Risk
10/26/2008
11:25 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

T-Mobile G1 'Android' Smartphone Has Serious Security Flaw

As if headlines haven't been bad enough lately, reading the New York Times' story on Saturday about the security flaw in Google's Android software didn't help cheer me up very much.

As if headlines haven't been bad enough lately, reading the New York Times' story on Saturday about the security flaw in Google's Android software didn't help cheer me up very much.John Markoff, over at the New York Times, wrote an excellent account of a flaw in the new T-Mobile G1 smartphone. This flaw looks particularly nasty, and according to Markoff's story, is the result of Google failing to use the most recent versions of the open source components that form Android's foundation.

The risk in the Google design, according to Mr. Miller [note: security researcher Charles A. Miller], who is a principal security analyst at Independent Security Evaluators in Baltimore, lies in the danger from within the Web browser partition in the phone. It would be possible, for example, for an intruder to install software that would capture keystrokes entered by the user when surfing to other Web sites. That would make it possible to steal identity information or passwords.

That's a nasty one. But it seems that while Miller told Google of the flaw, he also disclosed its existence before Google had a chance to patch. Miller explains his reasoning to Markoff:

Mr. Miller said he was withholding technical details, but said he felt that consumers had a right to know that products had shortcomings.

First: if you don't know that products have "shortcomings," you probably lack the IQ necessary to dial the G1.

Didn't we experiment with this partial-advance disclosure earlier this year with the now-famous DNS flaw which was announced sans-technical details by Dan Kaminsky? We all know it didn't take long for other security experts to figure out the nature of the flaw, and the information got released before everyone had time to patch. Despite Kaminsky's best intentions, the situation went into a nasty flat-spin that lasted for weeks.

Thankfully, since the T-Mobile G1 doesn't come remotely close in importance to the Internet's DNS, we're not in for a repeat of the same magnitude. But it does show the debate on the proper disclosure of vulnerabilities just isn't going to die.

No. The disclosure debate is like the maniacal killer in a bad horror flick: he just keeps lurching out at you at every turn.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.