Researchers with IBM have said smartphone users not running the Android 4.4 KitKat OS are more open to vulnerabilities.
IBM went public and said there are critical security vulnerabilities in Android version 4.3. The bug was discovered about nine months ago, but IBM made its findings public on Monday, according to security expert Graham Cluley.
“The vulnerability affects Android 4.3 only. Thanks for the Android Security Team for correcting our advisory,” the researchers wrote on an IBM website, Security Intelligence.
“Nine months ago, my team came across a classic stack-based buffer overflow in the Android KeyStore service,” it said. “As always, we adhered to our responsible disclosure policy and privately reported this issue to the Android Security Team; the result is a patch that is now available in KitKat. Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure.”
The website notes the difficulties in how Android patches are rolled out.
“Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure,” the website writes.
Security Intelligence posted a run-down of the problems:
“Leak the device’s lock credentials. Since the master key is derived by the lock credentials, whenever the device is unlocked, ‘Android::KeyStoreProxy::password’ is called with the credentials.
Leak decrypted master keys, data and hardware-backed key identifiers from the memory.
Leak encrypted master keys, data and hardware-backed key identifiers from the disk for an offline attack.
Interact with the hardware-backed storage and perform crypto operations (e.g., arbitrary data signing) on behalf of the user.”
According to a recent report, Google said only 13.6 percent of all Android users are running KitKat. The majority of users are running Jelly Bean, which encompasses 4.1 to 4.3.