Popular apps on Google Play linked to old remote code execution bugs

The latest versions of popular apps hosted on Google Play are harboring known vulnerabilities that could subject users to Remote Code Execution (RCE) attacks. 

When we download apps from official repositories, we may assume that security updates have already been applied -- or once installed, software updates will make sure the app is up-to-date with fixes. However, on Thursday, cybersecurity researchers from Check Point said that patches issued to resolve years-old flaws for popular applications may not have been applied to versions available in Google Play. 

In a blog post, Check Point documented the results of a month-long study, conducted in May, into the presence of known vulnerabilities in popular mobile applications. The results suggested that the use of third-party components and open source resources, including libraries, may have led to old, vulnerable code still being present in apps.

"When a vulnerability is found and fixed in an open source project, its maintainers typically have no control over the native libraries which may be affected by the vulnerability, nor the apps using these native libraries," Check Point says. "This is how an app may keep using the outdated version of the code even years after the vulnerability is discovered."

Specifically, the researchers examined the mobile apps in question for three RCE vulnerabilities dating from 2014, 2015 and 2016. Each bug was assigned two signatures and hundreds of apps were scanned in the Google Play Store. 

The first vulnerability scanned for, tracked as CVE-2014-8962, is described as a stack-based buffer overflow problem in libFLAC before 1.3.1 which permits attackers to achieve RCE via a crafted .flac file.
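The scanning approach the article describes, a per-bug signature matched against the native libraries bundled in each app, can be illustrated with a small inventory check. The following Python is an added example, not Check Point's tooling or any scanner from the study: it unpacks an APK (a zip file), looks inside each bundled `.so` for the vendor string libFLAC embeds in its binaries (assumed here to follow the form `reference libFLAC <version> <date>`), and flags copies older than 1.3.1, the first release carrying the fix for CVE-2014-8962. The sample APK is constructed in memory so the script runs offline; the `libflac.so` payloads are placeholder bytes carrying only the version string, not real ELF objects.

```python
import io
import re
import zipfile

# Vendor string libFLAC embeds in its binaries, e.g. "reference libFLAC 1.3.1 20141125".
# Assumption: the trailing build date varies per release, so only the version is captured.
LIBFLAC_VERSION_RE = re.compile(rb"reference libFLAC (\d+)\.(\d+)\.(\d+)")

# First libFLAC release with the fix for CVE-2014-8962 (stack-based overflow via crafted .flac).
FIXED_LIBFLAC = (1, 3, 1)


def scan_native_libs(apk_bytes):
    """Return {lib_path: (major, minor, patch)} for every bundled .so that embeds a libFLAC vendor string."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Android packages native code under lib/<abi>/*.so
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            match = LIBFLAC_VERSION_RE.search(apk.read(name))
            if match:
                found[name] = tuple(int(x) for x in match.groups())
    return found


def vulnerable_libs(apk_bytes, fixed=FIXED_LIBFLAC):
    """Return only the bundled libFLAC copies that predate the fixed release."""
    return {path: ver for path, ver in scan_native_libs(apk_bytes).items() if ver < fixed}


def build_sample_apk():
    """Constructed sample APK: one outdated libFLAC, one patched copy, one unrelated library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        # Placeholder bytes standing in for an ELF shared object; only the vendor string matters here.
        z.writestr("lib/armeabi-v7a/libflac.so",
                   b"\x7fELF...\x00reference libFLAC 1.3.0 20130526\x00")
        z.writestr("lib/arm64-v8a/libflac.so",
                   b"\x7fELF...\x00reference libFLAC 1.3.1 20141125\x00")
        z.writestr("lib/arm64-v8a/libother.so", b"\x7fELF...\x00no codec strings here\x00")
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for path, ver in vulnerable_libs(apk).items():
        version = ".".join(map(str, ver))
        print(f"{path}: libFLAC {version} is older than 1.3.1 and affected by CVE-2014-8962")
```

Matching on an embedded version string is cheap and works on stripped binaries, which is why it suits a bulk scan of a store; the trade-off is that a vendor that backported the fix without bumping the version would be reported as affected, so a hit is a reason to inspect the library, not proof on its own.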
