ZDNetAsia : Printer Friendly - Google fixes Android root-access flaw

To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Asia.
--------------------------------------------------------------

Google fixes Android root-access flaw

By David Meyer
Tuesday, November 11 2008 09:19 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,62048148,00.htm

A bug has been found in Google's Android mobile platform that allows command-line instructions to be automatically run with root privileges.

The bug was revealed late last week, and Google told ZDNet Asia sister site ZDNet UK on Monday that it had already developed a fix. The operator T-Mobile has, however, not yet said when it will be pushing the update out to users of its G1 handset--the first and, thus far, only handset to use the Android software stack.

"We've been notified of this issue and have developed a fix," Google's spokesperson said. "We are currently working with our partners to push the fix out and are updating the source code base to reflect these changes."

The flaw means any recognizable command line can be run from applications in Android phones that are not using the latest firmware. It also effectively means Android has been reading and automatically interpreting and acting upon inputted text. For example, a commentator on the bug thread on Android's forums noted that a text conversation unexpectedly led to their phone being rebooted.

"I was in the middle of a text conversation with my girl when she asked why I hadn't responded," wrote 'jdhorvat'. "I had just rebooted my phone and the first thing I typed was a response to her text which simply stated 'Reboot'--which, to my surprise, rebooted my phone."

Google's spokesperson told ZDNet UK that the issue had come to light as the company was working on a fix to stop users 'jailbreaking' (making it possible to use another operator's SIM card on) their T-Mobile G1 handsets. The spokesperson added that Google had not received any reports of the issue being exploited.

According to the forum thread, the issue is only to be found in firmware versions prior to the current version, RC30.

This latest flaw follows another highly publicised vulnerability in the Android browser that could have made it possible for users to be tricked into visiting malware-laden Web sites. Google has since patched that flaw as well.