A security researcher uncovered a new Google Android vulnerability in the multimedia player support of the mobile operating system's Web browser that could let hackers take control of the browser to steal sensitive data or exploit some of a device's multimedia functions. The bug, which Independent Security Evaluators principal analyst Charlie Miller presented last week at the Shmoocon hacker conference, lives in the multimedia subsystem used for Android's browser, according to reports from Forbes and ReadWriteWeb.
The code for open-source Android's multimedia subsystem was written by PacketVideo, which contributed an open version of its Core multimedia application to Android.
Miller originally said the vulnerability was so serious that he recommended people not use the Android browser until the patch was installed. Reports indicate that Miller has since said the bug isn't as severe as initially believed and is not dangerous enough to stop use altogether.
A patch for the vulnerability is already available in Google's source code repository, but it has not yet been made downloadable to the T-Mobile G1. An Android security engineer said that PacketVideo developed a fix for the bug on Feb. 5 and patched Android two days later. In a statement, Android security engineer Rich Cannings said the fix will be available to G1 users "at T-Mobile's discretion."
Cannings wrote that Miller contacted Google Android regarding the bug on Jan. 21.
"Media libraries are extremely complex and can lead to bugs, so we designed our media server, which uses OpenCore, to work within its own application sandbox so that security issues in the media server would not affect other applications on the phone such as e-mail, the browser, SMS and the dialer," Cannings continued. "If the bug Charlie reported to us on Jan. 21 is exploited, it would be limited to the media server and could only exploit actions the media server performs, such as listen to and alter some audio and visual media."
This recent security warning around Android is the second since the device was released on Oct. 21. Just days after the release, Miller and Independent Security Evaluators uncovered an operating system security flaw that left Android wide open for hackers to launch drive-by attacks on T-Mobile G1s. That vulnerability opened the door for users to be exploited if they accessed an infected Web page. Once a device was infected, attackers could gain access to personal information from the browser, like cookies, saved passwords, account numbers and other sensitive data.
Google Android developers issued a patch for that first threat a few days after it was discovered.