Google details 'reboot' bug, Android security fixes

Google has begun releasing some details about the vulnerabilities it patched in two updates to Google's Android operating system software in the T-Mobile G1 smartphone.

The company had acknowledged some of the work earlier, but it hasn't posted an official comment about the vulnerabilities. But Rich Cannings of the Android security team shared details about the RC29 and RC30 updates that T-Mobile began distributing to G1 customers at least as early as November 1 and November 9, respectively.

Google had acknowledged the RC29 patch for the G1 fixed a browser vulnerability that could have let an attacker use malicious code on a Web site to take over the browser. The severity of such issues is limited by Android's security design, which walls off applications into separate compartments to limit an attacker's power. But Cannings said the patch also fixed two other issues.

The Android browser is based on the open-source WebKit engine for converting HTML instructions into an actual Web page, and RC29 brought Android up to date with two patches that had been released but that Google had missed. One of them is a universal cross-site scripting problem that could give an attacker control of the browser, Canning said.

RC29 also fixed a problem that could let someone bypass Android's locking mechanism by booting the phone into safe mode.

Google plans to publish fuller details on its Android Security Announcements group soon, Cannings said, but the company waits until the patches have been offered to all users before disclosing full details.

RC30 and the root console bug
RC30, which came about a week later, fixed an unusual "root-console" problem in Android in which text that people typed--while composing e-mail messages or searching contacts, for example--could be executed as Linux commands with the highest-level privileges. One user found it by typing the word "reboot" in a text message.

The problem was that Google left in a feature that let programmers execute commands with a remote device attached over a serial port, but when there was no such device attached, the phone just used input from the keyboard.

Linux and Unix users are advised to use their systems with "root" privileges reserved only for administrators, but Android was actually giving anybody that privilege. The problem was lessened because many characters used in Linux commands, such as hyphens, tildes, and slashes, weren't available, but it was still a big problem, Cannings said.

"We tried really hard to secure Android. This is definitely a big bug," he said. "The reason why we consider it a large security issue is because root access on the device breaks our application sandbox."

On the flip side, though, it would have been hard to use: "The barrier is very high to exploit this...It requires a challenger to exploit users," he said. For example, an attacker might have to convince a user to install a game with keyboard movement commands that actually typed out "telnetd" to launch the phone's telnet application to open the phone up to remote control. "

RC30 also fixes two Webkit problems that Apple--which also uses the software in its Safari Browser--reported to Google, Cannings said. First is a buffer overrun issue relating to JavaScript style sheets that could let an attacker gain control over the browser by putting malicious code on a Web site. Second is a problem that could let people read what's in the phone's memory, potentially gaining access to Web site cookies and thereby gaining online privileges. "If you're logged into a bank at that time, (an attacker) could steal your banking cookies," Cannings said.