02-22-2012 10:35 AM
> if you had a vulnerability that allowed remote execution and required an action
> that requires superuser access on an unrooted device, the vulnerability
> would be useless for someone who wanted to attack an unrooted device.
1. I do not believe that that is true. Just like on a Windows computer, the attack would be limited when operating in a limited user account, but it would _not be eliminated_.
It would have access to all files and privileges that the limited user account has access to. Which is a lot.
I wouldn't be real happy if it stole my contacts list (including their email addresses, for spamming purposes) or deleted my several GB of music files. Or deleted my apps. Or placed calls where charges would occur (e.g., foreign countries, 900 numbers, etc).
2. From reading their security warning, it appears that Adobe doesn't believe that "the vulnerability would be useless for someone who wanted to attack an unrooted device" either.
Perhaps you are saying that after gaining access, the hacker would need to tailor the attack specifically for Android OS, as opposed to Windows.
The hacker's response would be: no problem.
They can do that any time they want to.
Look at it this way, Erik.
All this just sells more NMS.
Hopefully NMS protects against these kind of vunerabilities (e.g., flash).
02-22-2012 11:28 AM - edited 02-22-2012 11:52 AM
The existence of a vulnerability does not mean the use of a vulnerability. You are correct that apps such as Flash, Acrobat, etc contain vulnerabilities that can be exploited. Right now, the main threat vector we're seeing are trojanized Apps. These can be modified legitimate apps or copy cats Apps. At some point I would expect to see attacks via a drive by download type or while using apps such as Flash, etc.
Put it another way for right now. Let's say that you are a hacker who wants to make money. Say that 80% of traffic to your site is on a Windows machine with 10% on Mac, 5% on iOS, and 5% Android. Where would you invest the time and effort in? You'd go for the biggest slice.
Right now, the extent of the protection we currently provide is in the Web Protection component. Right now, there is virus protection and we do plan to add further layers of protection. NMS uses a system similar to Safeweb. You can use the Safeweb site to check a site, but keep in mind that there may be a delay before that is added to the system that NMS uses. Primarily to ensure that the site is in fact targetting the Android platform.
02-23-2012 11:09 AM
> The existence of a vulnerability does not mean the use of a vulnerability.
Logically true, but evades the point.
The folks at Microsoft could say the same thing, right?
But they still bring out a patch for it.
Because they know that sooner or later someone will exploit it.
It's just a matter of time.
> the main threat vector we're seeing are trojanized Apps.
Agree. See "It's just a matter of time."
> Right now, the extent of the protection we currently provide is in the _Web Protection_ component.
So the current version of NMS does _not_ protect against:
Flash, Adobe Reader, Java, etc vulnerabilities.
Is that correct?
In my previous post I mentioned concerns about:
stealing the contacts list, deleting files, deleting apps, making calls.
Does the current version of NMS protect against those?
The reason I ask is I'm trying to decide whether or not to purchase NMS.