Nokia confirms flaws in Series 40 handsets

Nokia has admitted to serious vulnerabilities in its Series 40 mobile platform, but claimed the flaws do not pose a significant risk to handsets using the operating system.

The flaws affect Sun's mobile version of Java (J2ME), particularly as used in Nokia Series 40 handsets, and were revealed by Polish security researcher Adam Gowdiak. Gowdiak made Nokia and Sun aware of the vulnerabilities' existence shortly before going public with his findings, but demanded €20,000 (£16,000) from the companies to give them full details of the flaws.

Sun has not said whether it paid up, and Nokia has now said in a statement that it will not comment on that point "for security reasons".

Gowdiak identified two main flaws: holes in older versions of J2ME that allow remote access to phone functions that should be restricted, and problems in Series 40 that allow stealth installation or activation of applications. Series 40 is an enormously popular platform, generally found on Nokia's lower-end handsets. It is used in more than 100 million devices.

"Our testing has been concentrating on products that might have both of the claims present," Nokia said in a statement late this week. "We can confirm that both claims are valid in some of our products. Once we have completed testing and analysis of the alleged issues, we will communicate the next steps. We will also investigate potential measures to counter the risk of stealth installation."

Sun has already said it will be issuing a fix for the J2ME flaws in the coming weeks.

Nokia stressed in its statement that it was "not aware of any malicious incidents on the Series 40 platform". "We do not currently believe these issues represent a significant risk to customers' devices," it added.