Researchers find vulnerability in Android browser


Researchers have found a cross-application scripting vulnerability in an earlier version of Google’s Android that allows possible attacks on devices running the operating system. The vulnerability lets an attacker exploit the Android browser’s URL loading process to inject JavaScript that runs in the browser and breaks the sandboxing that protects sensitive information.

“By exploiting this vulnerability a malicious, non-privileged application may inject JavaScript code into the context of any domain... Additionally, an application may install itself as a service, in order to inject JavaScript code from time to time into the currently opened tab, thus completely intercepting the user’s browsing experience,” Roee Hay and Yair Amit of IBM Rational Application Security Research Group said in their security advisory.

In their advisory, they said a malicious application can cause Android’s browser to reach the maximum tab limit, then insert the JavaScript. A malicious app can also send two consecutive startActivity calls, causing Android’s browser to load the first call, which includes the attacked domain, and then the second call, which contains the JavaScript code.

Hay and Amit said Android 2.3.4 and Android 3.1 have been found vulnerable. But they also noted that Android 2.3.5 and 3.2, which incorporate fixes for the bugs, have been released.

“Patches are available for Android 2.2. and will be released at a later date. Organizations can contact security@android.com for patch information,” they added.

— LBG, GMA News