Google said it is working with T-Mobile to push the first official Android software update to owners of the G1 smartphone. The software fixes a critical vulnerability that allows attackers to extract user information, such as stored passwords and web form data, from the handset. The buffer overflow vulnerability exists because the search giant decided to build Android with an older version of a particular open-source software package that is exposed to a known vulnerability, even though a patched version has been available for some time.
As previously reported, researchers at Independent Security Evaluators (ISE) were the first to highlight the vulnerability, which makes T-Mobile's Android G1 vulnerable to a serious buffer overflow bug that enables attackers to remotely execute malicious code.
Charlie Miller, Mark Daniel and Jake Honoroff, who made the discovery and are also credited with discovering several security vulnerabilities in the iPhone, said that Android's security architecture prohibits attackers from gaining access to core phone functions, like the dialer.
Google asked the researchers to withhold information about the vulnerability from the public until a patch is deployed, but Miller decided to speak out right away. "People should know that there's a problem with the G1 before they buy it," Miller told Computerworld. "I don't want to help the bad guys either, but people should have all the information before they make a decision to buy the phone. I think I'm totally in the right here."