August 21st, 2008
Nokia and Sun confirm S40, Java ME vulnerabilities
According to published reports, Nokia and Sun have both confirmed the existence of serious security problems in the Series 40 and Java Platform Micro Edition (Java ME) , giving instant credibility to the claims by Polish hacker Adam Gowdiak.
Gowdiak (left), one of the four LSD researchers who discovered the MS03-026 flaw that was later exploited in the Blaster worm attacks, triggered widespread controversy earlier this month demanding 20,000 Euros each from Nokia and Sun for access to his full research but it now appears that he handed over enough information for the companies to reproduce/confirm the issues.
[ SEE: Researcher discovers Nokia S40 vulnerabilities, demands payment ]
Here’s Nokia’s response:
- Nokia has been a week or two getting back to us, but this morning admitted that they have “been investigating the allegations made, using our normal processes and comprehensive testing… We can confirm that both claims are valid in some of our products.”
From a Sun Micrososystems spokesperson:
- According to Sun, most of the “security explorations” carried out by Gowdiak were specific to the Nokia phone stack’s implementation of J2ME, rather than J2ME itself. “Sun can confirm that there are a couple of potential vulnerabilities outlined in [Gowdiak's] post that are specific to [J2ME] but those are limited to older versions of [J2ME],” Sun’s spokesperson said. “In addition, these vulnerabilities would be extremely difficult to exploit because they would require device-specific information that is not readily available.”
It it not yet known if either company paid for Gowdiak’s research.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
