Security Researcher Warns Unpatched Google Android G1 Web Browser Users

Officials at Google say a vulnerability affecting the open-source Google Android operating system has been fixed, and T-Mobile will push a patch out to T-Mobile G1 smartphone users. Details of the bug were made public at the ShmooCon hacker event in Washington.

A security researcher is recommending that users approach the browser on the T-Mobile G1 phone with caution until a patch for a recently publicized vulnerability is deployed.

Charles Miller, who revealed technical details of the bug at ShmooCon, held Feb. 6 to 9 in Washington, said users should either steer clear of the browser or only use it to visit trusted sites.

The bug exists in PacketVideo's OpenCore media library, which Android uses as the multimedia subsystem for its browser.

According to Google, once the company was notified of the vulnerability, it contacted PacketVideo, T-Mobile and oCERT, a public Computer Emergency Response Team. PacketVideo developed a fix on Feb. 5 and patched open-source Android two days later.

"We offered the patch to T-Mobile when it became available, and G1 users will be updated at T-Mobile's discretion," a Google spokesperson said.

Click here to read about an earlier announcement from Charles Miller about Android security.

The vulnerability is an integer underflow during Huffman decoding that causes improper bounds checking when writing to a heap allocated buffer. According to the oCERT advisory, decoding a specially crafted MP3 file will result in an unexpected crash or arbitrary code execution due to heap corruption.

"It could be exploited a couple of ways," said Miller, principal security analyst at Independent Security Evaluators. "One is by getting the victim to a malicious Web page, say by following a link in an e-mail or SMS message. Another is by being [an] MITM (man in the middle) on a public Wi-Fi network, at Starbucks or the airport or something."

A successful attack would allow the attacker to run arbitrary code with the permissions of the browser, he added.

"For example, it could read cookies and authentication as well as Trojan the browser to reveal anything typed into the browser," Miller said. "It would not, for example, allow the reading of e-mails or the address book, as the browser does not have these permissions."

A Google spokesperson however said the damage that could be caused is limited by the fact that Android's media server, which uses OpenCore, works within its own application sandbox. As a result, security issues in the media server would not affect other applications on the phone such as e-mail, the browser, SMS (Short Message Service) and the dialer, he explained.

"If the bug Charlie reported to us on January 21st is exploited, it would be limited to the media server and could only exploit actions the media server performs, such as listen to and alter some audio and visual media," the spokesperson added.

So far, Miller said he has not seen an exploit for the vulnerability in the wild.

"The main reason I made the recommendation to not use the browser is the thing is primarily a phone, not a Web browser," Miller said. "So I think not using a browser on a phone until a patch is available isn't asking people to suffer too badly if they worry about their security."