Researchers expose Android WebKit browser exploit

Researchers expose Android WebKit browser exploit

Summary: Security experts have said handsets running version 2.0 or 2.1 of the Android OS could be remotely compromised by attackers employing code manipulation

TOPICS: Security

A security researcher has discovered a weakness in the WebKit browser in the Android operating system that could potentially lead to remote code execution or software crashes.

The back-door vulnerability could allow attackers to quietly install Trojans or other malicious software that could allow full access to the handset, security engineer M J Keith of Alert Logic warned on Friday. Users simply need to load a web page with specially crafted HTML, he said.

The hole was made public by the security researcher on Friday and has been tested on Motorola Droid devices running versions 2.0.1 and 2.1 of the Android OS. It was also tested on an emulator for versions 2.0-2.1, which were also found to be susceptible.

This weakness is not specific to Android, as the WebKit vulnerability was already known to be present in Apple's Safari and Ubuntu Linux. However, Google has issued a fix in the latest version of the Android operating system, Froyo 2.2.

"We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser. The issue does not affect Android 2.2 or later versions," a Google spokesperson told ZDNet UK on Monday.

According to Google's figures only 36.2 percent of Android handsets have so far made the upgrade to Froyo. Many security issues are not disclosed in public until the companies involved have been given an opportunity to patch the vulnerabilities.

Other mobile operating systems also use the WebKit system, including BlackBerry, Palm (now HP) WebOS, and Apple iOS. Many browsers are also being built on the same platform, including Chrome, Firefox Mobile and Skyfire.

On Tuesday, Coverity, a company that uses tools to check the integrity of software for potential weaknesses, announced that it had found 359 defects in the Android code, of which 88 are classified as high risk.

"Common defects found in open-source code continue to be flaws such as memory corruptions, NULL pointer dereferences, and resource leaks, which can cause system crashes and security vulnerabilities in products," reads the report.

In August, MWR InfoSecurity said it had discovered a flaw in the Android OS that allowed the transmission of confidential information, such as banking details or passwords, if a user visits a malicious web page using the standard WebKit-based browser.

The same researchers also found that a specially crafted vCard transferred to a Palm Pre via SMS, Bluetooth or the web browser could be used to remotely monitor calls made on the device.

Topic: Security

Ben Woods

About Ben Woods

With several years' experience covering everything in the world of telecoms and mobility, Ben's your man if it involves a smartphone, tablet, laptop, or any other piece of tech small enough to carry around with you.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • It is alarming that there are a range of security issues that continue to be highlighted in connection with smartphones. While it is clear that the manufacturers of the phones themselves should strive to combat flaws and weaknesses in their operating systems, I believe that it is also crucial that users of unprotected smartphones take responsibility for their own data security and protect their handsets with a robust security solution. In particular, those who store data and undertake financial or purchasing transactions should use all the protection at their disposal to defend against virus attacks.
    Smartphone platforms are fundamentally insecure, leaving mobile devices exposed to the threats from the web. Loss or theft is also a big risk; if you use your mobile for business, access your emails on it or simply don’t want a stranger looking at your personal text, photos and emails, then it is essential to protect the phone with an inexpensive yet reliable security solution such as BlackBelt AntiTheft.

    Peter Harrison