In association with heise online

31 January 2011, 10:10

Data theft vulnerability in Android 2.3 not plugged

A security vulnerability in the Android browser which could be exploited to steal data, and was disclosed back in November 2010, is still exploitable in the latest version of the smartphone operating system (version 2.3, 'Gingerbread'). Security researcher Xuxian Jiang of the University of North Carolina reports that it is possible to bypass the patch which was supposed to fix the vulnerability.

Jiang states that he informed the Android Security Team of the problem on 26 January and provided them with exploit code tested on a Nexus S. Happily, he reports, the team was very quick to respond to his message, took the problem seriously and began looking into it straight away. Jiang stresses that it is not a root exploit. It runs within the Android sandbox and consequently only has access to some data, such as that stored on the SD card. No exploit for the vulnerability has been observed in the wild.

The vulnerability, originally discovered by security expert Thomas Cannon, requires the user to be lured onto a crafted website. Cannon publicly disclosed the problem after Google initially stated that it would not be fixed in Android 2.3. An apparently makeshift patch was then included in version 2.3. According to Jiang, the security team has now promised to provide a definitive fix for the problem in the next major Android update.

Until then, Jiang suggests that users can protect themselves by disabling JavaScript in the Android browser, using another browser such as Firefox or by unmounting the /sdcard directory – the latter may, however, severely affect phone usability.

