According to published reports, Nokia and Sun have both confirmed the existence of serious security problems in the Series 40 and Java Platform Micro Edition (Java ME) , giving instant credibility to the claims by Polish hacker Adam Gowdiak.
Gowdiak (left), one of the four LSD researchers who discovered the MS03-026 flaw that was later exploited in the Blaster worm attacks, triggered widespread controversy earlier this month demanding 20,000 Euros each from Nokia and Sun for access to his full research but it now appears that he handed over enough information for the companies to reproduce/confirm the issues.
Here's Nokia's response:
- Nokia has been a week or two getting back to us, but this morning admitted that they have "been investigating the allegations made, using our normal processes and comprehensive testing... We can confirm that both claims are valid in some of our products."
From a Sun Micrososystems spokesperson:
- According to Sun, most of the "security explorations" carried out by Gowdiak were specific to the Nokia phone stack's implementation of J2ME, rather than J2ME itself. "Sun can confirm that there are a couple of potential vulnerabilities outlined in [Gowdiak's] post that are specific to [J2ME] but those are limited to older versions of [J2ME]," Sun's spokesperson said. "In addition, these vulnerabilities would be extremely difficult to exploit because they would require device-specific information that is not readily available."
It it not yet known if either company paid for Gowdiak's research.