I wouldn't think for a second that exploit would work with Dalvik VM. I was just wondering about the security update for Android as a system.
Let's imagine a hypothetical Dalvik VM 0-day. My question is still: would the fix for this patch have to go through the cell phone provider too, or can it reach all devices directly? I think cell phone providers would delay such a fix for some time. They customize their Android. That's why you simply cannot upgrade.

Csaba
________________________________________
From: [email protected] [[email protected]] On Behalf Of andrew mcelroy [[email protected]]
Sent: Saturday, September 08, 2012 9:07 PM
To: [email protected]
Subject: Re: [nlug] Java security issue?

On Sat, Sep 8, 2012 at 10:43 PM, andrew mcelroy <[email protected]> wrote:
> On Sat, Sep 8, 2012 at 9:44 PM, Toth, Csaba <[email protected]> wrote:
>> That's not a straightforward scenario either.
>> Some OS-X Java vulnerabilities were exploited because the release of the
>> OS-X version of JVM lags behind.
>>
>> I don't have an android phone, so I'm wondering how vulnerability patching
>> works with Android.
>
> http://immunityproducts.blogspot.com.es/2012/08/java-0day-analysis-cve-2012-4681.html
>
> I don't think the exploit would even work on Android. The reason is
> because this depends on java and sun namespaces.
> Also, be warned that there is now a metasploit module to exercise this:
> https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
>
> Some time before my next class I'll look into if this does impact
> android at all. When that happens, I'll report back.
>
> Again my money is on this being a non issue for Android.

My money is pretty safe. You would need to make applets work on android. Until that happens, this is a non issue.

>
>> Because the cell phone service providers usually modify the Android a
>> little, so does a Dalvik VM patch need to go through the providers too,
>> or can it go directly from Google onto the device? I have a feeling that the
>> providers hold back patches and there's a lag,
>> which creates opportunities for attack vectors.
>>
>> Not even talking about upgrading to new versions of Android in case of
>> devices: in that case I certainly know that this
>> is seriously held back by the cell phone service providers. (Ok, I had a
>> dead-battery HTC for a while for play, and I needed
>> to install Cyanogen to get Android 2.2 on it instead of the 1.6).
>>
>> Csaba
>> ________________________________________
>> From: [email protected] [[email protected]] On Behalf Of
>> Tilghman Lesher [[email protected]]
>> Sent: Saturday, September 08, 2012 7:33 PM
>> To: [email protected]
>> Subject: Re: [nlug] Java security issue?
>>
>> On Sat, Sep 8, 2012 at 9:14 PM, John R. Dennison <[email protected]> wrote:
>>> On Sat, Sep 08, 2012 at 08:39:51PM -0500, Toth, Csaba wrote:
>>>> I'm involved with Java, and it's sad to see that some big technology
>>>> sites advise to uninstall Java completely.
>>>
>>> Oracle sat on at least 2 root-able vectors for a long time. Disabling
>>> or uninstalling in the face of their security mismanagement is prudent
>>> considering that at least one 0-day in the wild was dropping root kits.
>>
>> Google's decision to build its own virtual machine looks smarter all
>> the time. I wonder when we can expect to see Dalvik packaged for
>> desktop use.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "NLUG" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/nlug-talk?hl=en
