The week-old Android operating system that powers T-Mobile’s G1 smartphone is off to a rough start as a team of experts from ISE have identified and successfully exploited a security vulnerability on the device. The vulnerability is located in one of the 80 open source packages assembled by Google for Android. Further, the vulnerability is related to a buffer overflow in an older version of the package and has already been fixed. However Google didn’t use the latest version of this package for Android.
ISE has not released full details about this issue and are working with Google to resolve the issue. It looks like the impact of this vulnerability is limited to running any code with the privileges of the web browser application and information that it has access to. So a web site would have to trick the user into entering confidential information or cookies and cache from the browser sessions.
What concerns me is the speed at which this has been found. It makes me wonder if there are many more just waiting to be found. There will always be bugs and issues when it comes to software development, but this exploit doesn’t seem to be overly complicated and should have been caught before the release.
Ultimately, this will be a good test of the over-the-air update feature of Android.
You can read more information regarding this exploit on the ISE web site.
Two articles I found of interest from SC Magazine
http://www.scmagazineuk.com/Software-applications-to-become-mules-for-backdoor-threats/article/119982/
http://www.scmagazineuk.com/Google-hacking-increasingly-effective/article/119971/