lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAA4i3gYDE4aies_eTU3Mx0tu31SDkkrmLMaodLdsNwEEYKv6LQ@mail.gmail.com> Date: Tue, 10 Dec 2013 23:48:53 +0200 From: Roee Hay <roeeh@...ibm.com> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Android Fragment Injection vulnerability Hi, We have recently disclosed a new vulnerability to the Android Security Team. The vulnerability affected many apps, including Settings (the one that is found on every Android device), Gmail, Google Now, Dropbox and Evernote. To be more accurate, any App which extended the PreferenceActivity class using an exported activity was automatically vulnerable. A patch has been provided in Android KitKat. If you wondered why your code is now broken, it is due to the Android KitKat patch which requires applications to override the new method, PreferenceActivity.isValidFragment, which has been added to the Android Framework. Important links: 1. Blog post: http://ibm.co/1bAA8kF 2. Whitepaper: http://ibm.co/IDm2Es Roee Hay IBM Application Security Team Lead _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists