed was still not public, around March 31 the content distribution network (CDN) CloudFlare was told by someone whose identity is not known that "there is a vulnerability". This allowed CloudFlare to put countermeasures in place ahead of other companies.

Independently, at 9:30 on April 4 (EEST; 15:30 on April 4, Japan time), the Finnish IT security company Codenomicon's Defensics tool reached the same vulnerability that Neel Mehta had found. On the evening of the same day (the night of the 4th in Japan) the company reported it to Finland's National Cyber Security Centre. Because Codenomicon was acting under a confidentiality agreement at this point, it did not give its customers advance notice of the vulnerability, and its customers are said to have learned of it only when Heartbleed's existence was made public.

On April 4 (PDT), Akamai, a CDN like CloudFlare, applied a patch based on "vulnerability information brought in from the community, whose source cannot be disclosed". At this time there were rumours that OpenSSL had some kind of vulnerability, but the details were unknown, so they were dismissed as no more than rumours.

At 1:13 on April 6 (7:13 on April 6, Japan time), Codenomicon published the vulnerability information on "Heartbleed.com" without further delay. Only then, at least two weeks after Google had quietly responded, was the existence of Heartbleed finally announced.

The impact of Heartbleed has spread to Facebook, Instagram, Pinterest, Tumblr and Yahoo!, which have called on users to change their passwords, and even people with no connection to IT have come to hear that "something pretty bad is happening". The Canada Revenue Agency has already had the social insurance numbers of 900 people leaked and has closed its tax return filing site.

According to Symantec researchers, because the major desktop browsers do not rely on the OpenSSL cryptographic library for the cryptographic protection of HTTPS, there is no fear of ordinary PC users having personal information stolen by an attack from a malicious server.

However, according to Marc Rogers, a security researcher at the mobile security company Lookout, people using Android devices, including some running Android 4.2.2, are affected by Heartbleed, so there is a danger of their information being stolen.

The scenario Rogers considers most likely resembles CSRF, which triggers unintended actions merely by visiting a page: the user is lured to an attacker-controlled site, for instance through a site where they shop, and from there the attacker extracts what the user has typed into a highly sensitive site, such as online banking, open in a separate tab. More simply, it is possible to exploit the vulnerability directly to feed malicious commands to the browser and extract important information it holds. In either case the underlying mechanism is the same as on servers: the attacker's TLS peer sends a heartbeat request whose declared payload length exceeds the data actually sent, and the vulnerable OpenSSL copy inside the client answers with up to 64 KB of whatever lies next to the request in its memory.
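The client-side attack described above relies on the same defect as the server-side one. As an added illustration that is not part of the article and is not OpenSSL's own code, the C model below reproduces the missing bounds check in OpenSSL's heartbeat handler: a request that declares a 100-byte payload but carries 2 bytes makes the unpatched handler copy whatever follows the record in memory into its reply, while the 1.0.1g-style length check rejects it and still answers a well-formed request. The record layout follows RFC 6520 (type, 16-bit payload length, payload, at least 16 bytes of padding); the "secret" placed next to the record, the buffer sizes and the function names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding RFC 6520 requires */

/* Simulated process memory of the TLS peer being attacked: the received
   record sits at the start, other data happens to follow it. */
static uint8_t process_memory[256];

/* Constructed sample "secret" assumed to lie next to the record, e.g.
   data belonging to another connection or browser tab. */
static const char secret[] = "Cookie: session=deadbeef; passwd=hunter2";

/* Build a heartbeat request. declared_len is what the sender claims,
   actual_len the payload bytes really sent. Returns the record length. */
static size_t build_heartbeat(uint8_t *rec, uint16_t declared_len,
                              const uint8_t *payload, size_t actual_len)
{
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(declared_len >> 8);
    rec[2] = (uint8_t)(declared_len & 0xff);
    memcpy(rec + 3, payload, actual_len);
    memset(rec + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Vulnerable handler (OpenSSL 1.0.1 up to 1.0.1f): trusts the declared
   length and never compares it with the record actually received. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                         /* the bug: rec_len is ignored */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len); /* reads past the real record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler (1.0.1g): discard the message unless header + declared
   payload + padding fits inside the received record. Returns 0 on discard. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Does buf[0..len) contain the bytes of needle? */
static int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Send a request that claims 100 payload bytes but carries 2 through the
   vulnerable (use_fixed == 0) or fixed handler. Returns 1 if the secret
   lying next to the record shows up in the response. */
static int attack_leaks_secret(int use_fixed)
{
    uint8_t response[256];
    const uint8_t payload[] = { 'h', 'i' };
    memset(process_memory, 0, sizeof process_memory);
    size_t rec_len = build_heartbeat(process_memory, 100, payload, 2);
    memcpy(process_memory + rec_len, secret, sizeof secret); /* adjacent data */
    size_t n = use_fixed ? heartbeat_fixed(process_memory, rec_len, response)
                         : heartbeat_vulnerable(process_memory, rec_len, response);
    return n > 3 && contains(response + 3, n - 3, "passwd=hunter2");
}

/* A well-formed request (declared == actual) is still answered after the fix;
   returns the response length (3 + 2 + 16 = 21). */
static size_t fixed_handler_answers_valid_request(void)
{
    uint8_t rec[64], out[64];
    const uint8_t payload[] = { 'h', 'i' };
    size_t rec_len = build_heartbeat(rec, 2, payload, 2);
    return heartbeat_fixed(rec, rec_len, out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", attack_leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", attack_leaks_secret(1));
    printf("fixed handler answers a valid request with a %zu-byte response\n",
           fixed_handler_answers_valid_request());
    return 0;
}
```

The one-line check in heartbeat_fixed is the whole fix: the attacker still controls the two length bytes, but the copy is now bounded by the size of the record that was actually received. On an Android device the vulnerable copy of this handler lives in the system OpenSSL used by the stock browser, which is why the attacker's server, not the user's own site, is the peer sending the malformed request.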

Android's sandbox is designed so that malware cannot access another application's storage area, and most devices on the currently mainstream Android 4.2.2 are safe, but there is a fear that the vulnerability can break through this protection on Android 4.1.1 (the 4.1.x line it belongs to accounts for 34% of Android's share), and "part of 4.2.2" is said to be affected as well. Because Android is customized by each carrier and manufacturer, it is unclear which devices this "part" refers to, and it is also not clear how 4.2.1 and other versions are affected, so for the time being users of Android devices are better off not accessing or logging in to sites holding important information from the browser.

Experts also point out that not only Android devices but every kind of device that relies on OpenSSL, including routers and modems used in homes and small offices, is at risk, so the disruption caused by Heartbleed is likely to continue.

Posted in Note, Mobile by logc_nt