Vulnerability in Superusers and SuperSU found
According to a post from Koushik Dutta, creator of ClockworkMod recovery (and also the open source Superuser app that’s currently used in CyanogenMod), his Superuser application, along with the closed source Superuser by ChainsDD and SuperSU by Chainfire, is getting an update to fix a vulnerability whose details have not yet been released. The issue was found recently and is being patched before it’s exploited in the wild.
As of this writing, SuperSU has already been updated and Koushik Dutta has a post on his Google+ stating that a fix is in the works for CyanogenMod by developer Ricardo Cerqueira. Koushik is in Paris now, so work on patching his Superuser is delayed for a bit.
Basically, the exploit that was found seems to work on all root management applications that start with the word “Super.” Super. More details of the exploit will be released Monday, so grab your updated Superuser management application whenever you get a chance, or whenever it’s released. Make sure to make a nandroid backup before you update the application and binaries, just in case something with the new versions doesn’t work for you.
While probably nothing will happen with the exploit, we can wildly speculate that it will lead to the end of the world as we know it, or at least cause a few Android users some headaches after details of the exploit are released to the public at the start of a new work week.
Three apps starting with “Super,” two named Superuser, two out of three developers starting with “Chain,” one vulnerability. [Google+ via Android Police]