October 9th, 2009
Google patches Android DoS vulnerabilities
Google has shipped a new version of the Android open-source mobile phone platform to fix a pair of security flaws that could lead to denial-of-service attacks.
According to an advisory from oCERT, a group that handles vulnerability disclosure for open-source projects, the flaws could allow hackers to render Android-powered devices useless.
Here’s the skinny on the first Android issue:
The most recent report concerns Android handling of SMS messages: a specific malformed SMS message can be crafted to trigger a condition that disconnects the mobile phone from the cellular network. The malformed SMS message consists of a badly formatted WAP Push message which causes an Java ArrayIndexOutOfBoundsException in the phone application (android.com.phone).
The phone application silently restarts without user awareness, this leads to a temporary loss of connectivity (as well as dropping of current calls, if any) which can be prolonged in case the phone SIM is protected by PIN, due to required PIN re-entry and the need for user attention. Triggering this bug (repeatedly in case no PIN is present) is considered a remote DoS condition.
And the second bug:
A specific malicious application can be crafted so that if it is downloaded and executed by the user, it would trigger the vulnerable API function and restart the system process. The same condition could occur if a developer unintentionally places the vulnerable function in a place where the execution path leads to that function call. Triggering this bug is considered a DoS condition.
The vulnerabilities affect Android 1.5. Patches have been released by Google.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
