Google closes security holes in Android
Security services provider Core Security has reported several heap and integer overflows in Google Android's PNG, GIF and BMP image processing libraries. While some of the flaws are apparently caused by obsolete and vulnerable open source libraries in the development kit, the new Android code itself also contains holes. Google developer Dan Morrill has already conceded that the users of the Android mobile telephony system face more security holes than users of other devices.
According to the report, the holes allow arbitrary code to be injected and executed on the device. So far, the service provider has only tested this on the emulator contained in the Android SDK. Google claims that the code is only executed at unprivileged user level, but Core claims obtaining root privileges is trivial since the account currently doesn't have a password. A simple su is said to be all that's required.
The problems in the libpng and libgsl (giflib) libraries were already fixed in version m5-rc14 of the Android SDK, which has been available since mid-February. The overflows in the BMP functions have been resolved in the current version, m5-rc15. Google's Android is currently still under development, and there has been no official release so far. Before an official release, the entire development environment is to be subjected to code auditing. However, several mobile telephony vendors are said to have designed their prototypes with flawed SDKs. Whether these devices are already in circulation is unknown.
- Multiple vulnerabilities in Google's Android SDK, security advisory by Core Security
- Release Notes, overview of the changes by Google