Latest security "threat" in reality how serious is it???

[pbike908]

According to this link, Most Android phones are vulnerable:

Linux TCP flaw lets attackers hijack web traffic and inject malicious code remotely

And unlike most Android vulnerabilities, it doesn't require a "side loaded" App.

I am not a tinfoil type. And almost all off my secure stuff is done through HTTPS. But for stuff not done over HTTPS, how likely/easy it for someone to infect my phone with something malicious because of this vulnerability?

I do not run a 3rd party security program because it has been my experience with Windows that 3rd party security products cause more trouble then they are worth. Oh, and I am on Verizon Prepaid so their "bloatware" security program doesn't run on Verizon prepaid.

Not trying to stir up trouble. I am just curious.

 

[Aquila]

In the wild it's almost impossible for someone to hit you with this. They need to know which sites you're visiting first, and know that while you're there. From there, they have to hijack the TCP communication, which means they need to know the port number and the sequence number. Since there are billions of possibilities for sequence numbers and tens of thousands of port numbers, there are over 100 trillion possibilities to target at random - and the user would have to get the right time while you're at the site that matches that combination and then they have to create a successful clone of that site's rendering so that you think you're in the right place while they're highjacking the connection to insert malicious code - and that malicious code would also be impacted by Android's other security measures, meaning they can't do much with the connection, even if it is established.

In short, they're trying to use this as a way to gain access to exploit other vulnerabilities. A successful attack would have to be perpetrated by someone who knows your browsing habits, not just which sites you frequent, but when you frequent them and for how long. This would mean you're the specific target of a highly skilled "hacker" who probably either knows you personally or has other access to your browsing history with enough data to predict when and where you'll be on the web.

Wild rate of risk: 0%.

 

[Aquila]

Also will add that it's already been patched in Linux, should be patched in operating systems based on Linux shortly.

 

[pbike908]

Also will add that it's already been patched in Linux, should be patched in operating systems based on Linux shortly.

I am not really that worried based on your prior detailed post. But as we all know unfortunately the track record of timely Android security updates on non Google phones is not good. And the article said (or another article that referred me to this one) that Nougat thus far hasn't been patched for this.

Again, I'm not really worried, just curious.

Perhaps other more technical folks than I will also chime in.

 

[Golfdriver97]

Aquila raises a good point on how plausible this is. It leaves me with a question, that is sparked by what Aquila pointed out? Say, in the example that they had showing the hacker and the victim (target), and halfway through the process, the target leaves the site, or better yet, stays on the same site, but moves to a different article, therefore slightly changing some of the parameters, what happens? I get that news articles can be long and cause you to stay for more than a minute, but often, that isn't the case.

Also will add that it's already been patched in Linux, should be patched in operating systems based on Linux shortly.

Theoretically, this is the good part about monthly security updates.

 

[Aquila]

Based on the date of the CVE, I'm expecting this to be in the September security patch, which I believe will be the patch on the first phones that ship with Android 7.0 Nougat.

For people who want the latest security protection I cannot in good conscience recommend any phone that isn't a current model Nexus except perhaps for BlackBerry. But as I have expressed elsewhere, the fact that the exec team at BB is willing to pull the plug on the project at any moment if things don't remain profitable makes me nervous on that front which is why they earn a perhaps, rather than a definite buy recommendation. Their current performance is really good IMO, their future makes me worry. So for my personal phones, for now it's Nexus only.

 

[pbike908]

It is unfortunate for the Android ecosystem that the only phone that gets RAPID and timely updates is the Google Nexus. Please note that I created this thread in the Droid Turbo 2 thread -- meaning obviously that I have a Droid Turbo 2 which DOES NOT receive monthly security updates.

Shaming other manufacturers and saying "buy a Nexus" is NOT THE ANSWER. Unless one also wants to add "or buy an Iphone" in the same sentence as Apple also has a solid reputation for timely patching of security holes.

Google and their partners really need to address this.

 

[Aquila]

It is unfortunate for the Android ecosystem that the only phone that gets RAPID and timely updates is the Google Nexus. Please note that I created this thread in the Droid Turbo 2 thread -- meaning obviously that I have a Droid Turbo 2 which DOES NOT receive monthly security updates.

Shaming other manufacturers and saying "buy a Nexus" is NOT THE ANSWER. Unless one also wants to add "or buy an Iphone" in the same sentence as Apple also has a solid reputation for timely patching of security holes.

Google and their partners really need to address this.

Please don't take my statement as attacking moto; the buy a nexus part is only stating what I'm personally doing, not what others should do. Google did address the security problem; now it's time for the OEM's to decide if they're going to take the threats seriously or not.