Nokia Admits Security Flaws in Series 40 OS

Nokia confirmed Thursday its widely used Series 40 operating system has security vulnerabilities that could allow stealth installation and activation of applications.

But the company was evasive on whether it paid €20,000 (US$29,500) to researcher Adam Gowdiak of Security Explorations, who wanted payment for effort spent finding the flaws.

"For obvious reasons of security, we will not comment further on the detail of our activities with Security Explorations," wrote Nokia spokeswoman Kaisa Hirvensalo, in an e-mail.

Gowdiak, a researcher in Poland, said earlier this month he had found problems with Java 2 Micro Edition, (J2ME) an application framework for mobile devices, as well as the Series 40 OS. Nokia claims Series 40 is the mostly widely used mobile device platform.

Gowdiak has done research on the Java Virtual Machine and wrote on his Web site that he worked at one time for its developer, Sun Microsystems.

Vendors typically steer clear of paying researchers for vulnerability information and alternatively encourage what they term is "responsible disclosure," or a discrete notification before vulnerability information is made public. Otherwise, users of a particular software are at risk while a vendor tries to develop a patch.

Nokia said some of its Series 40 products are vulnerable to an attack that could result in the secret installation of applications. The company said it has also found earlier versions of J2ME could allow privilege escalation or access to phone functions that should be restricted.

"Our testing has been concentrating on products that might have both of the claims present," according to a Nokia statement.

Nokia said it isn't aware of attacks against Series 40 devices, and the problems do not represent a "significant risk."

While details on the vulnerabilities are limited, Gowdiak has said an attack could be mounted by sending maliciously crafted messages to a particular phone number.

Gowdiak could not be immediately reached for comment.

Subscribe to the Security Watch Newsletter

Comments