Google details 'reboot' bug, Android security fixes
Company has begun sharing some details of the vulnerabilities fixed by patches this month to the T-Mobile G1's Android operating system.
Stephen Shankland, principal writer
The company had acknowledged some of the work earlier, but it hasn't posted an official comment about the vulnerabilities. But Rich Cannings of the Android security team shared details about the RC29 and RC30 updates that T-Mobile began distributing to G1 customers at least as early as November 1 and November 9, respectively.
Google had acknowledged the RC29 patch for the G1 fixed a browser vulnerability that could have let an attacker use malicious code on a Web site to take over the browser. The severity of such issues is limited by Android's security design, which walls off applications into separate compartments to limit an attacker's power. But Cannings said the patch also fixed two other issues.
The Android browser is based on the open-source WebKit engine for converting HTML instructions into an actual Web page, and RC29 brought Android up to date with two patches that had been released but that Google had missed. One of them is a universal cross-site scripting problem that could give an attacker control of the browser, Cannings said.
Google plans to publish fuller details on its Android Security Announcements group soon, Cannings said, but the company waits until the patches have been offered to all users before disclosing full details.
RC30 and the root console bug
RC30, which came about a week later, fixed an unusual "root-console" problem in Android in which text that people typed--while composing e-mail messages or searching contacts, for example--could be executed as Linux commands with the highest-level privileges. One user found it by typing the word "reboot" in a text message.
The problem was that Google left in a feature that let programmers execute commands with a remote device attached over a serial port, but when there was no such device attached, the phone just used input from the keyboard.
Linux and Unix users are advised to use their systems with "root" privileges reserved only for administrators, but Android was actually giving anybody that privilege. The problem was lessened because many characters used in Linux commands, such as hyphens, tildes, and slashes, weren't available, but it was still a big problem, Cannings said.
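A check in the spirit of the leftover debug feature described above, added here as an example and not code from Google or T-Mobile: it parses a constructed init.rc-style configuration (the syntax is assumed from later public Android releases; the real G1 configs are not on this page) and flags services that start at boot as root with a console attached, shown beside a hardened variant that keeps the shell disabled unless the build is marked debuggable.

```python
import re

# Constructed sample, not the real G1 config: a debug shell left on the console.
WEAK_INIT_RC = """\
service console /system/bin/sh
    console
service adbd /sbin/adbd
"""

# Constructed hardened variant: disabled unless the build is marked debuggable.
HARDENED_INIT_RC = """\
service console /system/bin/sh
    console
    disabled

on property:ro.debuggable=1
    start console
"""

def parse_services(text):
    """Map service name -> {"cmd", "options", "user"}; init runs as root unless told otherwise."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # section header: service / on / import ...
            m = re.match(r"service\s+(\S+)\s+(.+)", line)
            current = None
            if m:
                current = {"cmd": m.group(2), "options": set(), "user": "root"}
                services[m.group(1)] = current
            continue
        if current is not None:  # indented line: an option of the current service
            parts = line.split()
            if parts[0] == "user" and len(parts) > 1:
                current["user"] = parts[1]
            current["options"].add(parts[0])
    return services

def root_console_services(text):
    """Services that start at boot as root with a console: typed text becomes privileged commands."""
    return sorted(
        name for name, svc in parse_services(text).items()
        if svc["user"] == "root"
        and "console" in svc["options"]
        and "disabled" not in svc["options"]
    )
```

Run against the weak config the audit reports `console`; against the hardened one it reports nothing, because the shell only starts when `ro.debuggable` is set.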
"We tried really hard to secure Android. This is definitely a big bug," he said. "The reason why we consider it a large security issue is because root access on the device breaks our application sandbox."
On the flip side, though, it would have been hard to use: "The barrier is very high to exploit this...It requires a challenger to exploit users," he said. For example, an attacker might have to convince a user to install a game with keyboard movement commands that actually typed out "telnetd" to launch the phone's telnet application to open the phone up to remote control.