Critical Vulnerability Put Billions of Android Device Under Threats

Security of the mobile device is also major issue of today's days, and if we talk about the most popular mobile Operating System Android then we all know that it is the most targeted (attacked) mobile OS. But Google team continues their efforts to make is secure.

Security researcher Jann Horn, have discovered a critical security vulnerability on the Android Operating System which effects almost 99 percent Android users. The vulnerability was addressed CVE-2014-7911 and resides in java.io.ObjectInputStream, which fails to check whether an Object that is being deserialized is actually a serializable object.

The Bug was critical because it effects billions of the users and allows the attacker (hacker) to bypass the Address Space Layout Randomization (ASLR) defense and execute arbitrary code of their choice on a target device under required environment (scenario) .

Researcher Horn describing the bug say, android apps can communicate with system_service, which runs under admin privileges (UID 1000) and using Intents with the attached Bundles, these are "transferred as arraymap Parcels and arraymap Parcels can contain serialized data," in this way, any android app can attack the system_service.

On the security advisory note Horn noted that -

"When ObjectInputStream is used on untrusted inputs, an attacker can cause an instance of any class with a non-private parameterless constructor to be created,". "All fields of that instance can be set to arbitrary values."