Mobile Security: A Busy, Buggy Week
Android users experienced a brief moment of panic last week when they were told their browser could expose them to a security breach. Initially reported by Forbes earlier this month, the vulnerability was discovered by Charles Miller, the same security researcher responsible for uncovering a similar issue in October.
Such a vulnerability could theoretically allow a hacker to take control of Android's browser, putting passwords and credit card information at risk -- but Google was quick to note that the platform's "sandbox" structure prevents applications from accessing the core functions of the phone. Miller then downgraded the threat again, saying the hole would lead the hacker not to the browser, but to the media player. Google has stated that a fix will be issued soon; the patch is reportedly in Google's source code repository already. Bottom line? Do yourself a favor and patch up. You know what they say about prevention.
Android is not alone. Both RIM and Apple had security-related snafus as well. RIM identified a problem with an ActiveX control: an exploitable buffer overflow that creates a vulnerability when loading third-party applications onto your handset. While RIM released a link to the patch in its advisory, Microsoft has also chimed in with a "kill bit" that will keep the affected ActiveX control from running in IE.
Meanwhile, Apple's MobileMe took a hit when its users were targets of a phishing scam. Again. This time around, the scam is an e-mail resembling an official announcement from Apple that informs MobileMe users that their subscription renewal didn't go through due to a credit card processing failure -- and then shunts them to a number-stealing site. A similar phishing scam was attempted in August, so hopefully, few MobileMe users will fall for it.