Google Android vulnerable to drive-by browser exploit

The Google Android operating system is affected by a serious security vulnerability that allows malicious hackers to launch drive-by browser attacks, according to an alert from a security research outfit.

Technical details of the vulnerability, which occurs because Google Android uses an unpatched open-source software package, are being kept under wraps until a patch is available.

Google was notified of this issue on October 20th, 2008.

According to a warning from Independent Security Evaluators (the company that found the first iPhone code execution flaw), this particular security vulnerability "was known and fixed in the relevant software package," but Google used an older, still vulnerable version.

The Google Android OS powers the T-Mobile G1 by HTC, a device that's currently in stores in the United States.

  • A user of an Android phone who uses the web browser to surf the internet may be exploited if they visit a malicious page. Upon visiting the malicious site, the attacker can run any code they wish with the privileges of the web browser application. We have a very reliable exploit for this issue for demonstration purposes.

The researchers, however, acknowledged that the impact of this attack is "somewhat limited" because of the way Google Android is designed.

  • A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they can not control other, unrelated aspects of the phone, such as dialing the phone directly.

Topics: Android, Browser, Google, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
