Google patches critical Android threat as working exploit is unleashed | Ars Technica
The security hole is of course blown out of proportion by the iDevice-loving media, but we do have to address this issue. I've touched base with dsmryder on this exploit. That was yesterday. Unfortunately, one day later, the exploit is being integrated into attack toolkits. THIS SHOULD BE HIGH PRIORITY FOR ALL OF YOU GUYS TO FIX. I'm normally extremely chill with updates, but we cannot leave even the Triumph hanging with a gaping hole. No, you don't need an antivirus. Google was kind of stupid with this exploit. They fixed it in February, but not every device (including the Nexus lineup) got the update. They also haven't released the source for said update. The eggheads made it public only a day or two ago, just in time before a black hat conference next month and the exploit to be integrated into toolkits the next day. Luckily, all the CM Nightlies are already patched. However, the Triumph is vulnerable. This is bad. They didn't make it public so unless all our CM builds were rebuilt yesterday with a repo sync, the exploit is still in there. Good news is you guys do not have to do a repo sync, which would potentially break everything and cause a headache. You can cherry pick the patch from here from Gerrit, here for ICS, here for Gingerbread, and here for Jelly Bean. You can just cherry pick it, or resync and recompile if you really want to. I also recommend modifying even the stock ROM images if possible. If VM won't fix it, we should. You know that update never will come from VM. They just never gave a crap about the Triumph.
UPDATE: More unfortunate news - now we have a SECOND master key exploit. Thank God the Chinese exposed it on Sina Weibo, without going straight to the bad guys. I can find the code that's patched in short on AndroidPolice here. Problem is, I have yet to find a commit on AOSP or CM's gerrit. I will start looking for the commit; this one's unfortunately a more complex patch. I would like to ask for all Triumph devs to assist me on the hunt for this fix. I read that there are yet more vulnerabilities CM's hackers have been fixing like ninja coders. I'll try and find them so that the devs here can patch them, and so that the Triumph, while not exactly a super phone, doesn't turn into a vulnerable piece of crap (VM's stock ROM is vulnerable, just another reason to use custom ROMs, especially on older phones like the Triumph).
UPDATE: Found hole number 2's fix here and here (just different pages for basically the same thing).