CVE-2009-1754

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam™
Beyond Security®

SecuriTeam™ Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

	SecuriTeam™ in Your Inbox

	E-mail this CVE-2009-1754 to a friend

New vulnerability?
New tool?
Tell us

Credit:
The information has been provided by Will Drewry.
The original article can be found at: http://www.ocert.org/advisories/ocert-2009-006.html

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Check for CVE-2009-1754

Vulnerability Assessment and Management.
Automated Pen Testing for 50 to 50,000 nodes
beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Android version 1.5 CRB17 through version 1.5 CRB42

Immune Systems:
* Android version 1.5 CRB43 and later

Normally, Android applications will be allowed to share a uid if the packages are all signed by the same developer certificate and request permission to do so at install-time. This allows for packages from the same author to share data. Without enforcement of that behavior, it is possible for any application to be installed in such a manner that it gains access to another (existing) application's data.

Patch Availability:
http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=5d6d773fab559fdc12e553d60d789f3991ac552c

CVE Information:
CVE-2009-1754

Disclosure Timeline:
2009-05-14: Panasonic reported the issue to the Android Security Team
2009-05-18: Android Security Team requested assistance from oCERT
2009-05-19: oCERT requested CVE assignment
2009-05-22: CVE assigned
2009-05-22: advisory release

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus