November 4th, 2008
Google and T-Mobile push patch for Android security flaw
During the weekend, Google and T-Mobile pushed a patch fixing last week’s disclosed security flaw affecting Google’s Android. The flaw and the PoC were communicated to Google on October 20th, with the vulnerability itself made possible due to Android’s use of outdated third-party software packages.
“Users of the G1 Android phone on Friday have begun receiving a software update that fixes a flaw that security researchers found earlier in the week. The update included the fix to the browser vulnerability and a couple of other minor changes as well, said Michael Kirkland, a Google spokesman. Every user of the G1 may not have gotten the update yet but should within a short time frame, he said. Google worked with T-Mobile USA, the only operator selling the device, to push the update out to users. The G1 went on sale last week, and T-Mobile has not disclosed how many have sold so far.”
The same issue occurred back in March, when multiple vulnerabilities were reported in Google’s Android SDK, the exploitation of which was once again made possible due to the use of outdated open source image processing libraries. If there’s a pure Android security flaw that you’re looking for, try the outdated software packages running on it for starters — pretty similar situation to Microsoft’s recent emphasis on how the exploitation of third-party applications undermines their security.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
