Update 05/27/2007: One of the comments in the talkbacks (thanks kd5auq!) mentioned that there is no patch to be downloaded for AT&T-based Motorola RAZR phones. I've no idea if Motorola currently or formerly supported AT&T-based RAZRs, as I'm an iPhone kinda guy, but I'd be curious to hear if anyone else has noticed this, knows if AT&T phones are vulnerable, is a Motorola rep that wishes to comment, or has had similar issues getting a patch for their phone. Also, I added two polls to the end of the article, feel free to contribute!
A sexy mobile vulnerability was released today by ZDI that really caught my attention. Here are the details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable Motorola RAZR firmware based cell phones. User interaction is required to exploit this vulnerability in that the target must accept a malicious image sent via MMS.
The specific flaw exists in the JPEG thumbprint component of the EXIF parser. A corrupt JPEG received via MMS can cause a memory corruption which can be leveraged to execute arbitrary code on the affected device.
-- Vendor Response: Motorola states: Together, ZDI and Motorola have identified a potential vulnerability related to viewing malicious, manipulated JPEG files affecting select RAZR-series devices. Although the possibility of this vulnerability occurring is very remote and would only occur in unique circumstances, Motorola proactively corrected it in all new device releases.
To ensure that you have the latest software load available for your device, please visit: http://direct.motorola.com/hellomoto/NSS/update_my_software.asp
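The advisory names the EXIF thumbnail parser but gives no detail, so here is an added example (my own code, not ZDI's or Motorola's, and not a claim about what the actual RAZR defect is) of the class of check such a parser needs: the thumbnail offset and length tags (JPEGInterchangeFormat, tag 0x0201, and JPEGInterchangeFormatLength, tag 0x0202) are attacker-controlled numbers inside the image and must be bounds-checked against the buffer before anything is read through them. It assumes a little-endian ("II") TIFF block, as found after the `Exif\0\0` marker of an APP1 segment, and builds its own constructed sample so it runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
/* Locate the thumbnail in a little-endian ("II") TIFF blob of len bytes: returns 0 and a
 * slice on success, -1 if any offset or length would leave the buffer. */
int exif_thumbnail(const uint8_t *buf, size_t len, const uint8_t **thumb, size_t *tlen)
{
    if (len < 8 || buf[0] != 'I' || buf[1] != 'I' || rd16(buf + 2) != 42) return -1;
    uint32_t ifd = rd32(buf + 4), off = 0, size = 0; int seen = 0;
    if (ifd > len - 2) return -1;                         /* room for the entry count */
    uint16_t n = rd16(buf + ifd);
    if ((size_t)n > (len - ifd - 2) / 12) return -1;      /* whole 12-byte-entry table must fit */
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        if (rd16(e + 2) != 4 || rd32(e + 4) != 1) continue;       /* both tags are LONG, count 1 */
        if (rd16(e) == 0x0201) { off = rd32(e + 8);  seen |= 1; }  /* JPEGInterchangeFormat */
        if (rd16(e) == 0x0202) { size = rd32(e + 8); seen |= 2; }  /* JPEGInterchangeFormatLength */
    }
    if (seen != 3 || size == 0) return -1;
    /* The check a vulnerable parser omits, written as a subtraction so a huge length
     * cannot wrap off + size around to a small, in-bounds value. */
    if (off > len || size > len - off) return -1;
    *thumb = buf + off; *tlen = size; return 0;
}
/* Constructed sample: header, one IFD with the two thumbnail tags, a zero next-IFD pointer,
 * then 6 thumbnail bytes at offset 38. Real files keep these tags in IFD1; one IFD suffices. */
size_t build_sample(uint8_t out[44], uint32_t off, uint32_t size)
{
    static const uint8_t hdr[38] = { 'I','I', 42,0, 8,0,0,0, 2,0,           /* IFD at 8, 2 entries */
                                     0x01,0x02, 4,0, 1,0,0,0, 0,0,0,0,      /* tag 0x0201 LONG[1] */
                                     0x02,0x02, 4,0, 1,0,0,0, 0,0,0,0,      /* tag 0x0202 LONG[1] */
                                     0,0,0,0 };                             /* no next IFD */
    const uint8_t jpg[6] = { 0xff, 0xd8, 0xff, 0xd9, 0, 0 };               /* thumbnail: SOI ... EOI */
    memcpy(out, hdr, sizeof hdr);
    wr32(out + 18, off); wr32(out + 30, size);            /* value fields of the two entries */
    memcpy(out + 38, jpg, sizeof jpg);
    return 44;
}
/* Build a sample with the given tag values and report whether the parser accepts it. */
int sample_accepted(uint32_t off, uint32_t size)
{
    uint8_t blob[44]; const uint8_t *t; size_t tl;
    size_t n = build_sample(blob, off, size);
    if (exif_thumbnail(blob, n, &t, &tl) != 0) return 0;
    return t[0] == 0xff && t[1] == 0xd8 && tl == size;
}
```

With a plain `off + size <= len` test on 32-bit arithmetic, a length of 0xFFFFFFF0 would wrap the sum to a small number and be accepted; the subtraction form rejects it.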
What's a real bummer about this (and this is why I hate the disclosure brokers) is that no proof-of-concept code is released, leaving us with some real questions about the vulnerability. Motorola says in the ZDI release:
"Although the possibility of this vulnerability occurring is very remote and would only occur in unique circumstances, Motorola proactively corrected it in all new device releases."
OK, what are the details then? Why is it so tough to exploit? It sounds pretty straightforward: the user accepts a malicious image sent through MMS and gets pwned. What's so tough about that? One click to pwnage. It's sent via MMS, so you could adapt your approach; maybe you send it attempting to look like a popular bank, telling someone it's an image of their bank statement. My message to Motorola is: if you say it is not an issue, back up why it is not an issue; don't leave us grasping at thin air for your reasoning.
Worse yet, I went to check out the Motorola update page, hoping they'd have more details (they did not), and I decided to enter some fake information to see what their response was for a given phone. I said I used T-Mobile and had a Motorola RAZR phone, and this is what was presented to me:
Motorola Software Update provides the latest approved software for devices in warranty. Please enter your date of purchase to determine warranty status.
Date entered here...
You will be prompted if a backup and restore of your device is warranted. If a backup and restore is warranted, during the software update, all third-party media, including but not limited to, music, pictures, ringtones, and screensavers, will be deleted. You will need to reload all third-party media after the software update. Third party applications and some custom settings CANNOT be automatically restored after the device has been updated. Please note that during the update, you will have the opportunity to save your personal data.
Umm... so, apparently, I only get to be protected from this flaw if my phone is still under warranty. Could someone with a Motorola RAZR or from Motorola please confirm whether this is the case? If so, this is ridiculous.