ANDROID SECURITY UPDATE: THE PANASONIC DETAILS

26 May, 2009  |  Written by admin  |  under Google Phone


Remember last week when we told you something was happening, we just weren’t sure what? We guessed that UK-based Android phones were getting some kind of security update, and that US-based Android phones that had installed the UK 1.5 Cupcake for all its goodies were ALSO getting the update, mistaking it for the official Cupcake OTA? It appears our guess was correct, and now we have some details.

The security flaw was pretty severe (at least in concept). Basically, when 2 applications by the same author are installed on your Android device, the operating system allows the applications to share data between those applications without requiring confirmation by the user. The vulnerability would allow application developers to circumvent the system's inter-application checking, essentially gaining access to other applications NOT written by that developer.

Ouch. Start talking about applications from Visa, your bank, or applications that might have other sensitive data, and that is a potentially severe security flaw. Or maybe it would just access your SMS, contacts, PIN pattern for the lock screen, or other information readily available to other apps? Not good… not good at all. But to the credit of Google and the OHA, we’re not finding this information out until AFTER (we assume) the vulnerability has already been removed.

This affected the following versions of Android:

  • 1.5 CRB17
  • 1.5 CRB42

The “fixed” version is listed as “1.5 CRB43” and the flaw doesn’t affect 1.0 and 1.1, but let us know if you’re still running one of the flawed versions.

Another interesting tidbit to point out is that credit for noticing the security flaw was given to Panasonic! A few days ago we learned, by way of Panasonic themselves, that we could see a Panasonic Android phone in 2010. Seeing as how they are neck deep in the code, finding vulnerabilities before other OHA members, perhaps a Panasonic Android phone will come sooner rather than later?


The Panasonic CEO mentioned they were “discussing” Android and were “considering” the platform for overseas products… in reality they are MUCH further along than that, and the fact that they sourced this security flaw illustrates the fact.

This information was published publicly on oCERT.org - an organization I’m not familiar with but whose members include Google, Intel, Nokia and Wind River. Here is a section from the oCERT About page:


The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities, just like national CERTs offer services for their respective countries.

The service aims to help both large infrastructures, like major distributions, and smaller projects that can’t afford a full-blown security team and/or security resources. This means aiding coordination between distributions and small project contacts. The goal is to reduce the impact of compromises on small projects with little or no infrastructure security, avoiding the ripple effect of badly communicated or handled compromises, which can currently result in distributions shipping code which has been tampered with.

The bug was reported by Panasonic on May 14th and 4 days later the Android Security Team requested assistance from oCERT. It appears the issue was resolved on May 22nd. I know curiosity killed the cat but I can’t help but ask… what was the Android Security Team doing for the 4 days the security threat was known before oCERT was working on it, and how long was this vulnerability “out there”?

[Thanks James!]
