Google explains reboot bug in Android, RC29 and RC30 changes
As we learned a couple of days ago, the T-Mobile G1’s firmware revision RC29 contained a rather embarrassing bug: any text entered on the keyboard could also be interpreted as a Linux shell command and executed with root privileges. Typing <enter>reboot<enter> while writing an email, for example, actually rebooted the phone. Annoying, obviously, but also very dangerous: an attacker could trick a user into typing a command that launches telnetd (giving the attacker remote access to a root shell) or, if he just wants to cause a little mayhem, into entering commands that brick the phone.
Until now Google had been somewhat tight-lipped about the patches, presumably because it didn’t want to hand information to would-be attackers before the OTA updates had reached G1 users, but it has now revealed a little more about the fixes in RC29 and RC30, even though a full changelog is not yet available.
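The article only describes the symptom. The behaviour it describes matches init starting /system/bin/sh as root on the console device (the console service in init.rc), so that keystrokes are read by a root shell; that cause is an assumption made here, not something the article states. The following audit script is an added example, not code from the article or from Google, and the two init.rc fragments are constructed for illustration, not copied from any firmware image. It checks whether a console service is enabled and runs as root, which is the condition a practitioner would want to rule out on a device:

```shell
#!/bin/sh
# Added example: audit an Android init.rc for an enabled console shell service
# running as root (assumed here to be the condition behind the RC29 keyboard bug).
# Neither the script nor the init.rc fragments come from the article or the firmware.

# audit_console_service: reads init.rc text on stdin, prints a one-line verdict and
# returns 0 if an enabled console service would run as root (vulnerable), 1 otherwise.
audit_console_service() {
    awk '
        # A service stanza starts in column 0: "service <name> <binary> [args]".
        /^service[ \t]/ {
            in_console = ($2 == "console")
            if (in_console) { found = 1; cmd = $3 }
            next
        }
        # Any other column-0 line (on, import, another service) ends the stanza.
        /^[^ \t#]/ { in_console = 0; next }
        in_console && $1 == "disabled" { disabled = 1 }
        in_console && $1 == "user"     { user = $2 }
        in_console && $1 == "console"  { on_console = 1 }
        END {
            if (!found) { print "ok: no console service defined"; exit 1 }
            # init starts services as root unless a "user" option says otherwise.
            if (user == "") user = "root"
            vulnerable = (!disabled && user == "root")
            printf "%s: console service %s user=%s disabled=%d console=%d\n",
                   (vulnerable ? "VULNERABLE" : "ok"), cmd, user, disabled, on_console
            exit (vulnerable ? 0 : 1)
        }
    '
}

# Constructed fragment: console shell enabled, no user option, so it runs as root.
# The unrelated adbd stanza after it checks that options are not misattributed.
VULNERABLE_RC='service console /system/bin/sh
    console

service adbd /sbin/adbd
    disabled'

# Constructed fragment: console shell disabled and demoted to the shell user.
FIXED_RC='service console /system/bin/sh
    console
    disabled
    user shell
    group log'

if printf '%s\n' "$VULNERABLE_RC" | audit_console_service; then
    echo "-> keystrokes on the keyboard console would reach a root shell"
fi
if ! printf '%s\n' "$FIXED_RC" | audit_console_service; then
    echo "-> console service cannot hand out a root shell"
fi
```

On a real device the input would be the init.rc pulled from the boot image (or /init.rc on older builds); the exit status lets the check sit in a larger provisioning or compliance script.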
While RC30 focused mainly on the root console bug and the potentially dangerous G1 “jailbreak”, it also fixed two vulnerabilities in the phone’s WebKit-based browser: a buffer overrun that could allow an attacker to take control of the browser, and a flaw that exposed the phone’s memory, possibly letting a malicious website read cookies belonging to other sites.
RC29 fixed the WebKit cross-site scripting vulnerability and a security hole that allowed someone to circumvent large parts of Android’s security mechanisms by booting into safe mode.
via CNET