Researcher To Release Web-Based Android Attack 136
CWmike writes "A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android (video) when the victim visits a website that contains his attack code. The bug used in Keith's attack lies in the WebKit browser engine used by Android. Google said it knows about the vulnerability. 'We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser,' Google spokesman Jay Nancarrow confirmed in an e-mail. 'The issue does not affect Android 2.2 or later versions.' Version 2.2 runs on 36.2 percent of Android phones, Google says"
Re:Anything that gets phone makers to update... (Score:2, Informative)
Still waiting for 2.2 from Samsung... so not them!
Re:Anything that gets phone makers to update... (Score:4, Informative)
If you are on the Galaxy S like I am, Froyo started rolling out today in the UK [androidcentral.com] - hoping the US is not far behind.
Re:Anything that gets phone makers to update... (Score:3, Informative)
Samsung or Sprint (I forget which) already stated that the Moment (which I am posting this from) will NOT be getting 2.2. We are STUCK with 2.1.
Re:Anything that gets phone makers to update... (Score:3, Informative)
Motorola Droid has had every update so far.
Re:That so called Researcher should be arrested (Score:3, Informative)
Typically it is considered bad form for security researchers to release exploits before informing the manufacturer. Once the manufacturer has long enough to fix it, if then it is ok to release it. Experience has shown that sometimes this is the only way to pressure manufacturers into patching it.
Another use for the code is so you can learn. I appreciate it when researchers release the code; a lot of hackers try to keep their techniques secret, and we are all worse off for it.
Re:Anything that gets phone makers to update... (Score:3, Informative)
By your definition, Apple's products complete fit the bill. In fact, given one product problem after another, even without your comments, they seemingly fit the bill. Though honestly, I don't believe your assessment of the market, Android+iPhone is even close to reality.
Just the same, Android phones vary widely in fit, function, and quality. Some even exceed the iPhone's quality by a wide margin. Android's success is not because "resistance is futile" mentality as you attempt to push. Its succeeding because they cover every market segment; including the "cheap" market to well beyond what Apple currently provides.