Eclair browser exploited

Last week, security researchers at Alert Logic released the code to exploit the Android WebKit browser on phones and devices running Android 2.1 or earlier.  The exploit isn't the most serious issue ever released -- it appears to give someone running a web server and listening on a certain port the ability to see your browser and media scanner history -- but it needs to be fixed, and quickly.

Which is why Google fixed it -- in the Spring when Froyo was announced.  Apple fixed it, too.  I can't find any documentation, but I'm pretty sure HPalm did as well.  I'll talk about it a little deeper after the break. [CIO.com] Thanks, Dave!

I use Linux, so I might be a bit jaded; I just wanted to say that up front.  I imagine that a number of exploits and security holes were discussed and made public this week at HouSecCon -- a security conference held in Houston.  I expect application vendors, Linux kernel maintainers, Microsoft software engineers, Apple engineers, and anyone else involved in the creation of software to be hard at work patching them, including the folks working on Android.  Anyone using Windows, Mac OS, or Linux will soon be getting those patches in the form of OS updates.  Companies like Adobe or Mozilla will have patches out to us soon as well.

Mobile is a bit different.  iOS users will have to wait a bit longer to patch any holes in the OS if needed, but once it's done, Apple will roll it out and everyone can take an hour and update if they choose to.  Google will get an update out OTA to Nexus One users if needed, and have all the patches committed to the codebase.  Because of the complexity of a mobile OS, it might be a month or so to get any of these patches, and I can live with that.

But what about the carriers?  If I go out today and buy an Android phone, there's a very good chance it won't be running Froyo.  Depending on the model, it may never be running Froyo.  That means browsing the internet with the built-in web browser is not safe.  Yeah, I said it.  The flaw is in the WebKit code, so it's possible that third-party browsers are unsafe as well.  What do the carriers expect us to do, since they aren't currently offering any alternative?

Proprietary app stores and bloat are annoying.  Many call it fragmentation when carriers get their hands dirty and monkey with the Android source code.  I call that choice -- choose with your wallet.  This is a bit different.  I'm calling you out, carriers -- how are you going to take care of all your subscribers who have phones you can't or won't update, are still in the midst of a long and expensive service contract, yet can't use the internet without exposing themselves to security issues?  What about those phones on your shelves?  Leaving your users hanging is just wrong, and any who are proactive and take the steps to fix these sorts of things themselves are left with a very expensive phone without a warranty.  Step up to the plate and earn some of that money you're making from us Android users.

Any of you out there that have had enough and are ready to fix things yourselves, jump into the forums.  There's a really good reason to root now.


Reader comments

Not running Froyo? Careful what websites you visit

Unless you bought your phone off contract and direct from the manufacturer, the carrier is the one responsible -- both for taking your money and supporting their products.

I waited two extra months to get 2.2 for Droid X and it still feels like it was rushed. There are bugs everywhere. Be patient.

I say better yet, let them modify it... But they need to modify it in a modular way so that the core pieces that need to be updated can be updated when Google does it.

Let them skin it all they want, but it should be done so in a way like Launcher Pro. It's an app that can be downloaded. "Stock android is still stock android. That can update. We want you to have our skin because we feel it betters the experience. It's an add-on that will not affect the update of the OS. The update may affect the skin, of which we can easily patch for you."

I think that's how manufacturers should handle it.

Sprint and HTC rolled out Froyo for the EVO (on August 3rd) about two months after the phone came out (June 4 IIRC), which was only about a week after Froyo was officially released (last week of May). Sense is probably more deeply entrenched into the OS than any other manufacturer mod too. Just saying...

Oh and I think all of HTC's successive phone launches since then were packing Froyo too, not sure. The G2, MyTouch 4G, Desire HD, and Z all launched with it no? Speak with your dollar people, and inform those around you who may not know any better. It's the only way carriers and manufacturers will get the message.

This is why we should have no system apps, if we could just download the stock browser from the market we would all be safe.

Like any other device used to access online content, one should always be careful where you go and what you download. That's just common sense, but it's always good to remind the masses. :)

I'm willing to wait in order to get a quality update, but I'm sooooo sick of hearing that Gingerbread and Honeycomb are right around the corner when my Epic still doesn't have Froyo. Android needs to concentrate on updating recently released phones and quit spending all their time thinking of new sh*t for phones that are barely even in development. Can I get a good, stable Froyo? I probably won't see anything past that for the Epic so I won't worry about Gingerbread and on and on. Maybe a switch back to Blackberry is in my future.

You do realize it's not up to Google (or Android as you refer to them) to update your device. It's up to the manufacturers and carriers. They have the drivers and the extra software/skins they mix in or put on top of the Android OS that keeps it from easily updating.

Google is doing its job by providing the OS and all updates to it. It's not like RIM (Blackberry) or Apple. They have full control over hardware and software. Google is just the OS provider. It's up to the manufacturers and carriers to step up their game.

Sorry to cross-promote sites AC, but engadget had a pretty good article the other day about mobile phones and OS's that kinda went down this path. It's a good read. Please forgive me AC!