
Google patches buffer overflow flaw in Android KeyStore service

A serious buffer overflow vulnerability in Android's KeyStore storage service, responsible for maintaining cryptographic keys, has been patched.

Last week, IBM's security team publicly disclosed details of the bug (CVE-2014-3100), which it alerted Android's security team to last September. As of Nov. 2013, Google confirmed that it had prepared a fix for the flaw, which affects Android 4.3 (Jelly Bean). The patch is available by updating to Android 4.4 (KitKat).

An attacker would have to carry out a number of feats to exploit users, including bypassing Android's data execution prevention feature, and overcoming other security mechanisms, like address space layout randomization, IBM's blog post said.

Upon successful exploitation, a hacker could obtain a device's decrypted and encrypted master keys, as well as “interact with the hardware-based storage and perform crypto operations” – such as arbitrary data signing on the victim's behalf, IBM revealed.
