The researcher behind the now well-known Android Master Key vulnerability shared more details about the disclosure process, during which attackers somehow managed to reverse engineer a patch for the bug, then write and distribute malware days before Google released the patch to the public.
Jeff Forristal of Bluebox Security spoke at length during Black Hat USA 2013 last week and said many of the details of the vulnerability had been uncovered and presented by the media before he had the opportunity to present his work at the conference.
Forristal and his team reported the bug to Google on Feb. 15 before sharing anything publicly. Shortly thereafter, Google confirmed the vulnerability’s existence and began sending fixes to its partners in the Open Handset Alliance in March. It is unknown how, but details of Google’s patch surfaced on an open-source code repository well before Google officially published them, albeit long after what is generally considered a responsible withholding period had ended.
Forristal explained in an email conversation with Threatpost that Google sent the fix details to its OHA partners, which then have the responsibility to deploy that fix. Some already have; some never will, Forristal claimed in a press conference preceding his briefing. Either way, Google’s policy, according to Forristal, is to wait 90 days before posting the details of the fix to the Android Open Source Project, a public source code repository. In this way, the OHA partners have a 90-day head start in which they can address a vulnerability before it goes public.
In this case, Forristal said Google actually withheld the details of the vulnerability for 150 days, meaning it could have made the details publicly available in early June. Interestingly, Google’s vulnerability patch details surfaced on the Cyanogenmod code repositories on July 6. Google would not publicly release the fix details to the AOSP until July 25.
“The ‘Author’ information of the commit patch aligns with the official Google patch,” Forristal explained via email. “I’m not sure where Cyanogenmod got the patch, but it also doesn’t matter; by this date (July 6), it was well beyond the 90-day ‘withholding’ window of Google, and it was already precommunicated that there was no expectation to further keep the issue private at that point. So it’s reasonable for anyone to freely distribute the patch, even publicly.”
Forristal said some people believe he may have revealed enough information in a Black Hat abstract on Bluebox’s blog for experts to then find the bug on their own. He claimed to know of at least one reliable account in which a researcher managed to recreate the bug using just the information in the Bluebox abstract.
An exploit appeared in the wild on July 23, two days before the official Google AOSP release. It’s unknown when the malware authors got their eyes on the patch code, but if it was the Cyanogenmod posting on July 6, that would mean that the malware writers created a working sample in just 17 days, which, Forristal says, is pretty quick.
“If we assume it was the point of full public information disclosure and a working exploit PoC to use as reference, that would be approximately July 6 or 7,” Forristal reasons. “Symantec reported the first found malware sample on July 23rd. It’s certainly quite possible the malware author had obtained or deduced information of the bug workings prior to the July 6 date. It is largely unknown.”
Of course, Forristal and Bluebox would have loved for the details to remain private so that they could have first made them public in their briefing at Black Hat.
“And certainly, there was no agreement or expectation that the bug details had to remain private up until the Bluebox Blackhat talk … that was just a longshot hope by Bluebox,” he said.
Forristal then noted that there would have been little pragmatic difference had Bluebox been lucky enough to first disclose the details in his Black Hat session on Aug. 1 rather than via the Cyanogenmod post on July 6. The same series of events would likely have occurred, only beginning Aug. 1 instead of July 6. Furthermore, he admits his group had no exclusive right to be the first party to publicize the bug details.