Last year, we reported on a serious vulnerability in all versions of Android, found by security researcher Thomas Cannon. It allowed a remote attacker to download files off a user's SD card when the user visited a webpage with malicious JavaScript code embedded in it. Google's response was swift, and the fix was rolled out in the public release of Gingerbread at the end of 2010.

A new report from eWeek came out today stating that another researcher, Xuxian Jiang, this time from North Carolina State University, has stepped forward with a tweak to the very same vulnerability Google reportedly patched. The new method circumvents the protection put in place and allows an attacker, yet again, to access a user's SD card as well as the /system directory and other directories that are open for reading in the Android sandbox. As before, an attacker has to know file and directory names in advance, but considering the common naming conventions employed by many applications (including your camera), it's easy to imagine a scenario with lots of personal information getting stolen.

Note that because the /data directory is not available within the Android sandbox (try visiting this directory with a file manager like ASTRO), no application settings or sensitive logins can be stolen as a result of this vulnerability. I don't mean to belittle how serious the issue is, but I don't want to blow it out of proportion either.

"What I can say at this point is that the previous patch indeed fixes the previously reported exploit," Jiang told eWEEK. "However, there are other ways to exploit the same (or similar—depending on how you view the problem) flaw. As I pointed out earlier, the ultimate fix will require changing some essential components in the Android framework itself."

Google is reportedly aware of the new issue and is already testing a fix, which will be rolled out as an update to the next Gingerbread revision. Many Android phones are likely never going to see this fix due to the ongoing complexities of releasing Android updates, and will probably stay vulnerable forever.

Source: eWeek via Engadget

Image credit: AndroidSpin