November 11, 2008 11:03 AM PST

Google details 'reboot' bug, Android security fixes

by Stephen Shankland

The G1's request to update its Android software.

(Credit: Stephen Shankland/CNET News)

Google has begun releasing some details about the vulnerabilities it patched in two updates to its Android operating system software in the T-Mobile G1 smartphone.

The company had acknowledged some of the work earlier, but it hasn't posted an official comment about the vulnerabilities. But Rich Cannings of the Android security team shared details about the RC29 and RC30 updates that T-Mobile began distributing to G1 customers at least as early as November 1 and November 9, respectively.

Google had acknowledged the RC29 patch for the G1 fixed a browser vulnerability that could have let an attacker use malicious code on a Web site to take over the browser. The severity of such issues is limited by Android's security design, which walls off applications into separate compartments to limit an attacker's power. But Cannings said the patch also fixed two other issues.

The Android browser is based on the open-source WebKit engine for converting HTML instructions into an actual Web page, and RC29 brought Android up to date with two patches that had been released but that Google had missed. One of them is a universal cross-site scripting problem that could give an attacker control of the browser, Cannings said.

RC29 also fixed a problem that could let someone bypass Android's locking mechanism by booting the phone into safe mode.

Google plans to publish fuller details on its Android Security Announcements group soon, Cannings said, but the company waits until the patches have been offered to all users before disclosing full details.

RC30 and the root console bug
RC30, which came about a week later, fixed an unusual "root-console" problem in Android in which text that people typed--while composing e-mail messages or searching contacts, for example--could be executed as Linux commands with the highest-level privileges. One user found it by typing the word "reboot" in a text message.

The problem was that Google left in a feature that let programmers execute commands with a remote device attached over a serial port, but when there was no such device attached, the phone just used input from the keyboard.

Linux and Unix users are advised to use their systems with "root" privileges reserved only for administrators, but Android was actually giving anybody that privilege. The problem was lessened because many characters used in Linux commands, such as hyphens, tildes, and slashes, weren't available, but it was still a big problem, Cannings said.

"We tried really hard to secure Android. This is definitely a big bug," he said. "The reason why we consider it a large security issue is because root access on the device breaks our application sandbox."

On the flip side, though, it would have been hard to use: "The barrier is very high to exploit this...It requires a challenger to exploit users," he said. For example, an attacker might have to convince a user to install a game with keyboard movement commands that actually typed out "telnetd" to launch the phone's telnet application to open the phone up to remote control.

RC30 also fixes two WebKit problems that Apple--which also uses the software in its Safari browser--reported to Google, Cannings said. First is a buffer overrun issue relating to JavaScript style sheets that could let an attacker gain control over the browser by putting malicious code on a Web site. Second is a problem that could let people read what's in the phone's memory, potentially gaining access to Web site cookies and thereby gaining online privileges. "If you're logged into a bank at that time, (an attacker) could steal your banking cookies," Cannings said.

Stephen Shankland writes about a wide range of technology and products, but has a particular focus on browsers and digital photography. He joined CNET News in 1998 and since then also has covered Google, Yahoo, servers, supercomputing, Linux and open-source software, and science. E-mail Stephen, or follow him on Twitter at http://www.twitter.com/stshank.
by LaptuaZ November 11, 2008 12:56 PM PST
Wish I could download the update...don't know how I feel about push downloads...I wish I had R29 or R30, the whole fix of disabling the device as a USB drive to get the alarm to work was very lame. So far, I love the UI and the phone, but it does have several problems such as the alerts not working correctly, or not at all, for instance, if I am in the Gmail program, and leave the phone idle, it will not alert me that I have gotten new emails if the phone is idle, so I have to make sure I am back at the home screen to get all my alerts, the problem exists for both email, Gmail, instant messages, and text messages. The vibrate on the phone is VERY sub-par, this is a huge problem for me due to the fact that if I am walking down the street and cannot hear my phone, the vibrate does little to no use...bottom line, I find myself checking the phone to see if I have gotten any emails or messages...not only does the sound system bug out, but the alert window does not always show either, this means I am constantly opening up email, Gmail, IM, and text messages...which is a lot to just see if anyone has tried to contact me...for all the cool stuff this phone does, it seemed to miss the basic mark of "Hey someone is trying to get a hold of you..." bravo to the cut and paste, everything else seems to be working fine on it though...I have learned to get around most of the problems I have had. I had a Wing before which was horrid...way too slow to do anything with...but at least I knew when I got a message ;)
by LaptuaZ November 11, 2008 12:57 PM PST
oh yeah, and I kept trying to get the "reboot" bug to happen with no success...not even the bugs work right on my phone :p
by AppleSuxLeo November 11, 2008 2:33 PM PST
Google is where MSFT was about 20 years ago regarding security. Chrome is POS as well as it suffers from Heap Fragmentation and hits the CPU hard even after the page has loaded. IE8 has no such issues.