Google closes critical security hole in Android
According to reports in the US media, Google has started to deploy the first security update for its Android mobile operating system. Users of T-Mobile's G1 are being offered the update for automatic installation. According to a system message, no emergency calls can be made while the update is being installed. A reboot is required after installation.
The update is designed to close the hole in Android that became apparent last weekend. Attackers are able to inject and execute arbitrary code when a specially crafted web page is visited with a vulnerable Android device. The problem is said to be caused by an outdated open source package. Independent Security Evaluators (ISE), who discovered the hole, have so far released no further details.
The injected code can, however, only be executed with the web browser's privileges, and attackers are not able to gain control over the entire mobile device. Google's approach with Android is to separate all the applications from the overall system by running each in its own sandbox to isolate potential security holes. It would still be possible to install a trojan in the memory of the browser, which is derived from WebKit, to spy on any passwords and critical authentication data entered on other web pages.