The bug, which Independent Security Evaluators principal analyst Charlie Miller presented last week at the Shmoocon hacker conference, lives in the multimedia subsystem used for Android's browser, according to reports from Forbes and ReadWriteWeb.
The code for the multimedia subsystem in the open-source Android platform was written by PacketVideo, which contributed an open version of its Cure multimedia application to Android.
Miller originally said the vulnerability was so serious that he recommended people not use the Android browser until the patch was installed. Reports indicate that Miller has since said the bug isn't as severe as initially believed and is not dangerous enough to warrant avoiding the browser altogether.
A patch for the vulnerability is already available in Google's source code repository, but it has not yet been made downloadable to the T-Mobile G1. An Android security engineer said that PacketVideo developed a fix for the bug on Feb. 5 and patched Android two days later. In a statement, Android security engineer Rich Cannings said the fix will be available to G1 users "at T-Mobile's discretion."
Cannings wrote that Miller contacted Google Android regarding the bug on Jan. 21.
"Media libraries are extremely complex and can lead to bugs, so we designed our media server, which uses OpenCore, to work within its own application sandbox so that security issues in the media server would not affect other applications on the phone such as e-mail, the browser, SMS and the dialer," Cannings continued. "If the bug Charlie reported to us on Jan. 21 is exploited, it would be limited to the media server and could only exploit actions the media server performs, such as listen to and alter some audio and visual media."
This recent security warning around Android is the second since the device was released on Oct. 21. Just days after the release, Miller and Independent Security Evaluators uncovered an operating system security flaw that left Android wide open for hackers to launch drive-by attacks on T-Mobile G1s. That vulnerability opened the door for users to be exploited if they accessed an infected Web page. Once a device was infected, attackers could gain access to personal information from the browser, like cookies, saved passwords, account numbers and other sensitive data.
Google Android developers issued a patch for that first threat a few days after it was discovered.
