
Google patches buffer overflow flaw in Android KeyStore service

A serious buffer overflow vulnerability in Android's KeyStore storage service, responsible for maintaining cryptographic keys, has been patched.

Last week, IBM's security team publicly disclosed details of the bug (CVE-2014-3100), which it alerted Android's security team to last September. As of Nov. 2013, Google confirmed that it had prepared a fix for the flaw, which affects Android 4.3 (Jelly Bean). The patch is available by updating to Android 4.4 (KitKat).

An attacker would have to carry out a number of feats to exploit users, including bypassing Android's data execution prevention feature, and overcoming other security mechanisms, like address space layout randomization, IBM's blog post said.

Upon successful exploitation, a hacker could obtain a device's decrypted and encrypted master keys, as well as “interact with the hardware-based storage and perform crypto operations” – such as arbitrary data signing on the victim's behalf, IBM revealed.
