DIY Security Fix For Android [43 year old vulnerability]

Wi-Fi security software chokes on network names, opens potential hole for hackers by Paul Ducklin.

Paul details a bug that has been found in wpa_supplicant. The bug arises only when using Wi-Fi Direct, which is supported by Android. 🙁

The bug?, failure to check for buffer overflow. This must be what Dave Merkel, chief technology officer at IT security vendor FireEye, means by:

testing [software] for all things it shouldn’t do is an infinite, impossible challenge.

According to the Wikipedia article Buffer Overflow, buffer overflows were understood as 1972 and the first hostile use was in 1988. Those dates translate into forty-three (43) and twenty-seven (27) years ago.

Is it unreasonable to expect vulnerabilities known for forty-three (43) and used twenty-seven (27) years ago to be avoided in current programming practice?

This is the sort of issue where programming standards, along with legal liability as an incentive, could make a real difference.

If you are interested in knowing more about buffer overflows, see: Writing buffer overflow exploits – a tutorial for beginners.

Comments are closed.