






CVE-2014-7911: Why the ObjectInputStream Serialization Vulnerability Continues to Wreak Havoc



In November 2014, security researcher Jann Horn disclosed the ObjectInputStream Serialization
vulnerability, also known as CVE-2014-7911. This vulnerability results in a privilege escalation and
is easily exploited, which allows hackers to gain administrator-level permissions and access to data
in any application. What does this mean? If a device is vulnerable to the ObjectInputStream
Serialization vulnerability, attackers can easily acquire higher-level privileges than the app that runs
the exploit should have. This allows attackers to access any data that is stored within any app on the
device, therefore putting critical user information at risk.

Although disclosure of this vulnerability coincided with the release of Android 5.0 Lollipop, allowing
Google to patch the bug, it continues to wreak havoc. Most recently, this vulnerability made
headlines after hackers began using it as a means to root Sony Android devices.

This vulnerability allows an app to bypass restrictions by failing to serialize data, which enables an
attacker to run code under system privileges and leaves Android devices exposed. It’s important to
note that hackers can use this vulnerability to root all Android devices, not just Sony ones.


The Details

This vulnerability made exploitation easier and was only patched in Lollipop (released in
late 2014), making every device running anything prior to Android 5.0 vulnerable. This leaves a
large population of devices exposed since, according to Google’s Android stats, Lollipop only
makes up 1.6 percent of the ecosystem. However, the Bluebox research team, Bluebox Labs,
found that manufacturers have begun to backport a fix. This means they are taking the fix and
applying it to older versions of Android. From this we can infer that manufacturers realized this
vulnerability was serious enough to patch, based on the fact that a patch to this vulnerability is
appearing before vendors issue Lollipop updates. Additionally, some devices may never receive the
Lollipop update, so backporting a fix makes even more sense in those cases to ensure the security
of those devices.


Despite these efforts, a large number of Android devices remain unpatched and unprotected. This
means that on those devices an attacker can still:

• Gain full control of your Android device


• Access your personal or sensitive corporate information without you knowing

• Install malicious software

• Bypass important security restrictions you or an administrator places on the device


51 Cyber Warnings E-Magazine – February 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
