PlayStation Portal: TheFloW confirms exploit patched in Firmware 2.06

Hacker TheFloW has confirmed today that the PlayStation Portal exploit he revealed back in February has been disclosed to, and patched by Sony. Specifically, Firmware 2.06 fixes the vulnerability, says TheFloW.

Playstation Portal hack – the status

Back in February, TheFloW announced that he and hackers xyz and ZetaTwo had discovered a vulnerability and crafted an exploit chain to run on the PlayStation Portal. The hack allowed them to run PPSSPP, a PSP emulator for Android, on the PlayStation Portal (the PlayStation portal itself is based on Android).

The hackers disclosed the vulnerability to Sony, possibly through their HackerOne bounty program (the PS5 scope on HackerOne includes PS5 accessories), and Sony promptly fixed the bug(s).

As TheFloW correctly points out, to those annoyed that the exploit was disclosed to Sony, this doesn’t make any difference: either the bug is responsibly disclosed, then gets patched, and people who stay on a lower firmware will eventually benefit from it; or the it isn’t disclosed through responsible channels, gets released in the wild, people have fun with it for a week, then it gets patched anyway. Bottom line: in both cases, staying on a lower firmware is the only way to get, then keep the exploit.

Should you update your PlayStation portal?

I do not own the PlayStation portal but it is safe to assume that the device won’t connect to a PS5 if it’s not running the latest (or, a somewhat recent) firmware. So, ultimately, if you plan to use the device for its intended purpose, you’ll have to update.

Conversely, if you want to update it as a cool, generic android device with a great screen and controllers, you might want to stay on a lower firmware. I’m having a hard time seeing the benefit in that personally at the moment

Read More ...

Android application from China executed -working day exploit on thousands and thousands of devices

Android app from China executed 0-day exploit on millions of devices

Getty Visuals

Android apps digitally signed by China’s 3rd-most significant e-commerce enterprise exploited a zero-working day vulnerability that allowed them to surreptitiously consider command of millions of conclude-person products to steal personal information and install malicious applications, researchers from stability company Lookout have confirmed.

The malicious versions of the Pinduoduo app had been obtainable in third-social gathering markets, which buyers in China and somewhere else count on due to the fact the formal Google Engage in market place is off-limitations or not uncomplicated to entry. No destructive versions were identified in Enjoy or Apple’s App Store. Final Monday, TechCrunch documented that Pinduoduo was pulled from Play soon after Google uncovered a malicious edition of the app out there elsewhere. TechCrunch reported the malicious applications offered in 3rd-party markets exploited a number of zero-days, vulnerabilities that are recognized or exploited prior to a vendor has a patch obtainable.

Complex assault

A preliminary analysis by Lookout identified that at the very least two off-Perform variations of Pinduoduo for Android exploited CVE-2023-20963, the tracking variety for an Android vulnerability Google patched in updates that turned available to close people two months ago. This privilege-escalation flaw, which was exploited prior to Google’s disclosure, permitted the app to perform operations with elevated privileges. The app utilized these privileges to down load code from a developer-designated web-site and operate it in just a privileged setting.

The malicious apps depict “a really innovative assault for an application-dependent malware,” Christoph Hebeisen, one of a few Lookout researchers who analyzed the file, wrote in an e-mail. “In recent many years, exploits have not normally been seen in the context of mass-dispersed applications. Specified the really intrusive mother nature of these types of innovative app-based mostly malware, this is an essential risk cell consumers have to have to protect towards.”

Read More ...