Click and Get Owned on Android... Again
According to Google's monthly survey, Android versions prior to 4.4 are running on about 69% of the world's Android phones as of November 2014. If we believe that Android accounts for 85% of the world's smartphones, and further posit there are about 1.84 billion phones in use by the end of 2014, that comes to a figure of about a billion (with a b) devices out in the world that are vulnerable to this bug, absent a patch.
As it happens, Google did patch this vulnerability for Android days after notification, which is great. Today, it's quite possible that handset manufacturers, carriers, aftermarket ROM developers, and even in-the-know consumers can now take Google's upstream patch and apply it to their own devices. Heck, they could write their own Android patches without Google's help. It's open source, after all.
The Metasploit Framework is open source, too, but luckily, we don't have a lot of intermediaries between Rapid7 and the end users. If (well, when) Metasploit ships with a security bug, you can bet that Rapid7 will write, validate and publish a fix, and then do what we can to make sure that Metasploit users have every chance to get at those fixes and apply them.
This direct-line relationship Rapid7 has with the devices running Metasploit doesn't appear to exist between Google and that vast majority of Android devices. Even though Google published a backport for this bug on September 30, it seems unlikely that the end user of the Android device will ever see that fix without buying a new phone first. For many, many people, buying a new phone just isn't practical; the people who are most likely affected by "legacy" Android bugs are the same people who couldn't afford a fancy "latest" Android handset in the first place.
In other words, it looks like a billion phones aren't going to see this patch any time soon, if ever. It's nice that the patch exists, but Google doesn't seem to have any practical way of getting it out to the world.
For a platform that's so integral to the human experience of the Internet, this seems kind of a huge problem, and I don't know how to fix it at this point, given the way the Android ecosystem works. Any suggestions?
In addition to the Android hotness, we've landed four other new modules this week.
- Citrix NetScaler SOAP Handler Remote Code Execution by juan vazquez and Bradley Austin
- X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution by Fernando Munoz and Juan Escobar
- Xerox Multifunction Printers (MFP) "Patch" DLM Vulnerability by Deral "Percentx" Heiland and Pete "Bokojan" Arzamendi (exploits BID-52483)
Auxiliary and post modules