Latest news
UC government already replied, say in statement: "Abroad media reports the potential flaw of edition of UC browser international, already was in get repair for a short while. The domestic version of UC browser is nonexistent the newer function that the article alludes is potential flaw, UC browser updates a function to accord with home completely to apply the monitoring requirement of the shop and safe standard greatly each, ask broad user to be at ease use. Ask broad user to be at ease use..
Recently, there is bagman to atttack flaw in safe company discovers UC browser, existence is pushed to send ill will the safe hidden trouble of plug-in unit by aggressor.
△UC browser, domestic shift carries an user to measure one of the biggest browsers, download a quantity to exceed 500 million in Google Play only
According to Dr.web message, analyst of Doctor Web baleful software discovered hidden function in UC browser, the venture that includes to download and run doubtful code among them, bypass Google Play server downloads application, use did not add close link to wait.
The application that Google Play does not permit to collect downloads executable code from the place beyond Google Play, but UC browser violated this one regulation, can download executable Linux component from long-range server. Occupy Dr.Web to analyse nevertheless, this operation itself is nonexistent baleful behavior, open documentation for convenient user however. Package can download documentation, save its catalog to fall to be carried out in order to offer. But this behavior has the browser to browbeat potentially, for bagman attack offerred possibility.
In the process that downloads new plug-in unit, UC browser can send a request to long-range server, receive the link that answers a file. Have in the process not allow a bit of oversight, what this process that corresponds with the server uses is HTTP agreement, is not to add close HTTPS. This makes aggressor OK the request that Hook comes from application, replace the command, let a browser download plug-in unit in baleful server thereby. UC browser itself is used did not sign the reason of plug-in unit, baleful plug-in unit need not safe test and verify can be started.
Dr.web also confirmed in the test this is nodded, researcher intercept the message that UC browser sends a server, opened what design technically successfully to replace module.
Confuse browser of your edition UC (Mini UC Browser) also exist can bypass Google Play server, download the problem of the plug-in unit without the test, but afore-mentioned bagman attack does not apply to the UC browser that confuses your edition. Additional, check according to BleepingComputer, when browser of desktop end UC is examining PDF documentation, same meeting asks to download additional plug-in unit, download plug-in unit from long-range server through insecure HTTP communication. This means aggressor to be able to carry bagman charge possibly, baleful plug-in unit downloads on user computer.
Latest news:
Abroad media reports the potential flaw of edition of UC browser international, already was in get repair for a short while. The domestic version of UC browser is nonexistent the newer function that the article alludes is potential flaw, UC browser updates a function to accord with home completely to apply the monitoring requirement of the shop and safe standard greatly each, ask broad user to be at ease use.
Referenced: Dr.web, BleepingComputer, FreeBuf
UC browser exposes to the sun a bagman attack flaw - China opening a source