Details of vulnerabilities in the Palm Pre and Android published
In an interview with PC Pro, Alex Fidgen, director of security services provider MWR, has spilled the beans on the vulnerabilities in the Palm Pre and Android, both of which now appear to have been plugged. According to Fidgen, it was possible to inject and execute code on the Palm Pre by opening a crafted vCard e-mail attachment. This gave the attacker remote control of the device and enabled them to use it as a remote listening device.
Fidgen does not say whether MWR has actually demonstrated this in practice. Palm was informed of the problem in May and fixed it in July with the release of webOS 1.4.5. Oddly, in the PC Pro interview Fidgen claims that Palm did not respond, despite a posting on MWR's own website from 7th July stating that a patch is available.
According to Fidgen, Google's Android also allowed injection of malicious code through a vulnerability in the WebKit browser engine. This could be exploited to read user names and passwords stored by the browser. Infection merely required a user to visit a crafted web page. Google is reported to have fixed the bug in the recently released Android 2.2 (Froyo).
Not that this is of much use to users whose smartphone vendor fails to offer updates to the latest version on Android devices. According to Google, currently only 5% of all Android mobiles accessing the Android Market are running version 2.2.
Google's update policy is somewhat opaque anyway. In contrast to its Chrome browser, for example, the company almost never releases information on fixed vulnerabilities. Other platforms with WebKit-based browsers are also believed to be affected by the bug, though it is not clear whether Safari on the iPhone falls into this category.