I've posted a follow-up on my Zero-Permission Android findings.

http://www.leviathansecurity.com/blog/archives/18-Zero-Permission-Android-Applications-part-2.html

In that posting, I discuss a vulnerability in the ping binary as it exists in the 2.3 branch. The vulnerability is that ping can be executed without being in the "inet" or similar group. As such, an app with no permissions is able to have limited network access, capable of performing DNS lookups and sending ICMP Echo packets. As I mention in the blog post, this was patched in the 4.0 branch.

My question to the folks on this list is whether this vulnerability was ever discussed, or if it was just silently patched. Further, am I correct in assuming that security vulnerabilities like this don't get backported? Considering that more than 90% of devices are running 2.3.x or below (as of May 1, according to android.com), this seems like a terrible patch policy.
