Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Expert Warns of Android Browser Flaw

Posted by Soulskill on from the memory-leak-leading-to-robot-revolt dept.

justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'" Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.

7 of 98 comments (clear)

  1. This is why I love iPhone by Anonymous Coward · · Score: 4, Funny

    On iOS, vulnerabilities are only used for jailbreaks.

  2. Abuse of "zero-day" term? by ciaran_o_riordan · · Score: 5, Informative

    "Zero-day" attacks are when the application developers had no awareness of the problem before the information got to people who might exploit the problem.

    TFA says Cannon gave Google prior warning, so this isn't zero-day, right?

    http://en.wikipedia.org/wiki/Zero-day_attack

    I think news agencies just stick "zero-day" to all virus/bug news because it sounds scary.

    --
    Expert in software patents or patent law? Contribute to the ESP wiki!
  3. Android cloud computing rates by MillionthMonkey · · Score: 4, Funny

    Tired of Amazon S2 prices piling onto your organization's IT expenses? Thinking of running large distributed apps on your own equipment? We offer cloud computing services for cheap!

    Standard on-demand instances:
    Small (1000 Android cellphones): $0.05 per hour
    Large (5000 Android cellphones: $0.20 per hour
    Extra large: call

    Get a 10% discount if you sign up before zero day is over.

  4. Re:linkbait by node+3 · · Score: 4, Informative

    Fragmentation affects the creation and distribution of the patch.

  5. The real problem is... by jimpop · · Score: 5, Interesting

    The real problem is that there is no easy way to patch this. Seriously, Android/Google should have long ago known that this situation (i.e. vulnerability with no quick way to patch) could be possible.

  6. Re:Chester Wisniewski's point is invalid, IMO by fuzzyfuzzyfungus · · Score: 4, Interesting

    His point is arguably more valid for some types of problems than for others...

    Some things are inherently difficult in an environment with numerous hardware variations that cannot be depended upon(designing UIs that work nicely across multiple screen sizes/keyboards vs. softkeys only, etc, substantial differences in proccessing power, RAM, storage); but most security bugs, unless apocalyptically foundational in some ugly way, generally don't qualify. Nor are security fixes(unlike new features, or issues related to custom skins and other OEM differentiation crap) generally something that carriers are likely to be conflicted about from a marketing perspective. Lots of carriers are doing a lousy job of updating existing handsets to newer android versions because they would really rather just sell you the Model N+1 and another two year contract. Doing that with an obscure bug is harder.

  7. Re:Chester Wisniewski's point is invalid, IMO by Peganthyrus · · Score: 4, Insightful

    So let's say you bought a Windows box. Maybe you got it from HP. Maybe you got it from Dell. Maybe from Sony.

    Who do you expect to provide you with a patch when someone discovers a new Windows vulnerability? Microsoft, right? If it's really serious it'll probably pop up in the next Patch Tuesday. If it's hyper-serious then it might come out three or four days after the vuln was announced.

    That's not the way it works in the Android world, annoyingly enough. Imagine if the version of Windows loaded onto that HP machine was a special HP version, full of HP customizations like a proprietary HP window manager and a proprietary HP web browser. MS can't give you any patches because the HP customizations are a fork of MS's source; when MS does bugfixes, someone at HP has to take a diff of the new MS tree, merge it with the HP tree, and run it all through QA. Oh, and the store you bought it from? Some of them have their own variant source trees too, so the same machine bought from Best Buy rather than direct from HP has its own fork of the OS.

    Now multiply this by a different fork for every damn model they sell. Oh, and because they only have so much money, HP/Dell/Sony/Best Buy/whoever typically only bother merging in the OS updates for computers they made in the last year. If you're lucky.

    Oh, and some of them have implemented DRM that will trash your computer if you try to install vanilla MS Windows. And nobody makes the drivers for their custom hardware available anywhere outside of the binary blobs they distribute. Pretty much everyone except the hardcore nerds is just gonna be running whatever release of the OS came with their computer, or maybe the one update they got - even if they keep the machine for five years. Even if they want to try and update it.

    So tell me, why is this a problem?

    --
    egypt urnash minimal art.