Wednesday, October 21, 2015
Canonical acts quickly to mitigate Ubuntu Phone zero-day exploit
The story started on 14 October at 22.50 UTC when a member of the Ubuntu App Developer Community posted about an app available from the Ubuntu Phone Software Store called ‘test.mmrow’ which appeared to be doing things it shouldn’t. Things such as creating a script that modified the boot splash screen when the ‘tap me’ button within the malicious app was clicked. This was the giveaway that something bad was happening, and that something with root access being given to the attacker. The engineering team at Canonical were on it straight away, and by 00.50 UTC on 15 October, that’s just two hours after the initial post, a root cause analysis had determined things were serious enough to temporarily suspend all uploads and downloads from the store. The core issue fix was in place by 04.23 UTC and all apps were scanned to be sure none were exploiting the same vulnerability before it was re-opened. That’s a speedy response, and good to see. Although it should be pointed out that the underlying vulnerability itself won’t be totally dealt with until the patch has been rolled out to all users.