Security firm reportedly discovered 88 critical holes in Android
Security analysts Coverity have reportedly found 88 critical vulnerabilities in the kernel of Google's open source Android mobile operating system. When analysing an HTC (Droid) Incredible running Android 2.1, Coverity say they encountered such problems as uninitialised variables and memory corruptions.
The security firm has not stated whether, or which of, the holes in the Android kernel can be exploited to compromise devices, or whether the holes can be exploited locally or remotely. However, the Mozilla Foundation has long classified vulnerabilities such as memory corruptions in Firefox as critical because they can potentially be exploited to inject and execute code.
Coverity plans to release further information about the vulnerabilities in 60 days to give Google and other vendors time to close the holes. This would be the first time that information about vulnerabilities in Android is released to a wider audience. Google has so far generally kept quiet about any holes in Android and hasn't even disclosed the problems fixed in version updates. The Android Security Announcements and Android Security Discussions Google groups set up about two years ago hardly ever receive postings.
However, vulnerability information does occasionally get circulated (for instance on the Insight web page), but the vulnerabilities can usually only be exploited to "root" a device. Recently, vendor MWR reported on holes in Android. A vulnerability in the WebKit browser engine can apparently be exploited to inject malicious code into a device. The vulnerability is said to allow testers to retrieve all the user names and passwords stored in the browser. MWR said that accessing a specially crafted web page is all that is required for a successful attack. Google reportedly fixed the vulnerabilities in Android 2.2, code named "Froyo". However, this version has not, and may never, become available for many older devices.
Coverity used automated tools to find the holes; a total of 359 defects were reportedly discovered this way. The security firm said that the HTC code at least contains only half as many defects as average "industry" code. The HTC Incredible was apparently chosen because a Coverity employee owns such a device. Strictly speaking, Coverity therefore only examined HTC's custom version of Android, but the various devices only differ in their hardware drivers, at least as far as the kernel is concerned.