Core Security, who research exploits and loopholes in software releases, have identified eight different security issues in Google’s Android beta, including some that are blamed on the developer’s use of outdated and vulnerable open-source image libraries. The flaws could see a hacker take “complete control” of an Android-powered handset, including exploiting heap overflows and integer overflows, and Core Security demonstrated the issues with proof-of-concept code that worked successfully on the Android SDK emulator.
“Several vulnerabilities have been found in Android’s core libraries for processing graphic content in some of the most used image formats (PNG, GIF an BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open-source image processing libraries other were introduced by native Android code that use them or that implements new functionality” Core Security statement
Google has responded by pointing out that no commercially-released handsets have been produced using the OS, and that some of the libraries have been replaced in the latest version of Android, m5-rc14. Core Security point out that, while m5-rc14 fixes a number of issues, it is still vulnerable to a bug in the component responsible for processing BMP-format images.
The Open Handset Alliance has reiterated that the platform will undergo many changes and updates before it is considered “ready” for consumers.
