Security Expert Warns of Android Browser Flaw 98
justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'"
Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.
The real problem is... (Score:5, Interesting)
The real problem is that there is no easy way to patch this. Seriously, Android/Google should have long ago known that this situation (i.e. vulnerability with no quick way to patch) could be possible.
Re:Chester Wisniewski's point is invalid, IMO (Score:3, Interesting)
But you do go to Microsoft and ask for Windows patches for your Dell or HP (or even for your iWhatever, if your iWhatever is an iMac, and you're running Windows on it.)
This is a nightmare because you have to go to the company that sells you the gadget... and it can take months for the phone manufacturer to validate a new ROM for your phone based on Google's code, and then a few more months for your carrier to validate that ROM.
Re:Chester Wisniewski's point is invalid, IMO (Score:5, Interesting)
Some things are inherently difficult in an environment with numerous hardware variations that cannot be depended upon(designing UIs that work nicely across multiple screen sizes/keyboards vs. softkeys only, etc, substantial differences in proccessing power, RAM, storage); but most security bugs, unless apocalyptically foundational in some ugly way, generally don't qualify. Nor are security fixes(unlike new features, or issues related to custom skins and other OEM differentiation crap) generally something that carriers are likely to be conflicted about from a marketing perspective. Lots of carriers are doing a lousy job of updating existing handsets to newer android versions because they would really rather just sell you the Model N+1 and another two year contract. Doing that with an obscure bug is harder.