[guardian-dev] Android WebView SOP vulnerability (CVE-2014-6041)

Nathan of Guardian nathan at guardianproject.info
Thu Sep 18 15:01:21 EDT 2014







On Thu, Sep 18, 2014, at 11:57 AM, Adam Kruger wrote:

Hey folks. Just wondering what you guys are planning to do
about this in Orweb.





Orweb only allows one window at a time, and no tabs. I need to
dig deeper into the bug, but my hope was that we aren't
vulnerable because of that.




We're planning a release of Psiphon to disable JavaScript
entirely (with no option for it to be enabled) in our built-in
browser on Android 3.0 through 4.3
([1] https://bitbucket.org/psiphon/psiphon-circumvention-system/branch/CVE-2014-6041-mitigation).

We haven't seen an authoritative list of affected Android
versions, but in our own testing we found that 2.2 and 2.3
aren't vulnerable.

It seems pretty harsh but we don't have any better ideas to
prevent our users from having an unsafe Internet experience.



Have you seen our work on Orfox? I think we are going to
accelerate a release there, and kill off all of our WebView
based efforts.

References

1. https://bitbucket.org/psiphon/psiphon-circumvention-system/branch/CVE-2014-6041-mitigation