Thursday, May 19, 2011

Android security Flaw rolls out

A significant security hole has been discovered in Google's Android operating system for smartphones, which can allow attackers to gain access to users' personal information without their permission.

The newest versions of Android, including the new wave of tablets running its Honeycomb software, are not affected by the bug, according to the researchers at Ulm University who initially reported the issue.

Google on Wednesday began fixing a security flaw that affects some 97% of Android smartphones.

The flaw, which was discovered by three research assistants at Ulm University in the southern part of Germany, affects approximately 97% of Android users.

In a recent blog post, the researchers found that users of Android devices running versions 2.3.3 and below could be susceptible to attack when they are connected to unencrypted Wi-Fi networks. Anyone else on that network could gain access to, modify or delete Android users' calendars, photos and contacts.

"It is quite easy," the researchers wrote in a blog post. "The implications of this vulnerability reach from disclosure to loss of personal information."

A spokesman for Google (GOOG, Fortune 500) said the company is aware of this issue, and a fix is already in place for the calendar and contacts applications in the latest versions of Android, codenamed "Gingerbread" and "Honeycomb." A solution is also in the works for Google's Picasa photo sharing service, he said.

Only about 3% of Android users have the latest versions of the operating system, but Google said Android users running older versions will get a fix "in the next few days." Users don't need to take any action, and the patch will roll out globally.

The security flaw stems from Google making use of an unencrypted login protocol for the affected services. By using HTTP, rather than the more secure HTTPS, "an adversary can easily sniff the [login information]," according to the blog post.
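The exposure described above can be checked for in an application's own request logs. The following is an added example, not code from the researchers or from Google: it flags requests that carry a credential over plain HTTP. The log format, hostnames, token values and the lists of credential-bearing header and parameter names are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Header and query-parameter names treated as credential carriers (assumed list).
CRED_HEADERS = {"authorization", "cookie"}
CRED_PARAMS = {"auth", "token", "access_token"}

def parse_request(raw):
    """Split a raw request (absolute URL in the request line) into its parts."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    method, url, _version = lines[0].split(None, 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlsplit(url), headers

def find_cleartext_credentials(raw_requests):
    """Return one finding per request that sends a credential over plain HTTP."""
    findings = []
    for raw in raw_requests:
        _method, url, headers = parse_request(raw)
        if url.scheme.lower() != "http":
            continue  # TLS-protected requests are not readable by a passive listener
        carriers = sorted(h for h in CRED_HEADERS if h in headers)
        carriers += sorted("query:" + p for p in parse_qs(url.query)
                           if p.lower() in CRED_PARAMS)
        if carriers:
            findings.append({"host": url.hostname, "path": url.path,
                             "carriers": carriers})
    return findings

# Constructed sample requests; hosts and token values are placeholders.
SAMPLE = [
    "GET http://calendar.example.com/feeds/default HTTP/1.1\n"
    "Authorization: Token CONSTRUCTED-TOKEN\n",
    "GET https://contacts.example.com/feeds/default HTTP/1.1\n"
    "Authorization: Token CONSTRUCTED-TOKEN\n",
    "GET http://photos.example.com/albums?auth=CONSTRUCTED-TOKEN HTTP/1.1\n",
    "GET http://static.example.com/logo.png HTTP/1.1\n",
]

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE):
        print(finding)
```

Only the calendar and photo requests are reported: the contacts request uses HTTPS, and the static image carries no credential.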

The kind of attack that can be performed on Android devices over unencrypted Wi-Fi networks is similar to so-called "Sidejacking" attacks on Facebook or Twitter. For instance, Firesheep, a free Firefox extension that collects data broadcast over an unprotected Wi-Fi network, allows users to gain access to other people's Facebook accounts.

Though the researchers found that any unsecured application making use of an Android user's photos, contacts or calendars could be compromised, the data an attacker can gain access to is limited to those three groups. The security bug does not, for example, allow intruders to view a user's e-mails.

Google was able to fix the problem on its end by requiring an HTTPS connection for calendar and contacts synchronization. By solving the problem on its own servers, Google was able to get around a notoriously slow Android update process: after Google updates the code, manufacturing partners and carriers then manipulate the code for each device.

As a result, the vast majority of Android users are still running "Froyo," which launched in May 2010. A quarter of users are still on "Eclair," which came out all the way back in January of last year.

That means a patch for the security hole could have been months or years away for many Android users had Google not found a workaround.

In addition to switching to HTTPS, the researchers also suggested Google prevent Android devices from automatically remembering and logging onto unencrypted Wi-Fi networks. Google did not say whether it had taken any of those steps.

The fix, which addresses a hole allowing hackers to access the contacts, calendars and photos on an Android phone connected to an open Wi-Fi network, will take a few days to cover every phone, a Google spokesman said.

Unlike a traditional software update, the problem exists on Google's servers, so Android users won't need to manually take action.

Android software that has a feature for synchronizing photos to Google's Picasa Web Albums service is also vulnerable. Google does not yet have a solution for that, but a spokesman said the company is investigating the matter.

The server fix involves switching its login systems to a more secure protocol. Use of the less secure method is a common practice on the Web, as CNN reported in November.

Google's swiftness in patching its network is laudable, but the company doesn't seem to have an adequate solution for a time when such a problem could only be fixed in each handset's software, said Adrian Turner, the CEO of device security firm Mocana.

"We don't think there's enough being invested proactively to address some of these threats," Turner said. "You want to avoid the oil spill in the first place."

Google recently acknowledged that its procedure for issuing Android software updates needs work, and formed a consortium of cellular carriers and hardware manufacturers to address the problem.
