Google and T-Mobile late last week began rolling out a patch to users of the G1 phone to address a security vulnerability in the Android operating system, a Google spokesman confirmed to SCMagazineUS.com Monday.
The patch does seem to fix the problem, Charlie Miller, a security researchers with Independent Security Evaluators (ISE) who discovered the flaw, told SCMagazineUS.com Monday.
The vulnerability was discovered in October by Miller and ISE researchers Mark Danie and Jake Honoroff, just days after the Android went on sale. The problem originally was publicized in The New York Times.
The bug was related to the 80-plus open-source packages on which the Android operating system is based. The vulnerability was fixed in the newest versions of the software, but Google had used an older version of one package that was still vulnerable, Miller said.
As a result of the vulnerability, if a user visited a malicious web page, an attacker could have gained access to saved passwords, information entered in web form fields and cookies used to access sites, Miller said.
“We treated it very seriously,” a Google spokesman said of the vulnerability. “It came to light in late October and we worked with T-Mobile to get the patch rolled out to the G1s.”
When researchers initially notified Google of the vulnerability, Google asked they not make the information public. ISE released information about the vulnerability but kept details to a minimum before the patch was issued as to not aid those who might have wanted to exploit the flaw.
The New York Times said Google believed Miller broke an “unwritten code” by disclosing the vulnerability before the internet giant patched it.
“I'd say that if I hadn't alerted everyone it would have taken a lot longer [to patch],” Miller said.
Users will have a notice on their phone asking whether they want to update, the Google spokesman said.
See original article on scmagazineus.com
Vulnerability patched in Google's Android-powered phone
By Angela Moscaritolo on Nov 5, 2008 9:45AM