Researcher To Release Web-Based Android Attack

CWmike writes "A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android (video) when the victim visits a website that contains his attack code. The bug used in Keith's attack lies in the WebKit browser engine used by Android. Google said it knows about the vulnerability. 'We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser,' Google spokesman Jay Nancarrow confirmed in an e-mail. 'The issue does not affect Android 2.2 or later versions.' Version 2.2 runs on 36.2 percent of Android phones, Google says"

Anything that gets phone makers to update...

[mykos]

So many phone makers seem to think the worst thing in the world is to provide users an official update. Maybe this will get them in gear.

As an aside, does anyone know what phone makers are good about keeping updates coming?

Re:

[Anonymous Coward]

Still waiting for 2.2 from Samsung... so not them!

Re:Anything that gets phone makers to update...

[stoolpigeon]

If you are on the Galaxy S like I am, Froyo started rolling out today in the UK [androidcentral.com] - hoping the US is not far behind.

Re:

[toastar]

If you are on the Galaxy S like I am, Froyo started rolling out today in the UK [androidcentral.com] - hoping the US is not far behind.

If you have root like I do, you probably have had froyo for months

Re:

[cwtrex]

I have been researching roms and kernels for the Samsung Epic, which of course is a CDMA phone and has 4g. You didn't mention which Samsung S you have, but are you aware of a rom that is Froyo and also has CDMA, Wifi, and 4g capabilities for the Samsung Epic?

Is there a way to keep the stock rom, but force it to upgrade to froyo using root?

Re:

[peragrin]

And this is one of the main reasons not to get an Android phone. In order to get upgrades you have to root(jailbreak) the phone. Apple may be a control freak, but at least they are willing to support their products for more than 6 months.

  So many Android phones have come and gone one would think that an game AI was trying to find the right product. I just realized Android phones are the Zerg of cell phones. Cheap, mass produced, and die off quickly.

Re:

[GooberToo]

By your definition, Apple's products complete fit the bill. In fact, given one product problem after another, even without your comments, they seemingly fit the bill. Though honestly, I don't believe your assessment of the market, Android+iPhone is even close to reality.

Just the same, Android phones vary widely in fit, function, and quality. Some even exceed the iPhone's quality by a wide margin. Android's success is not because "resistance is futile" mentality as you attempt to push. Its succeeding because

Re:

[jeffmeden]

I am honestly not trolling... But, please tell me which Android phone is "well beyond what Apple currently provides [in the iPhone 4]"...

Re:

[GooberToo]

Several HTC, Samsung, and Moto devices have all been highly regarded. Especially the latest Samsung S series units. Moto and HTC also make some of the lowest of the lower end devices too.

Seriously, go check out some of the android sites like www.androidguys.com and you will find lots of good information on good Android devices.

Generally the biggest complaint about Android devices originate from the the Apple camp and it almost always boils down to - its not an iPhone and/or it doesn't run the OS I'm used to

Re:

[jeffmeden]

Owning a Fascinate (verizon galaxy s phone) I can say that while advanced, and smart, it is not really any measure better than the iPhone. Lacking a front facing camera, any sort of LED message notification, and sporting a screen technology that is both lower in resolution and far harder on battery life make it impossible to ever classify it as "well beyond what apple currently provides". The incredible's lack of significant screen resolution (even after the switch to LCD to improve reliability and batter

Re:

[GooberToo]

The S family is actually fairly large. I can't speak to your particulars but I can absolutely assure you, there are many phones which are on par or simply out class the iPhone.

Much of your complaints are also of the personal opinion variety rather than technical merit. That goes back to my open mindedness comment before.

Re:

[jeffmeden]

As a cellphone is something one must live with day in and day out, personal opinion on size/shape/feel are HUGE factors, and dismissing these with a wave of your hand is incredibly ignorant. Feel free to include details on your merit-based argument if you *really* think it's that compelling.

Re:

[GooberToo]

You're trolling.

Your personal opinion is not my personal opinion. The opinions of the iPhone crowd rarely match that of the Android crowd which rarely match that of the "other" crowd. So your saying it doesn't match your personal opinion holds zero sway. The legitimate point remains, with absolutely no hand waving, excluding your own. There are many Android devices which are superior to that of the iPhone. Period.

Which means, strictly based on your own personal opinion, its up to you if you can find one you

Re:

[jeffmeden]

You're such an anti-apple fanatic that you can't see the forest for the trees, and think that anything outside your notion of "fair" is a troll. I asked you twice to name these specific "technical, non-subjective features" that you insist certain phones posses that make them superior to the iPhone. Please do so, unless you want to be the one trolling.

Re:

[jDeepbeep]

So many Android phones have come and gone one would think that an game AI was trying to find the right product. I just realized Android phones are the Zerg of cell phones. Cheap, mass produced, and die off quickly.

I'd have to agree with you. I have a Droid Eris that Verizon has declared end -of-life in under a year of its release, and they have also stated it will never be updated to 2.2. I have no choice but to root the phone, since I'm not going to buy a newer, shinier unsubsidized device at $600+ a pop.

Re:

[whodunnit]

Yes like my ipod touch, that for one update i had to PAY to get the upgrade, and now is completely un supported. Yep... apple rules. Oh no, wait.. the suck. And that's why I bough an android phone.

And you don't have to root your phone to get an update, but you CAN.

Damn fanboys.

Re:

[jeffmeden]

If you have genuine security needs (and concerns) like I do, you wouldn't touch a rooting system and hacked rom with a 10 meter patch cord. Hoping for increased security by running "newer" code from completely untrusted sources... What could possibly go wrong?

Re:

[Spykk]

Who is a trusted source? Apple? Motorolla? I'll trust the source code that I am free to read myself long before I'll trust anything a phone manufacturer forced on me.

Re:

[Johnny O]

Samsung or Sprint (I forget which) already stated that the Moment (which I am posting this from) will NOT be getting 2.2. We are STUCK with 2.1.

Re:

[Anonymous Coward]

2 year contract, 6 month technology cycle. Didn't you expect this? I know I did when I bought mine. Just root the sucker and put on a third party rom, which runs incredibly better anyway.

Re:

[Johnny O]

I came with 1.5. I was PLEASANTLY suprised they upgraded to 2.1. Lots of other phones released at the same time are going 2.2. This one was abandonded. Android 2.2 comes with tethering and Sprint doesn't want that (without fees).

Re:

[Zero__Kelvin]

"I came with 1.5."

You are a serious enthusiast. I am loved my first Android phone, as well as my recent one, and I plan on getting the Mytouch HD now that is has been released, but I never came; it didn't even get me hard.

Re:

[jeffmeden]

"I came with 1.5."

You are a serious enthusiast. I am loved my first Android phone, as well as my recent one, and I plan on getting the Mytouch HD now that is has been released, but I never came; it didn't even get me hard.

You are overlooking the possibility that he is a sentient smartphone and was merely referring to the software which was preloaded at birth...

Re:

[Zero__Kelvin]

I am overlooking no such thing. His SlashID is lower than mine, and he was therefore born well before Smart Phones themselves of any sort existed.

Re:

[LandGator]

Perhaps he rooted /. in order to acquire a lower SlashID.

Re:

[Zero__Kelvin]

"Perhaps he rooted /. in order to acquire a lower SlashID."

Try to be serious. Do you really think I hadn't considered that? A sentient being capable of doing such a thing would hardly waste their time with Slashdot. Sheesh ... do you people even stop to think just a little bit before posting these kind of ridiculous and sad attempts to seem smarter than I am?

Sincerely,

- SAM (Sentient Android Master)

Re:

[Pollardito]

I think you'd still be fine without rooting as long as you installed mobile firefox from the Android store? This is a webkit attack that targets the default browser.

Re:

[Nerdfest]

Why would it? In most cases they almost seem to be of the attitude that "You bought it, now it's your problem".

Re:

[mini me]

Apple might give you a few updates when you first purchase your device, but they soon stop coming too. First generation iPhone and iPod touch owners are already without the option of upgrading to iOS 4.

Re:

[mcvos]

Probably because the hardware is not compatible enough anymore. When technology moves as fast as this, a 3 year cycle is still better than what many other manufacturers give us. Networks expect us to get a new phone every two years.

Re:

[rainmouse]

When technology moves as fast as this, a 3 year cycle is still better than what many other manufacturers give us.

You say that 3 years before Apple technology is obsolete and basically abandoned by its manufacturer and pretend that its both acceptable and better than any other manufacturer? Please could you provide some kind of backup to this claim?

Re:

[mcvos]

How is support for the HTC G1? How many other 3 year old phones still get regular updates?

I'm not saying it's acceptable, I'm just pointing out Apple isn't any worse than any other manufacturer in this. And it's not exactly surprising, considering the networks want to sell us a phone every two years.

At the moment, the only way out of this is to make sure you own your phone, and aren't tied to a manufacturer or network to keep your phone up to date.

Re:

[peragrin]

HTC support their phones for 6-12 months. maybe it depends on how many units sold.

Carrier supplied phones are still using android 1.5, 1.6

Apple is literally 3 times better at old software updates than everyone else who sells phones.

Re:

[rainmouse]

Apple is literally 3 times better at old software updates than everyone else who sells phones.

As I said before, please back up these claims. Without proof or some kind of source these could well just be figures plucked from thine own bunghole.

My partners android phone with Orange has been automatically updated to 2.2, why would carriers be supplying phones using android 1.5? Again back up your claims with evidence or a link to something other than ranting on a forum please.

Re:

[mcvos]

My partners android phone with Orange has been automatically updated to 2.2,

And that phone was 3 years old? I'm impressed!

Re:

[peragrin]

The HTC Aria came out in may/June 2 months after the offical 2.2 Froyo came out.

It still isn't updated to 2.2 stock. HTC won't do it. ATT won't do it.

HTC Hero is also officially only android 2.1 with no official updates yet.

instead of being an asshole why don't you go look it up. Here is the problem, you have to look up every phone by each carrier separately to find out if an update may or may not be forth coming. Even then half the time they refuse to list what version of android is avialable unless it

Re:

[tehcyder]

My TMobile Pulse is stuck on android 1.5 unless you want to download a Hungarian upgrade, the thought of which does not fill me with confidence. Is there some easy auto-update feature that needs to be switched on?

(I have zero technical interest in mobile phones in case anyone starts laughing).

Re:

[rainmouse]

Try settings / about phone / system software updates and make sure the tick box is checked. There should also be an option to 'check now' (Not sure how different this method may be on other android phones but I'm hoping its just the same).

The problem is that the carriers sometimes lock out the updates until they can mess about with their own branding on it which can take months. One option is to remove the branding from your phone allowing you to update it yourself though this can be a somewhat technical

Re:

[peppepz]

My HTC phone was supported for 0 months, is the most buggy phone I've ever owned, and in its life it has received 0 (zero) updates - not to upgrade it from Android 1.6 which was already obsolete one month after the phone was released (September 2009), but not even a minor update just to fix the dozens of bugs it has.

In comparison, my $60 dumbphone from another manufacturer has seen 3 firmware updates so far.

Re:

[poetmatt]

really? The original android phone has no problem with froyo 2.2, the original droid has no problem with 2.2.

It's not about hardware, it's whether people are willing to make it work.

Re:

[Culture20]

Apple might give you a few updates when you first purchase your device, but they soon stop coming too. First generation iPhone and iPod touch owners are already without the option of upgrading to iOS 4.

Probably because the hardware is not compatible enough anymore. When technology moves as fast as this, a 3 year cycle is still better than what many other manufacturers give us. Networks expect us to get a new phone every two years.

iPhone 2G users also didn't get security patches for the pdf security vulnerability found immediately after the iOS4 release (which was reported to work on older versions). Apple just said "3 years of security updates is enough for any computer that happens to have a phone built in".

Re:

[mini me]

The first generation iPhone and the iPhone 3G have virtually the same hardware. Apple did not drop support for hardware reasons.

Re:

[mcvos]

Motorola, HTC and all the rest could take a page from Apple and take better care of their customers.

Personally I'd appreciate it if Motorola took a page from HTC and didn't use an encrypted bootloader, so I can update the OS myself.

Re:Anything that gets phone makers to update...

[cheater512]

N900 is pretty good. 3 core updates (I think) so far plus a upgrade to Meego when it is finished.
Also half the price of similar phones.

Re:

[mcvos]

Really? It was still $500 when I considered the N900. (I chose against it because I don't want a stylus; I want multitouch.)

Re:

[Doug Neal]

But the catalog of applications available is dire. Nobody is developing for it. Yes there are a few apps which are really cool, but they're the exception, and they don't have the same level of polish as you'd expect from Android or iPhone apps. And still no decent Webkit browser!

I'm dumping my N900 for an Android device as soon as I'm out of contract. Sad really because the hardware is excellent, and it had a lot of potential.

Re:

[cheater512]

Erm...Why do you want a Webkit browser?
Its got essentially raw Firefox and all its capabilities.

As alternatives it has Fennec and Opera as well.

Re:

[Doug Neal]

Because Webkit is superior to Gecko - it's faster and it uses less memory. The built in MicroB browser is not very quick. Fennec is even worse. The GUI responses lag behind the input noticeably.

I wasn't aware of Opera being available for the N900 though, I will give it a try.

Re:

[cheater512]

I doubt Webkit would do any better than MicroB on the N900. Remember that its processor it half the speed of most newer phones.

And no Gecko is not inherently slow and bloaty. Put any experience you have with desktop Firefox away because it doesnt quite apply to Fennec or MicroB.

Re:

[rmcd]

One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.

The other problem is that hardware becomes outdated and perhaps challenging to update. T-mobile just started updating the MyTouch 3G (which I have). This is a 15-month-old phone running stock android, and I think it took them a long time because the hardware is old.

I don't think this is as trivial a problem as some of

Re:

[causality]

One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.

Emphasis added.

I don't think this is as trivial a problem as some of the commenters would suggest.

It's trivial because those customizations that hinder updates are idiotic. If they were important and non-essential then it would be non-trivial. As it stands, the problem is very easy to solve.

Re:

[rmcd]

You're right, but ...

It's easy to solve if customers demand clean implementations. I don't see that happening anytime soon. No one I know (apart from friends who are the type to read slashdot) even knows what android is, let alone the difference between "with google" and not.

Re:

[tlhIngan]

One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.

The other problem is that hardware becomes outdated and perhaps challenging to update. T-mobile just started updating the MyTouch 3G (which I have). This is a 15-month-old phone running stock android, and I think it took them a long time because the hardware is old.

It's phone makers AND carriers. The only real reason

Re:Anything that gets phone makers to update...

[bhagwad]

Won't it be nice if someone sues a carrier for not providing updates because of which their phone was hacked and valuable data lost? It'll be like a wet dream come true for me :D

Re:

[khchung]

Won't it be nice if someone sues a carrier for not providing updates

So you would be happy to encourage carriers to pick phones that do not have updates so they won't be liable for not providing the updates to customers?

Re:

[Zarf]

Motorola Droid has had every update so far.

Re:

[markhb]

Yeah, well, I've got the original CLIQ, which is just getting the long-awaited upgrade from 1.5 to 2.1, with very few hopes of getting an official bump to 2.2. I wonder if they can backport the WebKit fix from 2.2 into 2.1 without breaking everything in sight.

Re:

[zarthrag]

My nexus one gets 100% pure updates through T-mobile. If I'm impatient, I can run official builds directly from google. No missing features, no custom UI elements. I'll have tethering for free while everyone else pays, and any other feature Google releases that doesn't defy my hardware.

Re:

[peragrin]

The Nexus 1 uses stock android though.

the majority of HTC models lag 6-12 months behind in updates simply because they have to make sure their UI updates correctly on the older hardware. It is also why HTC stops updating phones much earlier than apple does simply because it becomes far to much work for a limited group that you want to purchase new phones anyways.

Re:

[rwa2]

As an aside, does anyone know what phone makers are good about keeping updates coming?

Um, anything supported by CyanogenMOD [slashdot.org]? I specifically shopped for a phone on their list.

Not as convenient as OTA updates, sure. But there's enough good stuff in there to make it well worth the effort to flash from 2.1 to 2.2

Re:

[trcooper]

HTC and Verizon have been good on the Incredible. The second update to the phone in 6 months is set to go next week. This will be a minor update to the Froyo release that went out in August / September I believe. I also expect that we'll see Gingerbread a month or two after it's released.

 

Re:

[tixxit]

I JUST got a 2.1 update from TELUS (Canada) for my HTC Hero. It was several months after most other providers released the update. As far as I know, this is it for support for my phone; HTC only promised up to 2.1. It is annoying that phone companies sell 3 year contracts that come with a phone, when that phone is only supported for 1 year. For all the Apple bashing, at least they actually support their product for the expected lifetime of the device, rather than ditching it as soon as it hits that 1 year

Re:

[ronocdh]

As an aside, does anyone know what phone makers are good about keeping updates coming?

No. I have a Nexus One and am extremely pleased with it. The unlocked bootloader means I can run whatever version of the operating system I want. Google releases the source code months (in some cases, maybe years) before most phone manufacturers get around to offering an update, but modding communities like CyanogenMod [cyanogenmod.com] have an extremely fast turnaround. They build for many different handsets, by different vendors, patch often (there are nightly releases available if you're into that), and don't seem to have

Re:

[tehcyder]

I wouldn't stand for having a computer that restricted the software I'm allowed to run on it, and I don't see any reason to change that philosophy for using a "smartphone."

Having come late to the smartphone joy ride, I've concluded that it's a fucking waste of time, and in future I'll stick to using computers for the internet and everything else, and leave the phone for calls and texts only.

I really can't be bothered with having to update the operating system for what is still basically just a phone.

Re:

[ronocdh]

I really can't be bothered with having to update the operating system for what is still basically just a phone.

You know, a lot of people would say that same thing about their computers. And if you're thinking of devices like the Nexus One as "basically just a phone," you haven't spent time with one. Even calling it "basically just a computer" is selling it short; this thing has a faster processor, more RAM, and more storage space than my desktop computer from ten years ago. And it fits in my pocket.

If you want to be all "Get off my lawn" about smartphones, be my guest. But the influx of mobile computing is happenin

Re:

[tehcyder]

Good point, my wife looked at me pityingly the other day when I started babbling about androids, rooting and custom roms. She has a blackberry.

And the rest?

[AlanCramer]

What about the rest on versions lower than 2.2?

Re:

[tjhart85]

What about the rest on versions lower than 2.2?

Google provided the code with the fix in it, it's up to the manufacturers to give it to the people that bought the phone.

Apple = "Jailbreak", Android = "Risk"?

[TaoPhoenix]

Isn't this roughly similar to the effects obtained by the earlier exploits on iOS? However, there many users first feeling was some relief from the monolithic Apple gate system, but here on Android the spin feels more like traditional tech news.

Risk outweighs benefit

[tepples]

Isn't this roughly similar to the effects obtained by the earlier exploits on iOS?

Technically it is. But unless you bought your Android phone from AT&T, you have the option to put in your own command prompt through "Unknown sources". So any jailbreaks for Android are considered less necessary, and the risk outweighs the benefit.

Re:

[the_humeister]

Even if you do have an AT&T Android phone, which I do, it is still possible to use apk (a tool found in the Android SDK) to transfer programs to the phone. It's pretty simple to use too. Of course, to get rid of the crapware AT&T installs, rooting is still required.

Re:

[mcvos]

There was that one time when a major vulnerability was presented (even here!) as a very convenient way to jailbreak your iPhone. Just visit this website!

Re:

[TaoPhoenix]

Yes, that especially was the one I was thinking of.

Welcome to the community

[gmuslera]

Thomas A. Anderson is specialized in killing Agents, John Connor in killing Terminators, and now M.J. Keith kill Androids... that comes just in time when Hollywood was running out of ideas for a new movie.

Re:

[jokermatt999]

They already had a guy for that; he was played by Harrison Ford.

Misleading Headline

[Farmer Tim]

I read the headline and immediately thought a mad scientist was about to unleash an army of things resembling a cross between Spiderman and the Terminator, and we should all cower in terror in our makeshift basement bunkers awaiting our inevitable destruction.

But TFA revealed it's just a smartphone hack.

All we need is a brand of toilet paper called "Flying Car" and my disappointment with the 21st century will be complete.

Ratings

[tpstigers]

Headline = 1,000,000 points. Copy = I don't know - about a dozen points. Maybe.

Class Action Lawsuit?

[JSBiff]

I wonder if there is any law which covers this sort of situation. The original G1 was only released like 3 years ago - not really very old, but T-Mobile has completely abandoned owners/users of the G1 and is not providing any additional updates.

Honestly, I blame Google. From day 1, it should have been mandatory that OS updates would come from Google, forever. Carriers don't give a crap about keeping users in updated code once the phone is sold. To them, it's just a device which comes in a box, gets sold, and if it becomes 'obsolete' within 2 years, well that's just another box they can sell you in 2 years.

It's absolutely inexcusable that a programmable, Internet enabled device of the complexity of a G1 should not have guaranteed security updates for the included software, for a minimum of 10 years.

Re:

[getto man d]

Google and the hardware manufacturers are both to blame; Google (for the reasons you stated) and the manufacturers for adding in their 'own' elements departing steadily from vanilla android.

I've seen many comments on /. how Android is amazing, especially since it is fragmented (linux and windows arguments) but this is the worst possible case for the mobile platform, IMHO. Unless of course you don't mind upgrading your phone every 'x' amount of years. Some of us don't have the spare $$ and truly want a

Re:

[Psiren]

10 years support for a phone is never going to happen, and it shouldn't. A ten year old device like that would be hopelessly outdated. Even something 2 years old looks pretty pathetic nowadays. They should however be forced to provide updates for the duration of your contract. I know mobile contracts over in the US are pretty fucked up, but here in the UK my current phone is on a two year contract. I just got the update to 2.2 yesterday, but I've still got another 20+ months of contract to run. That's certa

Re:

[Woek]

One of the selling points of the Google Nexus One phone was direct support from Google, and therefore the quickest updates. The phone is quite a bit more expensive than the HTC desire/incredible, which is practically the same phone.

Re:

[TimTucker]

This was also a selling point of the ADP1 (basically the developer version of the G1). Some of us did shell out early for an unsubsidized Android phone with the expectation that it would be directly supported by Google.

Re:

[akadruid]

I don't know why you've selected the G1 - it was one of the better supported phones. It got all the upgrades for the first year, from 1.0 to 1.6.

Pick something like LG GW620/Eve/InTouch Max/KH5200. Released in 2010, in dozens of countries, running android 1.5, it was never updated and was fully abandoned by manufacturer and carriers in under 6 months. There are hundreds of thousands of them out there on 18 or 24 month contracts which won't expire until 2012.

It is fully capable of running android 2.2, and

Re:

[JSBiff]

I accept that the G1 can't do all the things that phones with faster CPUs, more RAM, and more flash memory can. I'm not talking about updates to the latest-greatest version of Android. I mean simply fixes for things like this exploit - Google might say that upgrading the entire OS might fix the problem, but they should also be prepared to offer *small* OTA fixes for older versions of Android to address problems just like this, and the carriers need to get those fixes out to the handset owners. Fix the kerne

This is a good thing

[RichiH]

Yes, there will be a lot of trouble once people lose all their contacts & emails, buy a random Market app for 1000 and similar.

But this will _force_ makers, vendors, network operators and everyone else to introduce sane update policies. These machines are a small PC. They need the same software update capabilities.

Re:

[js3]

irony

Re:

[MichaelKristopeit161]

testing security infrastructure for consenting users

Re:

[tepples]

How can he be permitted to release something, which when used as intended, does harm to others?

For the same reason that tobacco manufacturers are permitted the same thing.

Re:That so called Researcher should be arrested

[sitharus]

Because we've seen from history that most companies won't patch an exploit unless it's screaming at them, and that most exploits are picked up by people who wish actual harm on you before security researchers find them.

Hopefully this will force some device manufacturers to release 2.2 updates for their devices, and with any luck it'll teach them to stick with stock android rather than loading crapware.

Re:

[TaoPhoenix]

50% tangent, MS Security Essentials is flagging Firesheep on me, even though it's more of a security risk to *other* people. They're banking on the lowest X % being so scared to get away from the "Nice Safe Green" effect.

Re:

[jhigh]

"A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones.

How can he be permitted to release something, which when used as intended, does harm to others? This is insane...and he does it "in the light of day!"

Other tools that folks have used to harm others have dual use...but for this code, I do not see any use save for harm. What am I missing?

He is publishing code that can be used to exploit a vulnerability. This could be used for malicious purposes, or it could be used for security demonstrations, as an example to be taught to infosec students or any of a ton of other academic and/or security-related purposes. He is not actually using the code to do anything malicious. Please tell me exactly what statute he is in violation of? Are you saying that no one should ever publish code for exploits?

Re:

[cosm]

"A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones.

How can he be permitted to release something, which when used as intended, does harm to others? This is insane...and he does it "in the light of day!"

Other tools that folks have used to harm others have dual use...but for this code, I do not see any use save for harm. What am I missing?

Either your just whooshing, or you just got whooshed by the submitter and the rest of this community.

Re:

[santax]

I can understand your point of view. But look at mine pov. It's better to have a dude with an agenda including things as: job improvement, proof of concept releasing this then it it that Group X with selfenrichment AND costing damage to you releases it. It's gonna be released anyway. That's for sure.

Re:

[phantomfive]

This is a known exploit, Google has patched it. It isn't like this is some secret thing that no one would have known about if he didn't release it; anyone who actually cares (and has the technical ability) already has the exploit. So he is not harming you really.

Typically it is considered bad form for security researchers to release exploits before informing the manufacturer. Once the manufacturer has long enough to fix it, if then it is ok to release it. Experience has shown that sometimes this is the on

Re:

[Anonymous Coward]

As the owner of a Samsung Galaxy S phone, the manufacturer Samsung has released its 2.2 version for a while. Unfortunately, since I'm under the TMobile carrier, I'm still stuck with 2.1. They said it'll be updated by the end of the year, and every time TMo makes a prediction, it usually takes another 3 months - so March 2011 for me. Why the delay? Probably to keep its bloatware and layout working.

I'll be luck if I don't lose my data by then.

Re:

[phantomfive]

You won't lose your data. The exploit doesn't allow full access to the phone. Still, you ought to have a backup of all that data anyway, in case your phone gets run over by a truck.

Re:

[BrokenHalo]

...in case your phone gets run over by a truck.

That isn't as silly as it sounds. I drove my tractor (twice - forwards and backwards) over my Motorola Razr2 V9 a few months ago. Funny thing is, although the phone looked a bit of a mess, it was still working after that. I guess that qualifies as an endorsement. :-}

Re:

[RMH101]

I was tempted on several occasions to drive over my old RAZR, or throw it out of the window. I always thought that Moto's hardware designers might have put some extra effort into the robustness of the handset given they knew what software was going to end up on there...!

Re:

[BrokenHalo]

Agreed about their software. But I don't use the device for much more than making calls and sending text messages, for which it's adequate. That handset is really beginning to flake out now, so I'll have to take a look at the competition. Yes, I am still using it - in a way, it's kind of cool to have a phone that has been so extensively abused. ;-}

Re:

[tehcyder]

No code release is necessary, just research what API call is broken and how. The purpose of such information is to fix the bug and allow for users to mitigate the attack vector, if possible. Without this information, only black hats can steal your information without you even being aware it was possible.

Yes, but the problem (as with Firesheep) is that what was once something requiring technical knowledge becomes easily available to script kiddies.

It's like why you don't generally sell alcohol or guns to children.