Friday, 12 July 2013

CyanogenMod 10.1.2 Is Another Small Security Update, Patches Second Master Key APK Vulnerability

Second verse, same as the first. Two days ago the CyanogenMod ROM team announced a security update to the CM 10.1 platform, incorporating the "Master Key" security patch that Google had already issued back in February. Yesterday another, more intricate exploit in the same vein wasposted by a Chinese blog, and again, Google has rapidly moved to patch the problem in Android... which won't be much comfort to those running an older release. Being the security-minded folks that they are, the CyanogenMod team has already patched the vulnerability in an even newer version of the ROM, CyanogenMod 10.1.2.
Untitled-4
It's an easy fix if you know what you're doing: nine lines of code prevent malicious apps from skipping the signature verification built into Android. But it's a significant enough bug for the version bump in CyanogenMod, and the 10.1.2 initial release includes only this fix. Builds have already appeared on the CyanogenMod download page for dozens of devices, and should propagate through all the officially-supported phones and tablets throughout the day. The immediate risk is relatively minor (unless you're in the habit of installing shady apps on your device) and Google has probably already incorporated the patch for this exploit into its Play Store vetting procedure, but it's nice to see the most visible of the major community ROMs respond so quickly.
From the CyanogenMod Google+ account:
Some of you may have noticed some details emerging yesterday about a new apk-level issue in Android (bug 9695860) . Google has already released a patch for it, so 10.1.2 is a minor upgrade on top of 10.1.1 to add that change.
Even though it's minor, all users running 10.1.0.x or 10.1.1 are advised to upgrade. Stay safe!
New builds are appearing on Get.CM, and should be available through the CM10.1 integrated over-the-air update function as well.
Source: CyanogenMod Download Page via CyanogenMod Google+

No comments:

Post a Comment