A researcher who found a security hole in the Android mobile platform in October has found another one that he says is serious enough for him to recommend people not use the Android browser until the patch is installed.
Charlie Miller, a principal analyst at consultancy Independent Security Evaluators, said on Thursday that a patch for the vulnerability is available on Google's source code repository, but has not yet been made available for download onto the phones via the T-Mobile service.
Like the previous hole, the new vulnerability could allow an attacker to remotely take control of the browser, access credentials, and install a keystroke logger if the Android user visits a malicious Web page.
"All the gory details are out there and they still haven't patched it," he said, adding that he recommends that Android users avoid browsing the Web until they have patched their phones.
Android Security Engineer Rich Cannings said PacketVideo developed a fix for the vulnerability on February 5 and patched Open Source Android two days later. Google offered the patch to T-Mobile when it became available and G1 Android users "will be updated at T-Mobile's discretion," he said in a statement.
The bug was found in code that was not written by Google but was contributed by multimedia software company PacketVideo to the open source Android project. PacketVideo's OpenCore media library is used in the mediaserver and is executed within its own Application Sandbox, according to Google.
"Media libraries are extremely complex and can lead to bugs, so we designed our mediaserver, which uses OpenCore, to work within its own application sandbox so that security issues in the mediaserver would not affect other applications on the phone such as email, the browser, SMS, and the dialer," Cannings wrote. "If the bug Charlie reported to us on January 21st is exploited, it would be limited to the mediaserver and could only exploit actions the mediaserver performs, such as listen to and alter some audio and visual media."
T-Mobile representatives were unavailable for comment.
Miller, who presented a talk on the Android vulnerability at the Shmoocon security conference in Washington, D.C., on Saturday, said he notified Google about 17 days before he gave the talk.
"By comparison, when we found the bug in October in Android, they fixed it in 12 days," with a patch available for the phones, he said. "They have it in their power to do this quickly."
Updated at 4 p.m. PST to clarify Google's comment that the bug is limited to the mediaserver code and not the entire browser.