Last year, we reported on a serious vulnerability in all versions of Android, found by security researcher Thomas Cannon. It allowed a remote attacker to read files off a user's SD card when the user visited a webpage with malicious JavaScript embedded in it. Google's response was swift, and the fix shipped in the public release of Gingerbread (Android 2.3) at the end of 2010.

A new report from eWeek came out today stating that another researcher, Xuxian Jiang of North Carolina State University, has stepped forward with a variation on the very same vulnerability Google reportedly patched. The new method circumvents the protection that was put in place and once again lets an attacker read files from a user's SD card, from the /system directory, and from any other directory that is world-readable from the Android application sandbox. As before, the attacker has to know the file and directory names in advance, but since many applications (the stock camera included) name their files predictably, it is easy to imagine a scenario in which a lot of personal information gets stolen.

Note that because the /data directory is not readable from the Android application sandbox (try to list it with a file manager like ASTRO), the application settings and stored logins kept there cannot be stolen through this vulnerability. I don't mean to belittle how serious the issue is, but I don't want to blow it out of proportion either.
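As an added illustration of the point above (this is not code from the original post or from either researcher): the reason /data is out of reach while /sdcard and /system are not comes down to the "others" permission bits, because the browser runs under its own unprivileged uid and belongs to none of the privileged groups. The POSIX shell snippet below classifies directories from `ls -ld` output. The sample lines are constructed to mirror a typical Android 2.x layout and are assumptions, so check your own device with `adb shell ls -ld /sdcard /system /data`.

```shell
#!/bin/sh
# Added example (not from the original post): decide what an unprivileged
# process such as the browser could reach in each directory, from `ls -ld`
# output. Only the "others" bits (columns 8-10 of the mode string) matter.
#
# On a real device run:  adb shell ls -ld /sdcard /system /data
# The SAMPLE lines below are constructed to mirror a typical Android 2.x
# layout; they are assumptions, not captured from any particular handset.

# classify_dir "<one ls -ld line>"  ->  readable | traversable | closed
#   readable    : others may list the directory (r and x set)
#   traversable : others may only open an entry whose exact name they know (x only)
#   closed      : others get nothing
classify_dir() {
    set -- $1                 # split the line into fields; $1 is now the mode string
    mode=$1
    r=$(printf '%s' "$mode" | cut -c8)
    x=$(printf '%s' "$mode" | cut -c10)
    case "$x" in
        x|t) exec_bit=1 ;;    # 't' is the sticky bit, which also implies x for others
        *)   exec_bit=0 ;;
    esac
    if [ "$r" = "r" ] && [ "$exec_bit" = 1 ]; then
        echo readable
    elif [ "$exec_bit" = 1 ]; then
        echo traversable
    else
        echo closed
    fi
}

# Constructed sample output (assumed Android 2.x permissions, see above).
SAMPLE='d---rwxr-x system   sdcard_rw 2010-12-01 12:00 /sdcard
drwxr-xr-x root     root      2010-12-01 12:00 /system
drwxrwx--x system   system    2010-12-01 12:00 /data
drwxrwx--- system   cache     2010-12-01 12:00 /cache'

# audit_sample: print one "<dir>: <class>" line per sample entry.
audit_sample() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        dir=${line##* }       # last field of the ls -ld line is the path
        printf '%s: %s\n' "$dir" "$(classify_dir "$line")"
    done
}

audit_sample
```

A directory that is only traversable still lets an attacker open a file beneath it whose full path they already know, which is exactly why this attack depends on predictable file names; listing the directory to discover names is what the missing r bit prevents. Whether anything beneath such a directory can actually be read then depends on each file's own mode bits.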

"What I can say at this point is that the previous patch indeed fixes the previously reported exploit," Jiang told eWEEK. "However, there are other ways to exploit the same (or similar—depending on how you view the problem) flaw. As I pointed out earlier, the ultimate fix will require changing some essential components in the Android framework itself."

Google is reportedly aware of the new issue and is already testing a fix, which will be rolled out as part of the next Gingerbread revision. Many Android phones are likely never going to see this fix, given the ongoing difficulty of getting Android updates onto shipped devices, and will probably stay vulnerable forever.

Source: eWeek via Engadget

Image credit: AndroidSpin

Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • dbareis

    If Microsoft didn't patch the much older WINXP for security patches then we'd be screaming. Why is that not happening for phone, particularly when over the air updates make it so easy?

    • Astria

      Google fixed it, it's just the carriers who are not doing anything...

      • dbareis

        Google hasn't set up the environment where this can happen nor set expectations.

    • http://yobif.com yobif

We can't blame Google... it's because of the carriers, I think.

      • http://www.toysdiva.com PixelSlave

We "SHOULD" blame Google, because they insist that, being totally open, they are not responsible for this kind of fix. Just because they make the Android OS open source doesn't mean they cannot require the Android smartphone makers to meet certain requirements when it comes to updating existing handsets. For example, they can open source the Android project using a different name, and only allow a smartphone maker to use the "Android" name if they can deliver updates in a timely manner.

The fact is Google pretends they live in a perfect world where makers will have incentives to update their phones due to competition. But in reality, since ALL smartphone makers don't want to update their old devices, NONE of them would provide a fix.

      • dbareis

        There should be clear separation between the OS and what carriers put on top. I should be able to do my own patching from updates google supply or the Google bits and the carrier can do carrier updates for their bits.

  • mrw

    This post is a bit misleading. Only one phone (Nexus S) has Gingerbread and therefore all of the rest of the Android phones (including the N1) are still open to the first vulnerability and likely to remain so for the foreseeable future. It appears likely that only the Nexus S users will be able to benefit from Google's eventual fix to the second vulnerability as well. What a mess.

    • Ruben

      I have 2.3.1 on my Tmo G2. :) Team Gingervillian.

    • Artem

Hardly misleading, considering I specifically point out and mention Gingerbread, and I am not even sure you saw the conclusion to either this post or the previous one, where I rip into Google for the poor update process.

      • mrw

Yes, you did mention Gingerbread and that "many" Android phones would probably remain vulnerable because of the flawed update process. Thank you for writing the post and calling attention to the problem. I think you were too understated -- most (not many) current Android phones will remain vulnerable. As more exploits are inevitably uncovered this will only get worse. Google has created a kind of perfect storm for security vulnerabilities that can't readily be patched -- not because they can't write the code to fix them, but because they can't deliver it to the consumers.

  • Zamy

    U all is poen la..doing something don't think first..Android the best..Adios amigo..

  • Deon

I really think Google should have considered a way to push out updates to their Android phones, maybe not whole OS upgrades, which require carrier intervention, but a method should be in place to push out simple security fixes. Maybe via the Market. An end user loads the Market and a message pops up "A new security patch is available, install it now?", they click yes, and boom, they're patched. No OS upgrade required. I do agree it's messed up that they created a fix to this security flaw only in Gingerbread; it'll take forever for any decent phone to get to Gingerbread, and older phones can forget about it. There needs to be a quick fix, a patch, something. I run Gingerbread on my G2 (CM7) so I'm safe, but only because I cared enough to put a custom ROM on my personal phone; but it's the concept. I have 6 different family members with various Android phones because I recommended it to them, and now they're all vulnerable. Great.

    • http://www.AndroidPolice.com Artem Russakovskii

      You're still not safe - the patch for the new attack hasn't been rolled out and released to the public yet.

  • vernon

I love Android... tired of getting updates late... I own a Desire... Google does not bring the Nexus series to South Africa... so with all this said... if Google does not take control of their OS or bring the Nexus to South Africa, I'm afraid I'm leaving for the much more boring iPhone or Windows Phone... simple as that. I don't wanna fiddle and flash my phone. I want a complete product. This is why I left WinMo for Android; sadly it seems it's more messy at Google than it ever was with WinMo... seems Microsoft has their house in order, so if this shit continues with Google I'm leaving when I'm released from my two year contract :(

    • Deon

Yeah, I left WinMo for Android and have been a huge Android fan. But it does seem Google wasn't prepared for this project. It's grown up so fast and gotten so big that they're disorganized. They don't listen to their developers' complaints, they don't listen to their users' complaints, they're scrambling and releasing new OS updates but ignoring the older releases and ignoring carriers and vendors that aren't pushing the updates to their phones, they don't have a way to do minor patches to their OSes, etc. I really feel for Google; this has become a major and daunting task, but I think in the end it would pay off for them if they just stick with it and throw more resources at it. They need more personnel and departments to handle users' requests and complaints and developers' requests, etc. If I end up leaving Android it'll suck, but I'm still anti-iPhone, and so I may just go to WinMo 7. I like how, like Android, they support multiple vendors (HTC, Samsung, Dell, etc.), but they won't allow a vendor to release the product without it being thoroughly stress tested in a factory they built just for it. Robotic fingers pushing buttons hundreds of thousands of times to ensure durability and stability of the OS. They don't allow custom UIs, so the experience is the same across multiple devices. In one sense it's more boring than Android, but in another, you have the consistency of Apple with the freedom of choice (vendor wise anyways) you get with Android. I'm still an Android fan at the moment, I'll never own an iPhone, but I am keeping an eye on WinMo 7 as my backup plan if Google doesn't get their act together.