Establishing Digital Trust: Don't Sacrifice Security for Convenience
Some vendors take longer than others to update for critical vulnerabilities - case in point is Google's Android mobile operating system. On Nov. 6, Google released an Android update, patching a vulnerability that IT vendors have known about for months.
On Oct. 16, security researcher Mathy Vanhoef, working at Belgian University KU Leuven, publicly disclosed the KRACK Wi-Fi vulnerability that affected all Wi-Fi devices that use WPA2 encryption, including every Android device ever built.
KRACK is an acronym for Key Reinstallation Attacks and is attack that is able to replay and reuse in-use encryption keys in order to give an attacker unauthorized access. Vanhoef worked with CERT/CC to responsibly disclose the issue and provide vendors with time to patch. The initial private disclosure was sent out to impacted vendors, including Google, on Aug. 28.
Multiple vendors, including Microsoft, Aruba, Cisco, Red Hat, Juniper Networks, ZyXEL and Intel, had KRACK patches available on Oct. 16. Apple was a laggard to the KRACK patch, releasing an update on Oct. 31, though Apple was still able to release a patch a week before Google.
Google's November Android update finally includes multiple patches for KRACK, though they are not specifically identified as KRACK patches by Google. Rather Google has included the KRACK updates under the System category of the Android November security updates.
"The most severe vulnerability in this section could enable a proximate attacker to bypass user interaction requirements before joining an unsecured Wi-Fi network," Google's advisory warns.
In total Google is patching nine different vulnerabilities that are KRACK related including: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088. Google has simply labelled the vulnerabilities has being EoP (elevation of privilege) with high severity.
"The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations," Vanhoef wrote in his original KRACK advisory. "Therefore, any correct implementation of WPA2 is likely affected."
In addition to the KRACK patches, Google is once again patching for multiple flaws in Android's much-maligned media framework library. In the November update, there are seven different media framework related issues being patched, five of which are rated as critical and the remaining two as high severity.
"The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," Google warned in its advisory.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.