Google Android Bug Not as Bad as Feared, Security Researcher Says

Security researcher Charles Miller is backing away from a warning about the Google Android browser. If an exploit were successful, the actual code that would be executed would run in the media player, not the browser due to its application sandboxing.

A security researcher is backing away from a warning he issued about the Google Android operating system.

Charles Miller, principal security analyst at Independent Security Evaluators, discovered a vulnerability in the multimedia subsystem Android uses for its browser. The bug, which exists in PacketVideo's OpenCore media library, is an integer underflow during Hoffman decoding that causes improper bounds checking when writing to a heap allocated buffer.

Although Miller initially said the bug could be exploited to run arbitrary code in the browser, he stated late Feb. 12 that the vulnerability wasn't as serious as he first thought.

"While the bug can be activated by the browser, the actual code that would be executed by a successful attack would run in the media player, not the browser," he said. "This means it would live in the media player sandbox and not the browser sandbox, and would presumably have different capabilities. I haven't actually investigated the media player sandbox at this point, so I can't say for sure."

"This makes the bug less dangerous than I thought," he concluded.

After Google was notified of the vulnerability, it contacted PacketVideo, T-Mobile and oCERT, a public Computer Emergency Response Team, a Google spokesman said Feb. 12. PacketVideo developed a fix on Feb. 5 and patched open-source Android two days later.

"We offered the patch to T-Mobile when it became available, and G1 users will be updated at T-Mobile's discretion," a Google spokesperson said at the time.

The spokesman explained that Android's media server works within its own application sandbox, mitigating against the type of damage Miller first alleged. Security issues in the media server would not affect other applications on the G1 phone such as e-mail, the browser, SMS (Short Message Service) and the dialer, the spokesman added.

"If the bug Charlie reported to us on Jan. 21 is exploited, it would be limited to the media server and could only exploit actions the media server performs, such as listen to and alter some audio and visual media," the spokesperson said.