Researcher warns of critical Google bug in G1 phone
Noted iPhone flaw finder fingers Android OS for vulnerability
Computerworld - A noted security researcher today warned users of T-Mobile's G1 smart phone that a critical vulnerability in Google's Inc.'s Android operating system could be used to hack their phones.
Led by Charlie Miller, a researcher who has rooted out high-profile bugs in Apple Inc.'s Mac OS X and iPhone, a team from Independent Security Evaluators identified the bug and reported it to Google last week. ISE, where Miller works, is a Baltimore-based security consultancy.
Miller, who declined to get specific about the vulnerability, said only that it is a buffer overflow bug that could be exploited by tricking G1 users into visiting malicious sites. "There's a chance that the attacker could execute malicious code remotely" by accessing the same privileges as the user of the phone's browser, Miller said.
T-Mobile started shipping the G1 shortly before the Oct. 22 launch date; the phone is the first powered by Google's open-source mobile phone operating system, Android.
Miller said that after alerting Google, a security researcher from its Android team contacted him to get more information and to ask that he withhold the information from the public until a patch was in place. Miller refused to wait but promised not to disclose any details or technical information that could be used by hackers.
"People should know that there's a problem with the G1 before they buy it," Miller said, defending his actions. "I don't want to help the bad guys either, but people should have all the information before they make a decision to buy [the phone]. I think I'm totally in the right here."
Google did not respond to a request for comment or to questions about the status of any patch for Android and the G1.
Miller also said that he and others at ISE had crafted a working exploit but would not release it until a patch was in hand.
According to a more detailed warning on the ISE site, the flaw is within one of the more than 80 open-source packages used by Google to assemble Android. Miller blamed the bug on Google's use of outdated code. "This particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version," said the ISE alert.
Miller declined to name the specific open-source package at fault.
Google has been caught in the same bind before. Because it used an older version of WebKit, the open-source rendering engine that also powers Apple Inc.'s Safari, for the foundation of its own Chrome Web browser, users were at risk from attacks based on a months-old flaw that had been dubbed the "carpet bomb" bug.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!