Earlier this week, Charles Miller, principal security analyst at Independent Security Evaluators, discovered a bug in the multimedia subsystem Android uses for its browser. Initially, Miller warned that the bug could be used to run arbitrary code in the phone’s Web browser. As a result, he urged users to use the browser on the T-Mobile G1 with caution until a patch could be deployed.
Now, Miller is stating the vulnerability isn’t as serious as he first thought: “While the bug can be activated by the browser, the actual code that would be executed by a successful attack would run in the media player, not the browser,” he said. “This means it would live in the media player sandbox and not the browser sandbox, and would presumably have different capabilities. I haven't actually investigated the media player sandbox at this point, so I can't say for sure. This makes the bug less dangerous than I thought.”
The bug exists in PacketVideo’s OpenCore media library. It is an integer underflow in the Huffman decoding routine: a wrapped size value defeats the bounds check on a write into a heap-allocated buffer. According to an oCERT advisory, decoding a specially crafted MP3 file results in heap corruption, leading to an unexpected crash or arbitrary code execution.
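The class of bug described above, as an added illustration that is not OpenCore’s code: a toy decoder with a hypothetical frame layout (an offset byte, a count byte, then packed 2-bit codes) computes the remaining space in its output buffer as `out_len - offset` in unsigned arithmetic. When the attacker-controlled offset exceeds the buffer size, the subtraction wraps to a value near `SIZE_MAX`, the "is there room?" check passes for any count, and the decode loop writes past the heap buffer. The hardened variant tests the subtrahend before subtracting. The output buffer is placed at the front of a larger heap arena filled with a canary so the overrun stays in memory the program owns and can be observed rather than crashing the process; the names `decode_frame`, `run_case` and the frame format are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy decoder constructed to illustrate the bug class described above.
 * It is NOT OpenCore's Huffman routine, and the frame layout is hypothetical:
 *   byte 0      : offset  - index in the output buffer where decoded symbols start
 *   byte 1      : count   - number of symbols to decode
 *   bytes 2...  : packed 2-bit codes, four per byte, LSB first
 * Both header bytes come straight from the untrusted file. */

enum { OUT_LEN = 16, ARENA_LEN = 64, CANARY = 0xA5 };

static const uint8_t SYMBOLS[4] = { 'a', 'b', 'c', 'd' };   /* 2-bit code -> symbol */

/* Decodes one frame into out[]. Returns the number of symbols written,
 * or -1 if the frame is rejected. */
static int decode_frame(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_len, int hardened)
{
    if (in_len < 2)
        return -1;
    size_t offset = in[0];
    size_t count  = in[1];

    if (hardened) {
        /* Test the subtrahend first; the subtraction can then never wrap. */
        if (offset > out_len || count > out_len - offset)
            return -1;
    } else {
        /* BUG: when offset > out_len, out_len - offset wraps around to a
         * value near SIZE_MAX, so "count > space" is false for every count
         * and the write below runs past the end of the heap buffer. */
        size_t space = out_len - offset;
        if (count > space)
            return -1;
    }

    if (in_len - 2 < (count + 3) / 4)        /* enough packed code bytes? */
        return -1;

    for (size_t i = 0; i < count; i++) {
        uint8_t code = (uint8_t)((in[2 + i / 4] >> (2 * (i % 4))) & 0x3);
        out[offset + i] = SYMBOLS[code];
    }
    return (int)count;
}

/* Runs one frame against a 16-byte output buffer at the front of a 64-byte
 * heap arena whose remainder is filled with a canary, so an overrun stays
 * inside memory we own and can be observed instead of crashing. Returns:
 *   -1  decoder rejected the frame
 *    0  decoded, canary intact
 *    1  decoded, bytes past the output buffer were overwritten */
int run_case(int hardened, uint8_t offset, uint8_t count)
{
    if ((size_t)offset + count > ARENA_LEN)   /* keep the demo inside the arena */
        return -2;

    uint8_t frame[2 + 64];                    /* constructed input frame */
    frame[0] = offset;
    frame[1] = count;
    memset(frame + 2, 0x1B, 64);  /* 0b00011011: codes 3,2,1,0 -> "dcba" repeated */

    uint8_t *arena = malloc(ARENA_LEN);
    if (!arena)
        return -2;
    memset(arena, CANARY, ARENA_LEN);

    int result = decode_frame(frame, sizeof frame, arena, OUT_LEN, hardened);
    if (result >= 0) {
        result = 0;
        for (size_t i = OUT_LEN; i < ARENA_LEN; i++)
            if (arena[i] != CANARY) { result = 1; break; }
    }
    free(arena);
    return result;
}

int main(void)
{
    printf("valid frame   : vuln=%d hardened=%d\n", run_case(0, 4, 8),  run_case(1, 4, 8));
    printf("count too big : vuln=%d hardened=%d\n", run_case(0, 4, 13), run_case(1, 4, 13));
    printf("offset > size : vuln=%d hardened=%d\n", run_case(0, 20, 8), run_case(1, 20, 8));
    return 0;
}
```

Note the ordering in the hardened check: `offset > out_len` is evaluated before `out_len - offset`, so the subtraction only happens once it is known not to wrap. If the output buffer were its own `malloc` allocation rather than the front of an arena, building with `-fsanitize=address` would flag the vulnerable path as a heap-buffer-overflow on the first frame with `offset > out_len`.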
Android’s media server runs in its own application sandbox, which limits the kind of danger Miller initially described. Because of this separation, a Google spokesperson said, security issues in the media server would not affect other applications on the G1 such as e-mail, the browser, SMS (Short Message Service), and the dialer. Google says it designed the OS from the ground up with security in mind and chose the sandbox architecture specifically to contain the damage any single exploit could cause. As Miller himself noted, though, what the media player sandbox actually permits had not yet been examined.
After Google was notified of the vulnerability, it contacted PacketVideo, T-Mobile, and oCERT. PacketVideo developed a fix, and open-source Android was patched by February 7th. The patch was offered to T-Mobile as soon as it became available, but G1 users must now wait for T-Mobile to ship it in a firmware update: it was not included in the G1’s recent RC33 upgrade.