Recently, some media reported that in September last year, Professor Yang Min from the School of Computer Science and Technology of Fudan University and his colleagues discovered more than 400 high-risk vulnerabilities that could brick "all alive Android devices on the market" and submitted them to Google.
What is "outrageous" is that the Google security team said at the time that it would fix them within 2 months, but the fix actually took 16 months. In other words, these high-risk vulnerabilities have been "brushing shoulders" with everyone for a year, and were not completely repaired until recently.
On December 29, Professor Yang Min posted his earlier email correspondence with the Android security team on Weibo through the account @杨珉_Fudan University, saying that he had received multiple delay notices since these vulnerabilities were submitted to Google for repair in September last year, and joked: "I don't know if it is going to block Google's Android security team."
The post prompted a lot of heated discussion, and many readers were curious about these more than 400 vulnerabilities. What are the vulnerabilities that made Google "stand everyone up" once again?
According to reports, these more than 400 vulnerabilities were discovered by Professor Yang Min's team through systematic research on the Android system's resource management mechanism. The resulting paper is included in S&P 2022.
According to the abstract of the paper, this design defect, which relates to the data storage process, is called "Straw" and can affect 474 related interfaces through 77 system services. The resulting Straw vulnerabilities can lead to various temporary or even permanent DoS attacks; permanently crashing the user's Android device can have serious consequences. All vendors using Android code would be affected by the vulnerability.
It is reported that when Professor Yang Min's team discovered these vulnerabilities, they immediately submitted them to Google, which rated them as "high severity" at the time. I thought that Google would be able to properly resolve the vulnerabilities, but in the end the team kept receiving delay notifications from Google, and the fix was delayed until the end of this year. In the past few days, Google finally sent an e-mail saying that the "issue patch is about to be announced".
In the email, Google gave the vulnerability the CVE ID CVE-2021-0934, but at present no CVE-2021-0934 entry can be found on the official CVE website or on the latest Android security bulletin board (https://secsys.fudan.edu.cn/04/3d/c26976a394301/page.htm).
Of course, after 16 months of repair time, everyone's Android devices no longer need to be "bricked", which is good news.
As for why Google kept everyone waiting for more than a year before fixing the vulnerability, Google's reply to Professor Yang Min's email explains that "it is necessary to develop a solution to this problem without introducing compatibility issues, so the time required is longer than expected." What do you think of this answer?
No matter how you look at it, Professor Yang Min and his colleagues were almost "suffocated" by this incident. In the blog post, Professor Yang Min complained: "During this period, Google has been delaying the release of patches because it is difficult to fix such vulnerabilities, and repeatedly asked us to keep it secret."
Professor Yang discovered the problem from the perspective of a professional researcher and conducted research on it, while keeping it strictly confidential; otherwise we would not now know that the Android devices in our hands have escaped the high-risk consequences of "bricking".
So here we must not only remind technology giants to shake off their "procrastination", but also call on technology companies to treat developers and white hat hackers well and encourage them to find bugs and join the effort to maintain network security. A tribute to all the security researchers!