Google patches critical Android threat as working exploit is unleashed | Ars Technica
The security hole is of course blown out of proportion by the iDevice-loving media, but we do have to address this issue. I've touched base with dsmryder on this exploit. That was yesterday. Unfortunately, one day later, the exploit is being integrated into attack toolkits. THIS SHOULD BE HIGH PRIORITY FOR ALL OF YOU GUYS TO FIX. I'm normally extremely chill with updates, but we cannot leave even the Triumph hanging with a gaping hole. No, you don't need an antivirus. Google was kind of stupid with this exploit. They fixed it in February, but not every device (including the Nexus lineup) got the update. They also haven't released the source for said update. The eggheads made it public only a day or two ago, just in time before a black hat conference next month and the expolit to be integrated into toolkits the next day. Luckily, all the CM Nightlies are already patched. However, the Triumph is vulnerable. This is bad. They didn't make it public so unless all our CM builds were rebuilt yesterday with a repo sync, the exploit is still in there. Good news is you guys do not have to do a repo sync, which would potentially break everything and cause a headache. You can cherry pick the patch from here from Gerrit, here for ICS, here for Gingerbread, and here for Jelly Bean. You can just cherry pick it, or resync and recompile if you really want to. I also recommend modifying even the stock ROM images if possible. If VM won't fix it, we should. You know that update never will come from VM. They just never gave a crap about the Triumph.

UPDATE: More unfortunate news - now we have a SECOND master key exploit. Thank God the Chinese exposed it on Sina Weibo, without going straight to the bad guys. I can find the code that's patched in short on AndroidPolice here. Problem is, I have yet to find a commit on AOSP or CM's gerrit. I will start looking for the commit; this one's unfortunately a more complex patch. I would like to ask for all Triumph devs to assist me on the hunt for this fix. I read that there are yet more vulnerabilities CM's hackers have been fixing like ninja coders. I'll try and find them so that the devs here can patch them, and so that the Triumph, while not exactly a super phone, doesn't turn into a vulnerable piece of crap (VM's stock ROM is vulnerable, just another reason to use custom ROMs, especially on older phones like the Triumph).

UPDATE: Found hole number 2's fix here and here (just different pages for basically the same thing).

 

Well, that's what I get for posting this from Firefox Nightly in the Windows 8 metro application. Yay for the fix. Good find. I'll try and update the OP with the security patch so you guys can cherry pick it if you want. You don't have to do an entire repo sync.

 

LOL go to sleep before I find a way to contact the wife. Both of you. Anyhow, all you had to do was cherry pick the patch. I don't think a security patch requires all the repo syncing. But if you wanna give the Triumph another (possibly last) hurrah go on ahead. But I ask of both of you this - you do not have to keep maintaining this fully when there's another big security hole. But I would ask, and if you need it, pay you a little something in the future the keep this phone from being vulnerable. Even though this phone is in its golden days, it still will need security patches until we all notice this forum is dead. You all do know how to selectively bring patches to CM without having to bust your butt on coding. In the future, just cherry pick the security patches I warn you about. I don't care if the phone has one person still using it, I don't want ANYONE to be vulnerable. For frig's sake, XP is 10+ years old and it is STILL getting security patches, albeit not much longer. You can hold on a year or two (or till nobody visits this forum anymore for this phone, whichever comes sooner) so we can keep the remaining Triumph users secure, right? If you all don't have time, just teach me how to copy a security patch into the code and compile. Should be somewhat easy, since I more or less minimally relied on you all for compiling last time. Ubuntu is my 50% of the time OS, after all. In fact, I'd say if it weren't for school forcing Windows on me, it'd be used way more than Windows.