Calendar Bites Google Security in the Ass

By Rich

Well, this is embarrassing:

Blowing hash and signing functions so that the underlying code can be changed without the hash and sigs changing is horrifyingly atrocious. This is the code equivalent of impersonating a person with a mask so good nobody, not even the real person themselves, can tell the difference.
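The defensive principle behind that paragraph is that a signature or hash check only protects what is actually executed if the verifier and the loader are looking at the same bytes. The following is an added example, not code from the original post or from Android; it builds a constructed ZIP package with a per-entry digest manifest, authenticates the manifest with a demo HMAC key (a stand-in for real code-signing; the key, the `MANIFEST`/`MANIFEST.SIG` names and the `tamper` helper are all assumptions made for this illustration), and then shows a loader that returns only the bytes whose digests it just checked. It also refuses archives whose entry names are ambiguous, since a container two parsers can read differently is exactly where a verifier and an installer can disagree about which bytes "that file" means.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed demo key. A real system would use an asymmetric signing key or a
# certificate chain, not a shared secret embedded in the loader.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
MANIFEST_NAME = "MANIFEST"
SIG_NAME = "MANIFEST.SIG"


def build_package(files: dict[str, bytes]) -> bytes:
    """Build a constructed package: entries + per-entry SHA-256 manifest + MAC over the manifest."""
    manifest_lines = []
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(files.items()):
            zf.writestr(name, data)
            manifest_lines.append(f"{name} {hashlib.sha256(data).hexdigest()}")
        manifest = "\n".join(manifest_lines).encode()
        zf.writestr(MANIFEST_NAME, manifest)
        zf.writestr(SIG_NAME, hmac.new(DEMO_KEY, manifest, "sha256").hexdigest().encode())
    return buf.getvalue()


def verify_and_load(package: bytes) -> dict[str, bytes]:
    """Return the verified entries, raising ValueError on any mismatch.

    Design rule: the bytes handed back are exactly the bytes whose digest was
    checked, so nothing can be "changed without the hash changing".
    """
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = [info.filename for info in zf.infolist()]
        # Ambiguity check: two entries with one name means a verifier and a
        # loader could legitimately pick different bytes for the same name.
        if len(names) != len(set(names)):
            raise ValueError("duplicate entry names")

        manifest = zf.read(MANIFEST_NAME)
        sig = zf.read(SIG_NAME)
        expected = hmac.new(DEMO_KEY, manifest, "sha256").hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("manifest signature mismatch")

        digests = dict(line.split(" ", 1) for line in manifest.decode().splitlines())
        loaded = {}
        for name in names:
            if name in (MANIFEST_NAME, SIG_NAME):
                continue
            if name not in digests:
                raise ValueError(f"unsigned entry: {name}")
            data = zf.read(name)
            if hashlib.sha256(data).hexdigest() != digests[name]:
                raise ValueError(f"digest mismatch: {name}")
            loaded[name] = data
        # Every signed entry must also be present; silently dropping one is a change too.
        if set(digests) != set(loaded):
            raise ValueError("manifest lists entries missing from package")
        return loaded


def tamper(package: bytes, name: str, new_data: bytes) -> bytes:
    """Constructed test input: replace one entry's bytes while leaving MANIFEST and its MAC intact.

    This models "code changed, signature unchanged"; a correct loader must reject it.
    """
    src = zipfile.ZipFile(io.BytesIO(package))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info.filename))
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_package({"classes.bin": b"original code", "res/strings": b"hello"})
    print("clean package loads:", sorted(verify_and_load(pkg)))
    try:
        verify_and_load(tamper(pkg, "classes.bin", b"modified code"))
    except ValueError as err:
        print("tampered package rejected:", err)
```

The point of `verify_and_load` returning the data it hashed (rather than verifying in one pass and re-reading the archive in another) is that there is no second parse whose interpretation could drift from the first; that, plus rejecting ambiguous containers, is what keeps the hash meaningful.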

Google espouses 60 days to fix exploitable bugs and going public one week after private notification. According to Bluebox, they told Google about this via bug 8219321 in February 2013. That’s a little bit more than 60 days ago. Seeing as it’s now July, I think (and I’m not very good at math, so bear with me here) that’s at least twice as many. It’s especially more than 7 days. I’m not sure how Google are following their own disclosure policy.

I suspect the people motivated to publish Google’s disclosure policy were all or mostly on the web side. It is a much different problem when you are dealing with software updates, especially on a platform that often you cannot update. I have yet to find a ROM past Android 4.0 (current is 4.2) that I can get running on my test phone. HTC certainly isn’t providing it, which means many millions of phones will be vulnerable… forever.

There was little doubt that publishing that policy would eventually come back to haunt them.

Comments

Rich, I feel your pain. HTC has not updated the ROM on my phone past 2.2, which is a primary reason that, when I upgrade, it won’t be to another HTC.

This must be a bigger issue than Google thought, or someone seriously dropped the ball, but they should have released something about the bug.

By tkrabec on
