Google Android Bug Not as Bad as Feared, Security Researcher Says
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Google Android Bug Not as Bad as Feared, Security Researcher Says

Written By
Brian Prince
Brian Prince
Feb 13, 2009
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

A security researcher is backing away from a warning he issued about the Google Android operating system.

Charles Miller, principal security analyst at Independent Security Evaluators, discovered a vulnerability in the multimedia subsystem Android uses for its browser. The bug, which exists in PacketVideo’s OpenCore media library, is an integer underflow during Hoffman decoding that causes improper bounds checking when writing to a heap allocated buffer.

Although Miller initially said the bug could be exploited to run arbitrary code in the browser, he stated late Feb. 12 that the vulnerability wasn’t as serious as he first thought.

“While the bug can be activated by the browser, the actual code that would be executed by a successful attack would run in the media player, not the browser,” he said. “This means it would live in the media player sandbox and not the browser sandbox, and would presumably have different capabilities. I haven’t actually investigated the media player sandbox at this point, so I can’t say for sure.”

“This makes the bug less dangerous than I thought,” he concluded.

After Google was notified of the vulnerability, it contacted PacketVideo, T-Mobile and oCERT, a public Computer Emergency Response Team, a Google spokesman said Feb. 12. PacketVideo developed a fix on Feb. 5 and patched open-source Android two days later.

“We offered the patch to T-Mobile when it became available, and G1 users will be updated at T-Mobile’s discretion,” a Google spokesperson said at the time.

The spokesman explained that Android’s media server works within its own application sandbox, mitigating against the type of damage Miller first alleged. Security issues in the media server would not affect other applications on the G1 phone such as e-mail, the browser, SMS (Short Message Service) and the dialer, the spokesman added.

“If the bug Charlie reported to us on Jan. 21 is exploited, it would be limited to the media server and could only exploit actions the media server performs, such as listen to and alter some audio and visual media,” the spokesperson said.
Brian Prince
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information