Tuesday, October 28, 2008

Android Gets Exploited

Google's Android operating system for the T-Mobile G1 has a serious security vulnerability that allows malicious hackers to launch drive-by browser attacks, according to an alert from security research firm Independent Security Evaluators (ISE).

ISE is the same firm that discovered the first iPhone code execution flaw.

It seems that Google has a problem with using up-to-date open-source packages in its products. You may recall the first Chrome security flaw discovered was a result of using an out-of-date version of Webkit.

As ISE said:
The Vulnerability

Android is based on over 80 different open source packages. The vulnerability is due to the fact Google did not use the most up to date versions of all these packages. In other words, this particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version. So as not to inform the "bad guys", we will not release any further information on the particular vulnerability or software package until a fix is available.

The Impact

A user of an Android phone who uses the web browser to surf the internet may be exploited if they visit a malicious page. Upon visiting the malicious site, the attacker can run any code they wish with the privileges of the web browser application. We have a very reliable exploit for this issue for demonstration purposes. This exploit will not be released until a fix is available.
ISE did note, however, that because of Andriod's application sandboxing technique, any possible attack's impact is limited:
The Android security architecture is very well constructed and the impact of this attack is somewhat limited by it. A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they can not control other, unrelated aspects of the phone, such as dialing the phone directly.
That's good news, but for the iPhone, not so much:
This is in contrast, for example, with Apple's iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised.

No comments: