|
|
|
Google Scrambles to Patch Buffer Overrun Exploit in Android G1
By: Clint Boulton
2008-10-27
Article Rating:  / 6
There are 1 user comments on this Mobile & Wireless story.
Google Scrambles to Patch Buffer Overrun Exploit in Android G1 (
Page 1 of 2 ) Security expert Charlie Miller leverages a flaw within an SDK component of Google's open-source Android operating system. The buffer overrun flaw lets hackers hijack the Web browser on a user's T-Mobile G1 smart phone, which is Google's first big entry into the mobile and wireless game to deliver users mobile Web services. Miller bought a G1 early from a T-Mobile employee on eBay to test his exploit. Google said it is working with T-Mobile on delivering a fix to the device.The T-Mobile G1 smart phone has not even been on the market for one week, but a security expert has already found a significant flaw in the Google Android software that fuels it.
The vulnerability, first reported in The New York Times, allows a hacker to hijack a Web browser on a G1 gadget. A user with malicious intent could capture users' user names and passwords for accessing Web sites, such as bank accounts, online retail sites and online auctions.
"I can basically do anything the Web browser has permission to do," said Charlie Miller, principal analyst at Independent Security Evaluators, who wrote an exploit for the flaw based on the Android SDK (software developer kit) Google released to open source. "I can read text messages, read their cookies, see their passwords, watch them surf the Web and watch what they type."
If he wanted to, he could also surf the Web on a user's G1 from his own computer, and make a user think they are going to a banking site when they're really going to his site.
Miller told Google about the flaw Oct. 20, two days before the G1 launched in T-Mobile stores and to customers. Miller said Google didn't want him to tell anyone else about the flaw until there was a fix available, but he said that could take months from now because they have to get T-Mobile involved, among other steps in the process.
"It seems to me, if I'm going to shell out $200 for this thing, I have the right to know if there is a problem," Miller said. "I'm sure they're going as fast as they can, but people have a right to know there is a problem. If you think there is no problem, then you are going to act one way with your phone, but if you know there is a problem that's not fixed yet, maybe you'll be a little more careful."
Google is indeed hard at work on a fix. Google said:
"We are working with T-Mobile to include a fix for the browser exploit, which will soon be delivered over the air to all devices, and have addressed this in the Android open-source platform. We treat all security matters seriously and will carefully work with our partners to investigate and update devices periodically to reduce our users' exposure."
|
|
�������xv6(;^+(g٦(Rw�ْmM,cYg-�$�!)9�^%g��-qi'mK�X(�
B��?H�p4ô��c|{Τ>w}�1�ߛF0kB/92v�>;|�9|AL�=T�adF,h�|J|Oo\R_Fܨ&`&`1Ztl8lRl �j��9a�?xh#'@I�R�/Gu)pCcP e�G$oIX}䛿S=2vs͛6B�u
XI,B(?N&�Ĉus͟�}g^/ԡ�c�F�4LߵC2��hj9�TE$*cO^3l
ֱb�B�#"F��τ=ͻ�`$nPrN7w#205b$)V�,#&�3ýر�:s��x08JeJ-jfM�uO:�d#t>�+?_fV'_Z-կ=?"wAJAͼ��94��o��ߖA朊@��-�:s�f5*z*�F`K3�70���s�h�I�;�n�ZKC0�[#RFf�\� Д��a�cx`Ma�b&DJH7�S��}RU/��(AM/�-
�5|*\($ٛ�"G�;Cx��r!DKI��8d8�{���NRٌ�.[�\28Bt9Q]�+\M�G=-�p�x=mvZÏם6�\/�}���LqJXx7Y`I�-e`\\�Զ7�j�ϏRQ ^,ԕo+&�r�f[Ԗ-Pò˔A'
~y�G>��:mNS'm�95ż1l;4�}t>�$��4icŦh4@g&�h`CCҏ�&-Ѐ�
w&|h��x� c
00w�9�&z4H۠h&r<�5$զ�ʦ/M@B9��{ǻ�ޚ�~�(w
z7t,5�,/�{@`\@Z�8`�$8ʼ��m�¢�8�ѵO�pM�rA}1`sDokwiic���)_\jC8�dN˵�K��(G))�$C{ ��hI#r�����
Bг1,`@o!`�`[X�� a�+R
.<���B�I��)r x&,R,BV-KᗄPf%i2mń(VFN��l�(0��Vf)5mV�AL �
�|�U=kb�$`~f�
oZ��io#2Rj�\7q6�EEi��j"�yd\s˰e0k#�Ӧ-�`"KjZ�Uv
~JIe��(������~+ӥ��
Ϻ�&�j}
��:�ZQa߯E�Xo^ :څH�����i3
9�6�~tqߎ3XA�m�k+sD
�ü
�z30Jјlkwl\Qm(}��n�q&�njJ7up]8�ý�okv��Qby6�G�3��d߉�&z���Gj{�%�r fD/h{
~z�U-'e0&30�ʃz5c�;
[6�0U�sfyr;ݯ5056u
2
\ z�ď5v �k��_�?L��[L&�zɖ0m0]sK��l\7�a Z�Gwi�ŏh(5rnΠ3C~�=բ,@��%UHU,UU\H�z,`we]Tckc`WPF4`�W�&s�\x&\_{�Ƌ�(bo)Q^J�SW".wD<�7Ϩ�3�}Nb�
��4PG��teWՄθ�4;eʿ-�XLd;ɲ�#X�I7,�
ְ�S�F*͐[YQa'\$X+JJYt�>80xn�T N���WQ�qT*N��_ZaQb��sE1 7FcyH�~��Zg�^�pRtt(Е�_{tCRT>ir(zχxǀ�5�_�ayH�Dyy{v>R�ﵲe+Kx�iW{㐔�J~9lK^Ï-øDoٷ��P �K)�#b6f$LTKU^I�Et�Fh0Z�< p 8YR|I}ҿ_SzG{ّX+ G�7�E?!hSHN:<�a�Sڎ7�M,#R_?�I];fW쐺Cվk,�S�VXMr!�֒,49Aϐa6n�glC_{k^+[���5�̀o��
I5:?<�Bp$� ��ǀzB�:��.Zi%�$C[(�����1tJ1(_RJ�MQ6�=#�ijvL×"(�L^(0[JӷoHW蘧Y�'D{_q+
s��z4~&�\3Z9n~"�B2�^'68�/�hp)9�ڏH�%/p�QZ�ins
zsHfaP;DZ3pu*dhw<)~�[ħ{�,�/䎉����R�1T�$�0m1결t]$�<3OђN)tJȓ$�F�=�)�I28IUF4A2�uIH?�Md�4XPWl
Pق�Z��'59ܻ8�^]6D2z��=`l)Za�"|)Nr
a=i]�`e>�ewqJiI�g��+y5EY-.l*$'?vb�'%��6
D�Tz@0�Hr吜zC=?UmO綉�X�kys=q�츃�%vd��:Gw*b�,_��huӅ[ejwd{t���4dkwT��/'y��SwA(,c5Kd�ؗ辰`;᧥}e��Tq���:�+`*9$�Th�H~ݍe_"+2�NI�ȅ^t*<>rg�ȸ�@7Yu��d3D?�ye1>�R3=�4|GPc�y~cI�.�~�(TR��/aO�,J麇\%��(�]MT-/^\RK>^_ϫ����@<@�{�.=ا�H�YX�tjQ;Wg�
?
'|ȞF}�Ա؉.qd�,dF9��a}�30[˱=�Ι���ោJ��;l�Vp�N
Ϧv_ O��%�FJM�c-ێ��!e_�Ц õcV:��
/!ʫIVܱ�S,*oO_�O�o+N֊ v)[ꈧ g�ך?�n1� |kM5�%&p$��M{fr+��(?���܇'Vx�e86[b4[03| LcK����fdM%3RT|X`ˤ~[X�''\/_zE��&g��q�/L�IiJ��a-# ƗO}Sġ~=��ϖj²3K<'f|rH�s N_�ԧsӆueqb&P|M-KQz.G]b)OM� ,�{�WIϜ ~,�G~5@:M�G�$��K› 75_4ې�|b>r�I�c}Tu�F��gn>F�^ӹ�PҹR�;;R_�Ei'1Mwc�hpme�ܒS�c�7��mtJ1/�Y�~8��nβH�i,O��J5�#1gtҭR8qFČ鄇�-D6B�te�tUe��s/
�bS! &z�[�vR8MymXi2DxV?���W?�ˌ=-9UObS``(�3^;P)MR5ލ,yVDvdId+V$nŕB!�H4OT�:PVTqZŋUڐJ�!�3 ?GuHV2/cʓ/'�0�L��L
&�:ݜL�<���Y�_�Y�F&0qqbbym�¥LvZ^-'�W-|Q~4,6o;f��dB-FLO}�%$6���~�F솪nLb&
{�\e6CEŴ�R0%�r^ٙIz\ 3(�I�nf��nH0KL����Բ
1
_�1*e\Bh=Ǡ%%�Y��.>Z\K�} T(V%%bj!S�B�=.ͧz-;�aIQ$>y.5d́6�̱�ەZg�+-
+Ν$U�g0F84�����J���py�(�>(ݍ�?ъ2Z5�Mdv��Ҡ[P�̅,I\O�Oy�j!,��X(K,&����)dh>ᥝx&)TZ^r!AC�/ ұfSyz�g4�.�����88]� 7/H%N|�a�f,;hs:�(��R@{i|>(p�~EԱӬ�y
n4�웨e>S�U 5��/D��z�Grt5ztJ=6ne�$L��
9:�
�df��iIj�38�c~]�I�@����Ϧ0�po�x z&{ &jy[�۲,<Ԧwr\/ωJYh ]8έ4h"üxpuBQK@�:T)Vjƃ/�� h� &��Aؤ�`7F
6.i>]ulIRJep?%l�6 �q'7777wc걾:��NAb�>�M�hL.�o8}l �'F��!l=�L�]�R`7w%[g{9;Rܽ>^
�L:0/w��+1k�˵eO�?$�0#A�2�d �aV�-�-�E)�9%(��%|� [r䫺C+&4��$'Y:SOTWAq�$!H�g
_qoX=B!qHےJWםOM/{�:�}&�Rtj溎b+r^U�\bZ��I,s�Yĉ�z4ҖbN2�{��8R��`5̹w&*J-x40H���d�'l1/�s�!�"�A$1D���L*JP�j>-yUN�ˉ@:w �cqra�%x0F]� �!�� !�7v!C6C-٢Z'�E�c8�}��0� 49^i"H� � uX���']�`7w]ɣ9=9=9=9=߸ӳX�k>�MD�Luq4'�,0�19�4<`hy�ڄ;otp qަ-*�X&gi�:p#_=H.|o.rvW[Tz�Bm|�b*]h�[1OG-; ?9�E@�ç#>ϔ|I�퉱�W5�;��bd9SgT-QxNְܱP\ud~�#7eS6�%:fYdo+x ȿ2[_�u2^-�/R�@0���,{�mvX�W!)LfERr��j���ߦ�um_u�_(ֈ_4ׅ�dUooc�;wt%�R�P3Wwbp,Lۼ�&�`lA�J���FR�
V$��
4"*Ιh֖,@PaRD�+o�pApy|�`'H�nH��N�~i�R x�+s�#@k5=:=f|'B5RRCt�Ƕ�;3&}b&CB7XzW�$e�_Mt,a�e=)ȁ.E=TG�*Dz'^t���]SF*�4a�%�0-g}+A#C!5z��ad}$ƽ▮t�yϹgL���h'ʤ\�[���a0F_�1Z%G�B�A8A�Xd�5ˋ�#��AE!��ѡb�KfR�lǛkJ�a}NfAfQȢiw\��sI
oU^r�OQ/K.i^`Vd1t��W��BZcĻ��Wes{��ɣ.�j"�-3
�jD: �x}#-F5נ��)x9mabfģ
g5�0}�f�DZGa�v̈́WХ|�W@O[jk�hDPU)˹unȓ�P}Ƴp-* ;,S@�Nm[q,>��c����Z+`miX�}>H�'ܺzB��9\I�fpZZ#X(+J
P�c�0ԑZ�fG@.`$H9{.í�V�ޯ�'�sP=Ӓ"^Glۏ\VKZ%se8.�.�6b�K&p}hyG�&ˇtxZډ�bL�k�R~ƃ'���pr�|q_o�Z&ȱL�po:~W,�T�Z~O"?{|�����զ̋Ht2)&Ȑ«f�6ȝ4����_K= o~{@\r
�qF,��-E||0XV$νO��g-�<�-SWld""@Ո��^�_�a���.:az��V=�gD&8 x%�w5q4tS{ 죋B��c3�3}�9asH ]TW\A��,�
� [z>K9x��{�/\o|J7�o9f�H� s9NVotn~��"1"�'0�枩U-c2Șh
MQ HxD�~=�0&N;!"��L��m�a�@���d��p���0'�1C�LD:5L[�lFLN[�$.�����q�߽bb��WoP$P +wdc&�||�9ǀ+�0_/
$�U,%Ҹ�)��T��&}�fA=bA!>?&~��?1HL)!Hbu�~����f`�:>�"(S[��]ă0>]hs(hpW'Acj `�`�\�N���5�
|{�c�`��>�c�[7��Υi4EVz|L�
]ǒ�4�B1h^ܘE!�㯛1�}��
=<�RXX_1ԻPSr$4k�|:*�!dW`�cE)'N�6SoS��w��2Vq6%L�z%rEeW0`A#'92ag44\�K�ۂ�IS��pٷ�!ѺLNפEN;�2x<8^
Krܹ)*lk
nWji|9?>v/;WahT慶DQ)HFY�0;eAq(�SͅfU/Y.284$/J!�M8s'Q~�^\��;�'P~�sA3,�Pqsy7n.�@���@����
3o�(_�3�*}'ߧ�@MV9M�@7��d_ry�[�rֺ
)�qFy9
|�SG0�U�75ip[~|^ಓ_�a'ce�=�' MĮkf s?3�´�_XrnY��='��̄08=8G9+2ppn�n-(}atl'�y�Rx�܃�AR(�~Q�A[#r/.�JDπn���FfβR����yn%()%�y+6(م�7�0UZVAo>�Dn[~Qڗ��@1a璧�f*iů�Kw? /X�)Ns�'|oS�ې)0XP�y4w��6كl2x�M��1(D�0�ƞ=�Hˍt�_f%�\!dW<�lԷ3@FC0!���Zyc�KE�%&(Xp\'A6Ιimw9;>�Ba2\�X�G�x
ky�f#ŧsW<2ZPt jf
kL~wx>Y:}#s!?"L�nl�^^kte�(n
aa�ɗX�[zw0�0jLP�9͓_ a�0*�=�:`-�h_̮%̱`=b^8qe�Qs|�J9j��
{τ �ixf�X��c`*#F"��Z*bJ�؉ZqpR.C79I(>eSc'@n0\|y
d9[Hօ5��\j9/bY4~>��\9�9�.@OI"cXM1}aE�|iOS<'\�=+�S
�a%P�a0|Y�k/o��P:m��yH%D=C�
ɳQƠk'O�(QF�=;��)>_c34�N~9lKaE�e遢%!4��!ջj˳dEg0��.A|Ѿhy6��n_ ���?i4�V�A$摝7y@Ƣ�I:6p0�JV}0�1{l~r[)�cEs̥D/5^JB\sjh6
|
Mobile & Wireless 
