Motorola's RAZR handset is vulnerable to downloading malware from a corrupted picture message, TippingPoint said on its vulnerability reporting service, Zero Day Initiative (ZDI).
Hackers are able to send a corrupt JPEG image to a RAZR which would run malicious code on the device if viewed, according to the ZDI advisory, released on Tuesday. Malicious code could force the device to make unwanted calls or send unwanted messages, for example.
The flaw exists in the JPEG thumbprint component of the EXIF parser. EXIF, or Exchangable Image File format, is a set of tags that can be embedded in image files, which might include the location where the image was taken or the camera used to take it.
When the user tries to view the image, a memory corruption is caused and malicious code can be run on the device.
Motorola was quoted on the advisory as saying: "Together, ZDI and Motorola have identified a potential vulnerability related to viewing malicious, manipulated JPEG files affecting select RAZR-series devices. Although the possibility of this vulnerability occurring is very remote and would only occur in unique circumstances, Motorola proactively corrected it in all new device releases."
The phone vendor urged RAZR users to download a firmware update from its website. Though the site insists users confirm that their device is under warranty, any users entering a date of purchase within the last 24 months are able to download the update.
Motorola has known about the vulnerability since July last year.
There are as yet few mobile viruses in existence - probably less than 400 - and many of these are proof of concept.
But many businesses are keeping a close watch on mobile exploits, particularly those which affect the major enterprise platforms.
Many of the anti-virus vendors now have a product which they claim will help to secure mobile devices against malware.
See original article on scmagazineus.com
Motorola RAZR vulnerable to JPEG attack
By Richard Thurston on May 30, 2008 9:58AM