Security researcher Charles Miller is backing away from a warning about the Google Android browser. If an exploit were successful, the actual code that would be executed would run in the media player, not the browser due to its application sandboxing.
A security researcher is backing away from a warning
about the Google Android operating system.
Charles Miller, principal security analyst at Independent Security
in the multimedia subsystem Android uses for its browser.
The bug, which exists in PacketVideo's OpenCore media library, is an integer
underflow during Hoffman decoding that causes improper bounds checking when
writing to a heap allocated buffer.
Although Miller initially said the bug could be exploited to run arbitrary
code in the browser, he stated late Feb. 12 that the vulnerability wasn't as
serious as he first thought.
"While the bug can be activated by the browser, the actual code that would
be executed by a successful attack would run in the media player, not the
browser," he said. "This means it would live in the media player sandbox and
not the browser sandbox, and would presumably have different capabilities. I
haven't actually investigated the media player sandbox at this point, so I
can't say for sure."
"This makes the bug less dangerous than I thought," he concluded.
After Google was notified of the vulnerability, it contacted PacketVideo,
T-Mobile and oCERT, a public Computer Emergency Response Team, a Google
spokesman said Feb. 12. PacketVideo developed a fix on Feb. 5 and patched
open-source Android two days later.
"We offered the patch to T-Mobile when it became available, and G1
users will be updated at T-Mobile's discretion," a Google spokesperson
said at the time.
The spokesman explained that Android's media server works within its own
application sandbox, mitigating against the type of damage Miller first
alleged. Security issues in the media server would not affect other
applications on the G1 phone such as e-mail, the browser, SMS (Short Message
Service) and the dialer, the spokesman added.
"If the bug Charlie reported to us on Jan. 21 is exploited, it would be
limited to the media server and could only exploit actions the media server
performs, such as listen to and alter some audio and visual media," the