diff options
| author | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2023-12-31 13:18:02 +0100 |
|---|---|---|
| committer | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2023-12-31 13:18:19 +0100 |
| commit | 24ba2134fae77c76af8ab5880e1b21b519ed5941 (patch) | |
| tree | eb24222136f267ac3e501d2596530e43f3fa4d20 /markdown/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md | |
| parent | dac22e627f3c716201556537849743387464c73d (diff) | |
| download | haunt-blog-24ba2134fae77c76af8ab5880e1b21b519ed5941.tar.gz haunt-blog-24ba2134fae77c76af8ab5880e1b21b519ed5941.tar.bz2 haunt-blog-24ba2134fae77c76af8ab5880e1b21b519ed5941.zip | |
Add generated markdown files.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
Diffstat (limited to 'markdown/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md')
| -rw-r--r-- | markdown/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/markdown/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md b/markdown/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md new file mode 100644 index 0000000..5e4c670 --- /dev/null +++ b/markdown/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md @@ -0,0 +1,36 @@ +tags: Privacy/security, Replicant images release, Paul Kocialkowski +date: 2012-09-30 12:55 +title: Replicant 2.3 0005 images, fixing the USSD vulnerability +--- +Earlier this week, we were noticed that an USSD vulnerability was discovered +in Android. After doing a bit of research, we came to understand the nature of +the vulnerability: intents can basically dial a number and start a call +without asking confirmation to the user. That could seem harmless at first +sight, but it turns out it also works with USSD codes, and some of them are +very powerful. This is mostly the case of vendor-specific USSD codes (that are +not included in Replicant), which could erase the phone’s user data. + +What’s also problematic about this is that web pages can trigger such intents +(through an iframe with the `tel:` prefix for instance). +Since this vulnerability was present in our Replicant images (although the +damage was reduced as we don’t include vendor-specific USSD codes), we decided +to include the fix in our code base and release new images. That’s nearly the +only new feature of these images (Galaxy S also got a nasty graphic bug +fixed). + +You can download the images from the [ReplicantImages][1] page and find +[installation instructions][2] as well as [build guides][3] on the [Replicant +wiki][4]. + + [1]: +<http://redmine.replicant.us/projects/replicant/wiki/ReplicantImages#Replicant-23-0005-images> + + [2]: <http://redmine.replicant.us/projects/replicant/wiki#Installing- +Replicant> + + [3]: <http://redmine.replicant.us/projects/replicant/wiki#Building- +Replicant> + + [4]: <http://redmine.replicant.us/projects/replicant/wiki/> + + |