Upgrade Android Studio to v2.1.1 (or later) as soon as possible

Author: 匿蟒 | Published 2016-05-11 14:19 | Read 637 times

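Vulnerability summary

Two serious vulnerabilities were recently found in Android Studio.

One is based on the built-in WebServer and, without requiring the user's consent, lets an attacker access the user's local content through a malicious web page. As I understand it, this is a standard, classic vulnerability; even people with no deep knowledge of hackers have often seen scenes in films and TV shows where hackers steal files remotely, and this is exactly that.

The other is based on the internal RPC and lets an attacker access a large number of the IDE's internal APIs, including reading the IDE's version, configuration information and so on, as well as some control operations, such as opening a Project. I think this one is somewhat weaker, because it can only control Android Studio and does not let an attacker take full control of your computer.

In addition, these two vulnerabilities affect only the IDE; they do not affect the APKs the IDE builds or the Android devices those APKs are installed on. In that respect this is much better than the XcodeGhost affair.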

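What to do

This e-mail was sent on May 9, 2016, and it promises that a fixed version will be provided on May 11 (that is, today, as I write this). Since the Western Hemisphere is half a day behind the Eastern Hemisphere, the update may not be available until May 12.

The latest stable version is currently v2.1, so the latest fixed version is v2.1.1. For those still on v1.5.1 or v2.0, Google has also promised corresponding fixed versions, such as v1.5.2.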

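Rant

As I see it, these vulnerabilities are something the IDE developers brought on themselves.

Editors such as Emacs and Vim have not had this kind of security problem. The main reason is not that their authors have some superb network-security awareness and design, but that they did not build a pile of miscellaneous features that are extremely powerful yet of no use to the user. (Have you ever known about, or used, Android Studio's built-in WebServer?)

Because IntelliJ IDEA also contains an Android module, it was its developer, JetBrains, that notified Google of these two vulnerabilities, and JetBrains has promised that this module will be updated in step with Android Studio. From the current signs, the other modules of IntelliJ IDEA do not have these vulnerabilities, so these were all introduced by Google's own changes, which is honestly rather embarrassing.

Of course, most Android Studio users may not care about this at all: "I have nothing worth hacking anyway." But I still recommend staying alert to this kind of thing, so that on the day you really do have something you are afraid of losing and go to take measures, you have not already been hacked several times over.

At this point, there is no use missing Eclipse. Now that Google has abandoned ADT, there is no going back.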

Original e-mail

There is no need to translate the full text; an excerpt of the original is appended below:

Partner Security Advisory—2016-03

Published May 09, 2016

Partner Security Advisories are supplemental to the Partner Security Bulletins. Security Advisories address issues that may not require security patches or device updates, but could still affect a user’s overall security.

Summary

Google has been notified by JetBrains of two security issues that affect all versions of Android Studio. These issues are both rated as Critical severity due to the possibility of remote code execution. These issues only affect the Android Studio development environment and do not affect Android devices.

Google is planning to issue an Android Security Advisory on May 11, 2016 to help users understand the impact of this issue. This will be a public version of the Partner Security Advisory.

Customers who have all previous versions of Android Studio are at risk. All customers are encouraged to upgrade to the latest version of Android Studio, version 2.1.1.

Background

Two issues were reported to Google on April 11, 2016 by JetBrains. Google verified the vulnerabilities and worked closely with JetBrains to develop fixes.

A patch for both issues will be released on May 11, 2016 by JetBrains in their IntelliJ platform, which is an integral part of Android Studio. A patch for Android Studio will be released at the same time.

Built-in WebServer Vulnerabilities

A Cross-Site Request Forgery (CSRF) flaw in the IDE’s built-in WebServer could allow an attacker to access the local file system from a malicious web page without user consent.

Internal RPC Vulnerabilities

Over-permissive Cross-Origin Resource Sharing (CORS) settings could allow an attacker to access various internal API endpoints; gain access to data saved by the IDE; gather various meta-information, like IDE version; or open a project without permission.

Suggested Action

On May 11, 2016, update to Android Studio 2.1.1, which contains the patch for the security vulnerabilities.

Press Statement

“Google has become aware of a security issue with Android Studio. The issue is part of the IntelliJ platform’s built-in WebServer. Google and JetBrains have developed a patch, which has been released in the latest version of Android Studio 2.1.1. We are requesting all Android Studio users move to the latest version.”

Common Questions and Answers

  1. What’s the problem?
    There are two security vulnerabilities in the IntelliJ platform, on which Android Studio is based. The first issue enables a cross-site request forgery attack within the internal WebServer that could allow an attacker to access the local file system from a malicious web page without user consent. The second issue could allow attackers to access various internal API endpoints to access data saved by the IDE.
  2. How would an attacker seek to exploit this issue?
    An attacker could set up a web page with a maliciously crafted URL to attempt to access local files on the target machine.
  3. Has Google seen evidence of this being exploited?
    We have had no reports of active customer exploitation or abuse of these newly reported issues.
  4. How will you be addressing this issue?
    We are offering security patches for three prior stable versions of Android Studio (v1.5.1, v2.0, and v2.1) to upgrade to v2.1.1. We are encouraging all our developers to upgrade to Android Studio 2.1.1.
  5. Does this affect the Security Patch String?
    Because this issue is only in Android Studio, there are no Security Patch String requirements.
  6. Which versions of Android Studio does this affect?
    The vulnerabilities affect all versions of Android Studio 2.1 and earlier.
  7. What if I cannot upgrade to the latest 2.1.1 version?
    We are offering security patches for versions 1.5.1, 2.0, and 2.1 of Android Studio to upgrade to v2.1.1. However, if you need to stay on Android Studio 1.5.x, we are also offering a zip file of v1.5.2, which includes the patch for the security vulnerabilities. Download the zip here and manually install the zip package over your existing Android Studio installation.
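
The two flaw classes the advisory names (CSRF against a local web server, and over-permissive CORS on internal endpoints) can be seen side by side in the sketch below. It is an added example, not code from the advisory, Google or JetBrains; the port, the origin allowlist, the token scheme and all function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values: the port and the token scheme are assumptions.
ALLOWED_ORIGINS = {"http://localhost:8000", "http://127.0.0.1:8000"}
SESSION_TOKEN = secrets.token_urlsafe(32)  # given only to the local UI


def weak_cors(headers):
    """Over-permissive pattern: reflect any Origin, so any page may read."""
    return {"Access-Control-Allow-Origin": headers.get("Origin", "*")}


def caller_origin(headers):
    """Origin of the calling page, from Origin or, failing that, Referer."""
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        ref = urlsplit(headers["Referer"])
        origin = f"{ref.scheme}://{ref.netloc}"
    return origin


def strict_decision(headers, token=None):
    """Return (status, response_headers) for a sensitive endpoint."""
    origin = caller_origin(headers)
    # Requests that name a foreign origin are refused outright.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, {}
    # Requests with no Origin/Referer, or from the local UI, must still
    # present the secret token, so a blind cross-site request fails here.
    supplied = (token or "").encode()
    if not hmac.compare_digest(supplied, SESSION_TOKEN.encode()):
        return 403, {}
    cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"} if origin else {}
    return 200, cors


# Constructed sample requests (header dicts), not captured traffic.
FOREIGN = {"Origin": "http://attacker.example"}
LOCAL_UI = {"Origin": "http://localhost:8000"}

if __name__ == "__main__":
    print(weak_cors(FOREIGN))
    print(strict_decision(FOREIGN, SESSION_TOKEN))
    print(strict_decision(LOCAL_UI, SESSION_TOKEN))
    print(strict_decision({}, None))
```

The origin check and the token check cover different gaps: the first stops a foreign page that identifies itself, the second stops requests that arrive with no `Origin` or `Referer` at all.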
