T-Mobile's G1 smart phone has a critical vulnerability in Google's Android operating system that could be used by hackers, according to a leading security researcher.
Led by Charlie Miller, a researcher who has rooted out high-profile bugs in Apple Inc.'s Mac OS X and iPhone, a team from Independent Security Evaluators (ISE) identified the bug and reported it to Google last week. ISE is a Baltimore-based security consultancy where Miller works.
Miller, who declined to get specific about the vulnerability, said only that it is a buffer overflow bug that could be exploited by tricking G1 users into visiting malicious sites. "There's a chance that the attacker could execute malicious code remotely" with the same privileges as the user of the phone's browser, Miller said.
Miller said that after alerting Google, a security researcher from its Android team contacted him for more information, and to ask that he withhold information until a patch was in place. Miller refused to wait, but promised not to disclose any details or technical information that could be used by hackers.
"People should know that there's a problem with the G1 before they buy it," Miller said as he defended his actions. "I don't want to help the bad guys either, but people should have all the information before they make a decision to buy [the phone]. I think I'm totally in the right here."
Google did not respond to a request for comment, or to questions about the status of any patch for Android and the G1.
According to a more detailed warning on the ISE site, the flaw is within one of the more than 80 different open-source packages used by Google to assemble Android. Miller blamed the bug on Google's use of outdated code. "This particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version," said the ISE alert.
Miller declined to name the specific open-source package at fault.
Google has been caught in the same bind before. Because it used an older version of WebKit, the open-source rendering engine that also powers Apple's Safari, for the foundation of its own Chrome browser, users were at risk from attacks based on a months-old flaw that had been dubbed the "carpet bomb" bug.