How do you defend yourself against the unknown? That is crux of the zero-day vulnerability: a software vulnerability that, by definition, is unknown by the user of the software and often its developer as well.
Everything about the zero-day market, from research and discovery through disclosure and active exploitation, is predicated upon this fear of the unknown—a fear that has been amplified and distorted by the media. Is the world really at threat of destabilisation due to lone-wolf hackers digging up vulnerabilities in popular software packages and selling them to whichever repressive government offers the most money? Or is it just a classic case of the media and megacorp lobbyists focusing on the sexy, scary, offensive side of things, and glossing over the less alluring aspects?
And then what about legislation and regulation of zero-days? In most countries, there are scant legal mechanisms for discouraging or punishing the discovery of new zero-days. There are even fewer laws and directives dictating how zero-days should be responsibly disclosed. It isn't that lawmakers aren't aware of these problems, it's just that there isn't an easy solution. How do you craft a law that allows some research groups to keep on digging for vulnerabilities while at the same time blocking the black hats? What if the government's idea of "responsible disclosure" means disclosing all vulnerabilities to GCHQ or the NSA?
Recently, Europe began discussing how best to interpret the Wassenaar Arrangement—an agreement between 41 countries that was originally designed to limit the proliferation of physical, military weapons to non-desirables—when it applies to the proliferation of surveillance software, intrusion tools, and zero-day software vulnerabilities. In the US, the Senate is set to vote on the Cybersecurity Information Sharing Act as soon as today. The legislation would expand the Computer Fraud and Abuse Act to include security research. The US is trying to decide how to interpret Wassenaar when it comes to the exporting of intrusion software and zero-days too.
The outcome of these consultations and parliamentary processes will dictate whether security researchers, irrespective of the colour of their hat, can continue to operate in Europe and the US.
Fonte Ufficiale: http://arstechnica.com/security/2015/10/the-rise-of-the-zero-day-market/
Mobile networks around the world have been penetrated by criminals and governments via bugs in the code that keeps them running, research suggests.
The bugs could be abused to carry out large scale fraud and unlawful surveillance, security company Adaptive Mobile said.
It found evidence of compromise in every territory it studied.
The study builds on work by other security researchers who warned about loopholes in core network code.
"There's varying rates of activity in every operator we have worked with," said Cathal McDaid, head of Adaptive Mobile's threat intelligence unit, which carried out the research. "They are all being hit by this to one extent or another."
The security holes have been found in a technology known as Signalling System 7 (SS7), which helps to interconnect mobile networks across the globe.
"The SS7 technology is a huge pervasive network that spans the world," said Mr McDaid. "More people use it on a daily basis than use the internet."
The research was prompted by work on SS7 by other security experts who, in a series of separate projects, identified potential problems in the way that it had been implemented on many mobile networks,
"We've found that this is not just theoretical, this activity is ongoing," Mr McDaid said.
By abusing the SS7 security bugs, cyber-thieves have been able to defraud mobile operators by tricking billing systems into giving them cheap calls and roaming. The loopholes have also been used to track people closely, home in on their handset and tap into calls and messages.
In some cases, said Mr McDaid, governments had been found to be abusing the vulnerabilities to carry out unlawful surveillance of targets in other nations.
In one of these cases, the SS7 flaws were used to redirect sensitive conversations among people on the MTS Ukraine network to a Russian mobile operator. Ukraine's mobile regulator investigated but could not discover who was behind the attack. It also found that two other networks in the country were susceptible to the same redirection attack.
The GSMA, the industry association for mobile operators, said it not seen the details of Adaptive's findings and could not comment directly on what it found.
It added; "The GSMA takes the security of signalling networks very seriously and has working groups that follow these developments and offer recommendations and guidance which is incumbent upon the operators and others to implement to safeguard their networks."
Operators had got guidance on how to spot and combat unauthorised SS7 traffic, it said.
Philippe Langlois, founder of P1 Security, which regularly surveys protections around SS7 networks globally, said he was not surprised that there was widespread abuse of the ageing technology. The survey found that many operators did a poor job of protecting information about their core network and shared information on customers too freely.
"Many people have a strong incentive to exploit these vulnerabilities," he said. "There are many different kinds of attackers and end results."
P1's survey had found evidence that SS7 loopholes were being abused to move credit between mobile accounts or to tap into calls and read text messages.
He said the work by security researchers had prompted many operators to tighten up their networks and remove some loopholes. Now, monitoring systems were helping to spot when campaigns of attack were getting under way.
"There are many different ways to defend a network," he said. "It's not a hopeless situation."
Fonte Ufficiale: http://www.bbc.com/news/technology-34536921
Hackers behind a long-running cyber-espionage campaign have begun using a new Adobe Flash zero-day exploit in their latest campaign.
The attackers behind Pawn Storm targeted several foreign affairs ministries from around the globe using a Flash-based attack, Trend Micro reports.
The targets received spear phishing emails that contained links pointing towards sites hosting the exploit. These emails were themed so that they appeared to offer links to news analysis articles and pieces. Examples included “Syrian troops make gains as Putin defends air strikes” and “Israel launches air strikes on targets in Gaza”.
The URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted NATO members and the White House in April this year, security researchers at Trend micro note.
The Flash zero-day affects at least Adobe Flash Player versions 220.127.116.11 and 18.104.22.168, based on the initial results of an ongoing analysis by security researchers from Trend Micro.
Trend Micro has notified Adobe about its discovery, with which it went public on Wednesday. In the meantime, Trend has updated its own enterprise security tools to block attacks targeting this particular software security hole.
Adobe released a scourge of vulnerability fixes for Reader and Flash on Tuesday, as part of its regular monthly patching cycle.
But these updates failed to plug the 0-day (CVE-2015-7645) abused by Pawn Storm, Adobe spokeswoman Heather Edell confirmed. Adobe expects to make a cross-platform update for this critical bug available during the week of 19 October.
More detail can be found in Adobe's holding statement. There is no workaround short of a patch so, as El Reg has repeatedly suggested, users should consider removing Flash altogether or at least enabling click-to-play in your browser so you only run Flash files you can trust.
Storm in a coffee cup
The Pawn Storm crew are innovators in the world of APT-style hacking and previously unknown software security holes. For example, the group used a Java zero-day in an earlier run of attacks.
Pawn Storm cyberspies are trying multiple strategies in their attempt to break into foreign affairs ministries. These efforts extend beyond the latest spear-phishing with Flash exploit malfeasance. Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These were used for simple, but extremely effective, credential phishing attacks.
“One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised,” Trend Micro reports. “This means that Pawn Storm has been intercepting incoming email to this organisation for an extended period of time in 2015.”
Fonte Ufficiale: http://www.theregister.co.uk/2015/10/15/pawn_storm_flash_0day_attack/
Yet another adware campaign stemming from China has been identified, and in this fresh go, victims' Android devices can be completely taken over.
The Kemoge adware family, as FireEye calls it, is thought to originate in China. Its infections already span more than 20 countries, including the U.S. and Russia. The adware disguises itself as repackaged popular apps, including “Calculator,” “Talking Tom 3,” and “Smart Touch.” These apps are put on third-party app stores.
Although the infection is relatively typical, with the downloaded app first serving up annoying ads and then trying to gain root access, it does come with one especially new feature. After having gained root, the malware searches for antivirus (AV) software and purposefully seeks to uninstall or disable it.
Yulong Zhang, a FireEye research scientist, said in an interview with SCMagazine.com that this was the first time an adware group's been documented going directly for AV vendors in order to remain on a device.
Going back to the adware's technique for gaining root, once a user downloads a malicious app, the malware unpacks its disguised .zip file, which is protected by at least three layers of encryption. The perpetrators go to great lengths to keep their ultimate payload hidden.
The payload contains exploits for multiple Android devices, including Motorola and Samsung, Zhang said. The apps also don't ask for administrator privileges, although Zhang said users typically breeze through the permissions page anyway. Instead, it requests access to portions of the phone where it might be able to run a root exploit. The camera is one example, he said.
“There's no direct relationship between the description of a permission and its root exploit,” he explained. “It might access the camera, but there may be some vulnerability in the camera's library, and the app can obtain root by exploiting it.”
While these apps are all located on a third-party store, Zhang did point out that one of the malicious apps was designed by a developer whose products appear in the legitimate Google Play store. It doesn't necessarily mean any apps made it through to the real Android marketplace, but Zhang did caution that it's a possibility.
Although a malicious app might not be live now, it could have been in the past and then upgraded to a benign state.
Fonte Ufficiale: http://www.scmagazine.com/fireeye-identifies-new-adware-family/article/443726/
The risk of a "serious cyber attack" on nuclear power plants around the world is growing, warns a report.
The civil nuclear infrastructure in most nations is not well prepared to defend against such attacks, it added.
Many of the control systems for the infrastructure were "insecure by design" because of their age, it said.
Published by the influential Chatham House think tank, the report studied cyber defences in power plants around the world over an 18-month period.
Cyber criminals, state-sponsored hackers and terrorists were all increasing their online activity, it said, meaning that the risk of a significant net-based attack was "ever present".
Such an attack on a nuclear plant, even if small-scale or unlikely, needed to be taken seriously because of the harm that would follow if radiation were released.
In addition, it said "even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry".
Unfortunately, research carried out for the study showed that the UK's nuclear plants and associated infrastructure were not well protected or prepared because the industry had converted to digital systems relatively recently.
This increasing digitisation and growing reliance on commercial software is only increasing the risks the nuclear industry faces.
There was a "pervading myth" that computer systems in power plants were isolated from the internet at large and because of this were immune to the kind of cyber attacks that have dogged other industries.
However, it said, this so-called "air gap" between the public internet and nuclear systems was easy to breach with "nothing more than a flash drive". It noted that the destructive Stuxnet computer virus infected Iran's nuclear facilities via this route.
The story of Stuxnet
In 2009, a malicious computer program called 'Stuxnet' was manually uploaded into a nuclear plant in Iran.
The worm took control of 1,000 machines involved with producing nuclear materials, and instructed them to self-destruct.
What made the world's first cyber-weapon so destructive?
The researchers for the report had also found evidence of virtual networks and other links to the public internet on nuclear infrastructure networks. Some of these were forgotten or simply unknown to those in charge of these organisations.
Already search engines that sought out critical infrastructure had indexed these links making it easy for attackers to find ways in to networks and control systems.
Keith Parker, chief executive of the Nuclear Industry Association, said: "Security, including cyber security, is an absolute priority for power station operators."
"All of Britain's power stations are designed with safety in mind and are stress-tested to withstand a vast range of potential incidents," he added. "Power station operators work closely with national agencies such as the Centre for the Protection of National Infrastructure and other intelligence agencies to always be aware of emerging threats."
In addition, said Mr Parker, the industry's regulator continuously monitors plant safety to help protect it from any outside threats.
In June this year the International Atomic Energy Agency held its first international conference about the cyber threats facing plants and manufacturing facilities. At the conference Yukiya Amano, director of the IAEA, said both random and targeted attacks were being directed at nuclear plants.
"Staff responsible for nuclear security should know how to repel cyber-attacks and to limit the damage if systems are actually penetrated," he said in a keynote address to the conference.
The civil nuclear industry should do a better job of measuring cyber attack risks and improve the way it defends against them, according to Chatham House. Many plants examined by the report's researchers lacked preparedness for large-scale attacks that took place outside office hours.
"The nuclear industry is beginning - but struggling - to come to grips with this new, insidious threat," said Patricia Lewis, research director of Chatham House's international security programme.
Fonte Ufficiale: http://www.bbc.com/news/technology-34423419
Antivirus applications and other security software are supposed to make users more secure, but a growing body of research shows that in some cases, they can open people to hacks they otherwise wouldn't be vulnerable to.
The latest example is antivirus and security software from Kaspersky Lab. Tavis Ormandy, a member of Google's Project Zero vulnerability research team, recently analyzed the widely used programs and quickly found a raft of easy-to-exploit bugs that made it possible to remotely execute malicious code on the underlying computers. Kaspersky has already fixed many of the bugs and is in the process of repairing the remaining ones. In a blog post published Tuesday, he said it's likely he's not the only one to know of such game-over vulnerabilities.
"We have strong evidence that an active black market trade in antivirus exploits exists," he wrote, referring to recent revelations that hacked exploit seller Hacking Team sold weaponized attacks targeting antivirus software from Eset.
He continued: "Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks. For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software. Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks."
As Ormandy suggested, the bugs he found in Kaspersky products would most likely be exploited in highly targeted attacks, such as those the National Security Agency might carry out against a terrorism suspect or spies pursuing an espionage campaign might carry out against the CEO of a large corporation. That means most people are probably better off running antivirus software than foregoing it, at least if their computers run Windows. Still, the results are concerning because they show that the very software we rely on to keep us safe in many cases makes us more vulnerable.
Kaspersky isn't the only security software provider to introduce bugs in their products. Earlier this month, security researcher Kristian Erik Hermansen reported finding four vulnerabilities in the core product marketed by security firm FireEye. One of them made it possible for attackers to retrieve sensitive password data stored on the server running the program. Ormandy has also uncovered serious vulnerabilities in AV software from Sophos and Eset.
In a statement, Kaspersky Lab officials wrote, "We would like to assure all our clients and customers that vulnerabilities publicly disclosed in a blogpost by Google Project Zero researcher, Mr. Tavis Ormandy, have already been fixed in all affected Kaspersky Lab products and solutions. Our specialists have no evidence that these vulnerabilities have been exploited in the wild."
The statement went on to say that Kaspersky Lab developers are making architectural changes to their products that will let them better resist exploit attempts. One change included the implementation of stack buffer overflow protection, which Ormandy referred to as "/GS" in his blog post. Other planned changes include the expansion of mitigations such as address space layout randomization and data execution prevention (for much more on these security measures see How security flaws work: The buffer overflow by Ars Technology Editor Peter Bright). Ormandy thanked Kaspersky Lab for its "record breaking response times" following his report.
Still, the message is clear. To perform, security software must acquire highly privileged access to the computers they protect, and all too often this sensitive position can be abused. Ormandy recommended that AV developers build security sandboxes into their products that isolate downloaded files from core parts of the computer operating system.
"The chromium sandbox is open source and used in multiple major products," he wrote. "Don't wait for the network worm that targets your product, or for targeted attacks against your users, add sandboxing to your development roadmap today."
Fonte Ufficiale: http://arstechnica.com/security/2015/09/security-wares-like-kaspersky-av-can-make-you-more-vulnerable-to-attacks/
It is often said, "the Internet is running out of phone numbers," as a way to express that the Internet is running out of IPv4 addresses, to those who are unfamiliar with Internet technologies. IPv4 addresses, like phone numbers are assigned hierarchically, and thus, have inherent inefficiency. The world’s Internet population has been growing and the number of Internet-connected devices continues to rise, with no end in sight. In the next week, the American Registry for Internet Numbers (ARIN) will have exhausted their supply of IPv4 addresses. The metaphorical IPv4 cupboards are bare. This long-predicted Internet historical event marks opening a new chapter of the Internet’s evolution. However, it is somehow anti-climactic now that this date has arrived. The Internet will continue to operate, but all organizations must now accelerate their efforts to deploy IPv6.
ARIN IPv4 Address Exhaustion
The Internet Assigned Numbers Authority (IANA) delegates authority for Internet resources to the five RIRs that cover the world. The American Registry for Internet Numbers (ARIN) is the Regional Internet Registry (RIR) for the United States, Canada, the Caribbean, and North Atlantic islands. ARIN has been managing the assignment of IPv4 and IPv6 addresses and Autonomous System (AS) numbers for several decades. Each RIR has been managing their limited IPv4 address stores and going through their various phases of exhaustion policies. ARIN has been in Phase 4 of their IPv4 depletion plan for more than a year now. ARIN will soon announce that they have completely extinguished their supply of IPv4 addresses.
At this point, the rules for how address resources are allocated will change. Address resource applicants may not get their justified request fulfilled and might be offered a smaller block or the choice to be added to a waiting list. This page documents the process for the waiting list for unmet IPv4 address requests. To review the unmet resource policies, consult the Number Resource Policy Manual (NRPM), check out section 4.1.8. However, when the supply of IPv4 address space drops to 0.00000, then there will be no more addresses to allocate. If IPv4 addresses become available, then the policies in the NRPM will dictate that they are given out based on the Waiting List for Unmet Requests method.
IPv4 Exhaustion Predicted for Decades
Predictions of IPv4 depletion date back to the early 1990s. The IETF formed the Address Lifetime Expectations (ALE) Working Group in the mid-1990s to analyze the rate of IPv4 adoption in anticipation that this date would come. IPv4 address supply concerns was the primary reasons the IETF wanted to create a new version of the Internet Protocol (IP). The IETF IP Next Generation (IPng) working group started their work around that time and the first IPng was drafted around 1993. In those early days of the Internet, no one could have predicted the tremendous growth of the Internet. The IETF created Internet Protocol version 6 and finalized the header format with RFC 2460 in 1998. Each year as the IPv4 Internet grew at breakneck speeds, transition to IPv6 had become more and more daunting.
Prolonging IPv4’s Lifespan
As the Internet began to grow, techniques like Classless Interdomain Routing (CIDR) and Network Address Translation (NAT) were used to extended life-support for IPv4 for almost two decades. Now ISPs are looking at using Carrier Grade NAT (CGN)/Large Scale NAT (LSN) to further prolong the use of IPv4. However, many of these multi-NAT techniques cause problems for many popular Internet applications. We can expect that there will be other techniques contrived to keep the much-loved IPv4 protocol running for decades to come.
No End in Sight for IPv4
Few organizations are thinking about when they may eventually stop using IPv4. Some enterprise organizations have not given IPv6 much thought and are not aggressively moving to implementing it. Organizations will not be able to transition right from using IPv4 to using IPv6 directly. The dual-stack transition technique is the dominant transition strategy (tunnels are to be avoided when possible). In other words, organizations are encouraged to use native IPv6.
Even if an organization starts to deploy IPv6 immediately, they will still require the use of IPv4 for years to come. IPv6 may not have a large impact on an organization’s near-term IPv4 address constraints. Those few enterprise organizations are playing a dangerous "game of chicken" by ignoring IPv6. While, there are techniques for prolonging the lifespan of IPv4, organizations may end up with limited options. Going forward, organizations that require additional IPv4 addresses will need to request them from their service provider (provided they have any addresses left to lease) or purchase them on the open market. As IPv4 address blocks get traded around and split up, we can expect the Internet routing tables to become increasingly fragmented.
Organizations that deploy IPv6 will be living in a dual-stack world for many years. During that period of using both IPv4 and IPv6 in parallel, organizations will likely incur increased operating expenses. Gradually, over time, the cost of running an IPv4 network will increase.
Now What? Move to IPv6!
So now that this Internet historic date of ARIN’s IPv4 run-out has arrived, we should review what our own organizations are doing to plan for the next phase of the Internet’s lifespan.
Internet Service Providers (ISPs) should already be well on their way through their IPv6 deployments. If you work for an ISP that has not yet started your IPv6 deployment then you are in serious danger of falling far behind your competitors.
If you are an enterprise organization, then your plans for the future need to be quickly defined and put into action. Your organization no longer has the option to continue to ignore IPv6. However, your organization may be planning to invest in purchasing additional IPv4 addresses. Your organizations will be forced to tolerate the use of multiple-layers of NAT and the application problems that come with it. Your organization will be forced to invest in larger Internet routers to be able to handle the rapidly expanding IPv4 Internet routing tables. Your organization should be planning for future years of legacy IPv4-Internet connectivity and actively moving toward full deployment of IPv6.
If your organization is one of those that waited to embrace IPv6, then you are in luck, as there are plenty of resources available to help you with your IPv6 planning and deployment. While Wikipedia.org can get you started learning the basics, you should visit the Internet Society Deploy360 Programme IPv6 page. You should also explore ARIN’s own Get6 site. We wish you the best of luck configuring your systems so you can reach the "whole Internet" using IPv6 and not just the "old Internet" using IPv4.
Fonte Ufficiale: http://www.networkworld.com/article/2985340/ipv6/arin-finally-runs-out-of-ipv4-addresses.html
Apple has said it is taking steps to remove malicious code added to a number of apps commonly used on iPhones and iPads in China.
It is thought to be the first large-scale attack on Apple's App Store.
The hackers created a counterfeit version of Apple's software for building iOS apps, which they persuaded developers to download.
Apps compiled using the tool allow the attackers to steal data about users and send it to servers they control.
Cybersecurity firm Palo Alto Networks - which has analysed the malware dubbed XcodeGhost - said the perpetrators would also be able to send fake alerts to infected devices to trick their owners into revealing information.
It added they could also read and alter information in compromised devices' clipboards, which would potentially allow them to see logins copied to and from password management tools.
Infected applications includes Tencent's hugely popular WeChat app, NetEase's music downloading app and Didi Kuaidi's Uber-like car hailing app.
Some of the affected apps - including the business card scanner CamCard - are also available outside China.
"We've removed the apps from the App Store that we know have been created with this counterfeit software," said Apple spokeswoman Christine Monaghan.
"We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps," said Christine Monaghan.
On its official WeChat blog, Tencent said the security issue affected an older version of its app - WeChat 6.2.5 - and that newer versions were not affected.
It added that an initial investigation showed that no data theft or leakage of user information had occurred.
In Apple's walled garden App Store, this sort of thing shouldn't happen.
The company goes to great lengths, and great expense, to sift through each and every submission to the store. Staff check for quality, usability and, above all else, security.
The Apple App Store is generally considered a safe haven as the barrier to entry is high - there's only been a handful of instances of malware found on iOS apps, compared to Google's Play store which for a while was regarded as something of a "Wild West" for apps (until they introduced their own malware-scanning system too).
It makes this attack all the more surprising, as it looks like two groups of supposedly informed people have been caught out.
Firstly developers, who security researchers say were duped into using counterfeit software to build their apps, creating the right conditions for the malware to be applied.
And secondly, Apple's quality testers, who generally do a very good job in keeping out nasties, but in this case couldn't detect the threat.
Fonte Ufficiale: http://www.bbc.com/news/technology-34311203
MALWARE DETECTING, preventing and protecting company Sucuri has warned the world about a problem in WordPress that is two weeks into the threat charts already and is rising rapidly.
The malware is called VisitorTracker, and its aim should be self-explanatory. Sucuri said that incidents of infection have had a sharp uptick in recent days, and the firm - which reported on it just two weeks ago - hopes that its reprise and update of the information will inform WordPress and encourage it to take action to mitigate the problem.
"We initially shared our thoughts on it via our SucuriLabs Notes, but as the campaign has evolved we have been able to decipher more information as we investigate the effects on more compromised sites," explained Sucuri CTO Daniel Cid in a blog post.
"This post should serve as a resource to help WordPress administrators (i.e. webmasters) in the WordPress community."
It may well do. The information suggests an evolving and interesting malware system that Cid said could be used to trick web users into trusting the most devious of webpages.
"This malware campaign is interesting. Its final goal is to use as many compromised websites as possible to redirect all their visitors to a Nuclear Exploit Kit landing page. These landing pages will try a wide variety of available browser exploits to infect the computers of unsuspecting visitors," he said.
"If you think about it, the compromised websites are just a means for the criminals to get access to as many endpoint desktops as they can. What's the easiest way to reach out to endpoints? Websites, of course."
Sucuri added that it is trying to trace down an access point, but that it might be one of any of the many plugins that are released for the platform.
"We detected thousands of sites compromised with this malware just today and 95 percent of them are using WordPress. We do not have a specific entry point determined yet, but it seems to be a campaign targeting the latest vulnerabilities in plugins," the firm said.
"Out of all the sites we detected to be compromised, 17 percent of them already got blacklisted by Google and other popular blacklists."
Fonte Ufficiale: http://www.theinquirer.net/inquirer/news/2426659/two-week-old-wordpress-malware-attack-is-blossoming-into-a-real-threat
A security flaw in Android that lets people bypass the lock screen on a mobile device has been discovered by researchers at the University of Texas.
They found that trying to unlock the phone or tablet with an abnormally long password caused the lock screen to crash in certain conditions.
The flaw was limited to Android Lollipop, the most recent version of the mobile operating system.
Google issued a patch for its Nexus devices on Wednesday.
About 21% of Android users run affected versions of the operating system.
After crashing the lock screen, the researchers were able to access the phone's data and apps.
The vulnerability could not be exploited if people had chosen a lock pattern or Pin code instead of a password.
While Google is rolling out its fix for Nexus, other phone manufacturers are responsible for distributing the software to their own handsets.
On releasing the patch, Google said it had not yet detected anybody exploiting the flaw.
Fonte Ufficiale: http://www.bbc.com/news/technology-34268050