by sabujp 2478 days ago

   The exploit itself is 22,963 bytes of code and if successful will ultimately result in the forced download of a file name loader to the /data/data/com.android.browser directory of the victim device
How can a website force download a file to a device? Seems like a browser vulnerability
4 comments

From the article:

Volexity has identified similarities to but has not yet verified that the exploit being employed in this attack is the Chrome Turbofan remote code execution vulnerability that was reported via the SecuriTeam Secure Disclosure program and is covered in an advisory here: https://ssd-disclosure.com/archives/3379/ssd-advisory-chrome...

Please quote properly, like this:

> The exploit itself is 22,963 bytes of code and if successful will ultimately result in the forced download of a file name loader to the /data/data/com.android.browser directory of the victim device

The way you quoted is unreadable on mobile, and difficult to read on desktop (scrolling). It is meant for max 80 chars blocks of programming text.

True but just a quick heads up, HN changed the formatting options. The right angle bracket doesn't italicize quotes like it used to and isn't mentioned in the formatting help guide now. Many new HN posters aren't familiar with the old formatting style.

Mmhh.. browsers cache things. When they do, they write things to disk - not sure if that is relevant here though.

But for instance all images, many pages, etc are locally stored/cached by the browser.

k, wasn't meaning the cache. I'm assuming Android doesn't go randomly loading stuff out of the cache

That's why it's called an exploit