Chicago (IL) - At the ShmooCon hacker conference in Washington D.C., security researcher Charlie Miller presented a new vulnerability in Google's mobile OS Android, which lets hackers take control of the phone's web browser and other processes from a remote location. Once an individual's phone has been compromised, the hackers are capable of gaining access to saved credentials stored in the browser and the browser's history.
The vulnerability is within code written by PacketVideo, a software company which contributed an open version of their Core multimedia application framework to Android, thus making it the multimedia subsystem for the Android web browser.
When the flaw was discovered, Google was notified, and on January 21st Google claimed a fix would be issued "as soon as it becomes available."
The fix has actually been available since February 7th, only it has not been pushed out to Android phones. In fact, the patch can be found in Google's source code registry, making the danger really irrelevant.
With the exploit having been around for a while, many are curious as to why they've heard nothing of it until now. It's not because the vulnerabilities are only marginally dangerous; in fact, Miller is recommending that owners of Android phones avoid using the web browser until the patch is released. The vulnerability is very serious and a breach could have consequences for all users involved. If you must use your phone, you are advised to visit only trusted sites and to use only the T-Mobile network (don't use a WiFi connection).
Google has released the following statement:
"Charlie Miller, a security researcher at Independent Security Evaluators, contacted security@android.com on January 21st regarding a bug in PacketVideo's OpenCore media library that he intended to disclose on February 7.
Media libraries are extremely complex and can lead to bugs, so we designed our mediaserver, which uses OpenCore, to work within its own application sandbox so that security issues in the mediaserver would not affect other applications on the phone such as email, the browser, SMS, and the dialer. If the bug Charlie reported to us on January 21st is exploited, it would be limited to the mediaserver and could only exploit actions the mediaserver performs, such as listen to and alter some audio and visual media.
The Android Security Team responded by contacting PacketVideo, T-Mobile, and oCERT, a public Computer Emergency Response Team. PacketVideo developed a fix on February 5th, and they patched Open Source Android two days later. oCERT assisted PacketVideo with coordinating the fix, and they published an advisory detailing this issue. We offered the patch to T-Mobile when it became available, and G1 users will be updated at T-Mobile's discretion.
We thank our partners PacketVideo, oCERT, and T-Mobile for their engagement and attention to this issue."
Android is in some ways much more secure than other operating systems. Its architecture uses a sandbox approach that stops malicious code injected into the browser from accessing and taking over other parts of the mobile operating system. The downside is that individuals might accidentally give permission to a malicious application, making their phone vulnerable to a breach.
Some feel that the Android still needs to do more; the majority of the security issues which have been uncovered thus far have been serious.








