Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

August 5, 2015

Who is in Charge of Android Security?

Filed under: Cybersecurity,IoT - Internet of Things,Open Source,Security — Patrick Durusau @ 2:20 pm

Just the other day I posted Targeting 950 Million Android Phones – Open Source Security Checks?. Today my email had a link to: Nearly 90 percent of Android devices vulnerable to endless reboot bug by Allen Greenberg.

Allen points to: Android MediaServer Bug Traps Phones in Endless Reboots by Wish Wu, which reads in part:

We have discovered a new vulnerability that allows attackers to perform denial of service (DoS) attacks on Android’s mediaserver program. This causes a device’s system to reboot and drain all its battery life. In a more severe case, where a related malicious app is set to auto-start, the device can be trapped in an endless reboot and rendered unusable.

The vulnerability, CVE-2015-3823, affects Android versions 4.0.1 Jelly Bean to 5.1.1 Lollipop. Around 89% of the Android users (roughly 9 in 10 Android devices active as of June 2015) are affected. However, we have yet to discover active attacks in the wild that exploit this vulnerability.

This discovery comes hot on the heels of two other major vulnerabilities in Android’s media server component that surfaced last week. One can render devices silent while the other, Stagefright, can be used to install malware through a multimedia message.

Wow! Three critical security bugs in Android in a matter of weeks.

Which makes me ask the question: Who (the hell) is in Charge of Android Security?

Let’s drop the usual open source answer to complaints about the software: “…well, if you have an issue with the software you should contribute a patch…” and wise up that commercial entities are making money off the Android “open source” project.

People can and should contribute to open source projects, but at the same time commercial vendors should not push the burden of avoiding security bugs onto the public.

Commercial vendors already push the cost of security bugs onto the public because so far, though not for much longer, they have avoided liability for them. They simply don’t invest in the coding practices that would avoid the security bugs that are so damaging to enterprises and individuals alike.

The same was true in the history of products liability. It is a very complex area of law that is developing rapidly, and someday soon the standard EULA will fall and there will be no safety net under software vendors.

There are obvious damages from security bugs, and there are vendors who could have avoided the security bugs in the first place. It is only a matter of time before courts discover that the same class of bug (usually unchecked input) is causing damages over and over again, and that checking input avoids the bug in the majority of cases.

Who can choose to check input or not? That’s right, the defendant with the deep pockets, the software vendor.
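As an added example (not code from this post, from Trend Micro, or from Android’s mediaserver), the toy C parser below shows the unchecked-input pattern the post refers to beside a hardened version that validates what it reads. The chunk layout (4-byte tag, 4-byte little-endian payload length, payload), the function names and the sample chunks are all constructed for illustration; the page does not describe the internals of CVE-2015-3823 and this code does not claim to reproduce it.

```c
/*
 * Added example, not code from the blog post or from Android's mediaserver.
 * A length field read from an untrusted file is used without validation in
 * one parser and validated in the other. The chunk layout is invented here:
 *   bytes 0-3: tag, bytes 4-7: little-endian payload length, then payload.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 64

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable form: trusts the length field. A length larger than the
 * remaining input or than the destination overruns one or both buffers.
 * Only call this on well-formed input; it is here to show the pattern. */
int parse_chunk_unchecked(const uint8_t *buf, uint8_t *out)
{
    uint32_t n = read_le32(buf + 4);
    memcpy(out, buf + 8, n);   /* no bound against input size or out size */
    return (int)n;
}

/* Hardened form: every value derived from the input is checked against the
 * bytes actually present and the destination capacity before it is used.
 * Returns the payload length, or -1 for any malformed chunk. */
int parse_chunk_checked(const uint8_t *buf, size_t len,
                        uint8_t *out, size_t out_cap)
{
    if (buf == NULL || out == NULL) return -1;
    if (len < 8) return -1;                 /* header must fit */
    uint32_t n = read_le32(buf + 4);
    if (n > len - 8) return -1;             /* payload must fit in input */
    if (n > out_cap) return -1;             /* payload must fit in output */
    if (n > INT_MAX) return -1;             /* return value must represent it */
    memcpy(out, buf + 8, n);
    return (int)n;
}

/* Constructed sample chunks (not real media data). */
static const uint8_t chunk_valid[]     = { 'D','A','T','A', 3,0,0,0, 'a','b','c' };
static const uint8_t chunk_empty[]     = { 'D','A','T','A', 0,0,0,0 };
static const uint8_t chunk_oversized[] = { 'D','A','T','A', 0xff,0xff,0xff,0x7f, 'a' };
static const uint8_t chunk_truncated[] = { 'D','A','T' };

/* Valid chunk: expect 3 with "abc" copied out; -2 if the bytes are wrong. */
int sample_valid(void)
{
    uint8_t out[OUT_CAP] = {0};
    int n = parse_chunk_checked(chunk_valid, sizeof chunk_valid, out, sizeof out);
    if (n == 3 && memcmp(out, "abc", 3) != 0) return -2;
    return n;
}

/* The unchecked parser agrees on good input; on chunk_oversized the same
 * call would memcpy about 2 GiB past both buffers. */
int sample_unchecked_on_valid(void)
{
    uint8_t out[OUT_CAP] = {0};
    return parse_chunk_unchecked(chunk_valid, out);
}

/* Zero-length payload is legal: header only, nothing copied. */
int sample_empty(void)
{
    uint8_t out[OUT_CAP];
    return parse_chunk_checked(chunk_empty, sizeof chunk_empty, out, sizeof out);
}

/* Length claims ~2 GiB but one byte follows: rejected. */
int sample_oversized(void)
{
    uint8_t out[OUT_CAP];
    return parse_chunk_checked(chunk_oversized, sizeof chunk_oversized, out, sizeof out);
}

/* Fewer bytes than a header: rejected before the length is even read. */
int sample_truncated(void)
{
    uint8_t out[OUT_CAP];
    return parse_chunk_checked(chunk_truncated, sizeof chunk_truncated, out, sizeof out);
}

/* Valid chunk but destination too small: rejected rather than overflowed. */
int sample_small_destination(void)
{
    uint8_t out[2];
    return parse_chunk_checked(chunk_valid, sizeof chunk_valid, out, sizeof out);
}

int main(void)
{
    printf("valid=%d empty=%d oversized=%d truncated=%d small_dest=%d\n",
           sample_valid(), sample_empty(), sample_oversized(),
           sample_truncated(), sample_small_destination());
    return 0;
}
```

Both parsers return the same answer for the well-formed chunk; only the checked one survives the malformed ones. Building with `-fsanitize=address` and feeding `chunk_oversized` to `parse_chunk_unchecked` makes the overrun visible as a reported crash, which is the kind of input-driven failure the post is describing.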

Who is in charge of security for your software?

PS: I mentioned the other day that the CVE database is available for download. That would be the starting point for developing a factual basis for known/avoidable bug analysis for software liability. I suspect that has been done and I am unaware of it. Suggestions?
