Google's Android once again makes the headlines, this time because the Google phone (G1), which was launched last week, is vulnerable to hacker attack. For those of you who are keeping track, the previous week coincides with when the source code for Google's Android phone went open source.
According to ISE (short for Independent Security Evaluators), the problem lies in the fact that the Android OS (operating system) is based on various open source programs, a grand total of 80 to be more precise. The security issues within these programs were addressed and fixes were issued, but Google did not use the up-to-date, patched versions. Instead it used older versions that are plagued by various known vulnerabilities.
The experts from ISE who discovered the problem are Charlie Miller, Mark Daniel, and Jake Honoroff. According to them, the security problem is exploitable, but they will not provide in-depth information about it. Why have they chosen not to do that? The reasoning is quite simple: hackers who want to exploit it will have to do their own work; they will not be handed the information. Meanwhile, Google will have time to work on a security patch or fix. ISE will release the exploit that they came across only after Google makes a fix available. If you get hacked at that point, it is completely your fault because you did not take care to upgrade.
Here are the few details that we have about the vulnerability. If a hacker sets up a malicious site and you visit it, then said hacker can run malicious code and take over the browser. The attacker would have access to all the goodies stored in the browser's memory (cookies, passwords, data that you fed into various web applications). All the G1 phones that are currently being shipped to buyers are shipped with this security vulnerability. At this time there is no known exploit in the wild, and hopefully Google will release a fix before the hackers figure out how to exploit this vulnerability.