Wednesday, 26 September 2012

Serious potential security flaw in Samsung Android handsets [UPDATE: New information, HTC handsets also reported vulnerable]

Quick note to inform Samsung users that there is a potentially very serious vulnerability on all Samsung's non-Nexus handsets that would allow a browser link to invoke a remote wipe via an iFrame USSD trigger. What that jargon means is that you could click on a link in the browser and suddenly find yourself staring at a freshly factory reset phone. Bad news.

To avoid this, browse in Chrome, which will not automatically dial numbers like USSD triggers.

More technical users should also be aware that revoking CALL_PHONE permissions would serve to block this attack within any HTML-rendering app (via chrisfu at XDA).

On waking this morning we see there have naturally been further developments overnight in relation to this issue.

Firstly, it has become clear that for the most part only handsets running TouchWiz are affected. That said, users have replicated it in CM7 based ROMs, and on a number of HTC devices also. It does seem quite solid at this point that if you're happily running a more recent version of CM/AOSP/AOKP you're unaffected. Furthermore, it seems the vulnerability is tied at least as much to the dialler as it is to the browser, as the optimistic early advice to just use Chrome appears flawed, with users able to replicate the exploit from within Chrome also. There are also reports that recent Samsung firmwares, such as the DLIB official Jelly Bean build from Poland, are unaffected by this, but it seems slightly premature to suggest this is confirmed. Bottom line is that the full extent of this vulnerability is not presently known.

To put this in context, let's not forget that the Galaxy SII is affected here: this means the exploit has likely been available for over a year now, and there are ZERO affected users. This could just end up being a typical "Android security scare" non-event. That said, now that the exploit is widely known that may change, and as always it's better to take preventative measures than suffer the potential consequences.

With that in mind, the best information presently to hand suggests installing Dialler One as a workaround, which doesn't automatically open the codes (also, if you do not set the default dialler after installation you will be offered a choice of which dialler to invoke giving you an opportunity to back out of opening the link).
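The mechanism described above is a page element whose URI hands a dial string to the dialler, which then executes it if it looks like an MMI/USSD code. As an added example (not from the original post or the XDA thread), here is a small Python check that flags tel: URIs in markup whose dial string is such a code rather than an ordinary phone number; the sample HTML is constructed and only uses *#06#, the standard GSM IMEI display code, which is the harmless test the linked demonstration page relies on.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# MMI/USSD strings begin with * or # and end with #, e.g. *#06# (the harmless IMEI
# display code). An ordinary click-to-call number like +6491234567 does not match.
USSD_RE = re.compile(r"^[*#][*#0-9]*#$")

# Attributes that can carry a URI an HTML-rendering app may hand to the dialler.
URI_ATTRS = {"src", "href", "data", "action"}

def _uri_from_attr(tag, name, value):
    """Return the URI carried by one attribute, or None if it carries none."""
    if tag == "meta" and name == "content":
        # <meta http-equiv="refresh" content="0; url=tel:..."> redirects too.
        m = re.search(r"url\s*=\s*(.+)$", value, re.I)
        return m.group(1).strip().strip("'\"") if m else None
    return value if name in URI_ATTRS else None

class TelUriCollector(HTMLParser):
    """Collect every tel: dial string in the markup, percent-decoded."""
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, attribute, decoded dial string)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            uri = _uri_from_attr(tag, name, (value or "").strip())
            if uri and uri.lower().startswith("tel:"):
                # '#' must be sent as %23 or the URL parser treats it as a fragment;
                # unquote() restores the dial string the phone actually receives.
                self.hits.append((tag, name, unquote(uri[4:])))

def find_ussd_triggers(html):
    """Return (tag, attr, dial string) for each tel: URI that is an MMI/USSD code."""
    parser = TelUriCollector()
    parser.feed(html)
    return [hit for hit in parser.hits if USSD_RE.match(hit[2])]

# Constructed sample page: one legitimate click-to-call link, plus a hidden iframe
# and a meta refresh that would auto-dial the IMEI display code on a vulnerable phone.
SAMPLE_HTML = """<html><body>
<p>Call us: <a href="tel:+6491234567">09 123 4567</a></p>
<iframe src="tel:*%2306%23" width="0" height="0"></iframe>
<meta http-equiv="refresh" content="0; url=tel:%2A%2306%23">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, dial in find_ussd_triggers(SAMPLE_HTML):
        print(f"USSD trigger in <{tag} {attr}>: {dial}")
```

The legitimate click-to-call link is left alone; only the two elements carrying an MMI code are reported, which is the distinction a content filter or WebView wrapper would need to make.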

Source: XDA-Developers

6 comments:

  1. I'm sorry but it's not in the handsets themselves, it's in Samsung TouchWiz based ROMs only. Anyone who has flashed CyanogenMod or AOKP (AOSP ROMs) is completely safe. Please edit the article.

    1. In actual fact even that is known to be incorrect now.

      Article updated on waking this morning with developments overnight.

      We'll be staying on this one and reporting back until resolution is reached.

  2. I did just find this blog about the issue: http://dylanreeve.posterous.com/remote-ussd-attack#comment
    He has created a webpage to simulate the problem but rather than wipe your phone it instructs it to open the dialler and display the IMEI code. If it doesn't display the IMEI, your phone should be okay. Apparently the SGS3 running ICS 4.0.4 has been patched (certainly worked okay on mine).

    1. Dylan has come out with some of the best commentary on this, however reports about whether it works on devices are still mixed - there are reports that the exploit works on 4.0.4 devices despite the fact that it looks like it should have been patched. I think the best advice is still to install another dialler like Dialer One for maximum safety.

  3. ...although http://www.stuff.co.nz/technology/gadgets/7732438/Security-risk-for-millions-of-Android-users says 4.0.4 is still exposed and you need 4.1.1 to be safe. Hmmm.

    1. I wouldn't trust Stuff coverage of anything tech, much less this issue, which still seems quite unclear even to techies.
