Officials at Google say a vulnerability affecting the open-source Google Android operating system has been fixed, and T-Mobile will push a patch out to T-Mobile G1 smartphone users. Details of the bug were made public at the ShmooCon hacker event in Washington.
A security researcher is recommending that users approach the browser
on the T-Mobile G1 phone with caution until a patch for a
recently publicized vulnerability is deployed.
Charles Miller, who revealed technical details of the bug at ShmooCon, held
Feb. 6 to 9 in Washington, said
users should either steer clear of the browser or only use it to visit trusted
The bug exists in PacketVideo's OpenCore media library,
which Android uses as the multimedia subsystem for its browser.
According to Google,
once the company was notified of the vulnerability, it
contacted PacketVideo, T-Mobile and oCERT, a public Computer Emergency Response
Team. PacketVideo developed a fix on Feb. 5 and patched open-source Android two
"We offered the patch to T-Mobile when it became available, and G1
users will be updated at T-Mobile's discretion," a Google spokesperson
Click here to read about an earlier announcement from Charles Miller about Android security.
The vulnerability is an integer underflow during Huffman decoding that
causes improper bounds checking when writing to a heap allocated buffer.
According to the oCERT advisory, decoding a specially crafted MP3 file will
result in an unexpected crash or arbitrary code execution due to heap corruption.
"It could be exploited a couple of ways," said Miller, principal
security analyst at Independent Security Evaluators. "One is by getting
the victim to a malicious Web page, say by following a link in an e-mail or SMS
message. Another is by being [an] MITM (man in the middle) on a public Wi-Fi
network, at Starbucks or the airport or something."
A successful attack would allow the attacker to run arbitrary code with the
permissions of the browser, he added.
"For example, it could read cookies and authentication as well as
Trojan the browser to reveal anything typed into the browser," Miller
said. "It would not, for example, allow the reading of e-mails or the
address book, as the browser does not have these permissions."
A Google spokesperson however said the damage that could be caused is
limited by the fact that Android's media server, which uses OpenCore, works
within its own application sandbox. As a result, security issues in the media
server would not affect other applications on the phone such as e-mail, the
browser, SMS (Short Message Service) and the dialer, he explained.
"If the bug Charlie reported to us on January 21st is exploited, it
would be limited to the media server and could only exploit actions the media
server performs, such as listen to and alter some audio and visual media,"
the spokesperson added.
So far, Miller said he has not seen an exploit for the vulnerability in
"The main reason I made the recommendation to not
use the browser is the thing is primarily a phone, not a Web browser," Miller
said. "So I think not using a browser on a phone until a patch is
available isn't asking people to suffer too badly if they worry about their