Details of vulnerabilities in the Palm Pre and Android published

In an interview with PC Pro, Alex Fidgen, director of security services provider MWR, has spilled the beans on the vulnerabilities in the Palm Pre and Android, both of which now appear to have been plugged. According to Fidgen, it was possible to inject and execute code on the Palm Pre by opening a crafted vCard e-mail attachment. This gave the attacker remote control of the device and enabled them to use it as a remote listening device. Fidgen does not say whether MWR has actually demonstrated this in practice. Palm was informed of the problem in May and fixed it in July with the release of webOS 1.4.5. Oddly, in the PC Pro interview Fidgen claims that Palm did not respond, despite a posting on MWR’s own website from 7th July stating that a patch is available.

According to Fidgen, Google’s Android also allowed injection of malicious code through a vulnerability in the WebKit browser engine. This could be exploited to read user names and passwords stored by the browser. Infection merely required a user to visit a crafted web page. Google is reported to have fixed the bug in the recently released Android 2.2 (Froyo).

Not that this is of much use to users whose smartphone vendor fails to offer updates to the latest Android version for their devices. According to Google, currently only 5% of all Android mobiles accessing the Android Market are running version 2.2.

Google’s update policy is somewhat opaque anyway. In contrast to its Chrome browser, for example, the company almost never releases information on fixed vulnerabilities. Other platforms with WebKit-based browsers are also believed to be affected by the bug, though it is not clear whether Safari on the iPhone falls into this category.

Source.
