Google's new Android-based phone made some rather unwelcome news when security researchers reported a vulnerability to the New York Times. Charlie Miller, Mark Daniel, and Jake Honoroff of Independent Security Evaluators (ISE) identified the problem.
According to ISE, "Android is based on over 80 different open source packages. The vulnerability is due to the fact Google did not use the most up to date versions of all these packages. In other words, this particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version."
Not very smart on Google's part.
Fortunately ISE won't release details of the vulnerability, stating that "Upon visiting the malicious site, the attacker can run any code they wish with the privileges of the web browser application. We have a very reliable exploit for this issue for demonstration purposes. This exploit will not be released until a fix is available."
ISE said that they contacted Google on October 20 to coordinate getting the problem fixed. Nevertheless, according to the New York Times report "Google executives said they believed that Mr. Miller had violated an unwritten code between companies and researchers that is intended to give companies time to fix problems before they are publicized."
Sounds like spin to me. After all, ISE didn't disclose any details - they didn't even indicate which libraries might be vulnerable. All they did was say that device is vulnerable and that they have a working exploit to prove it. Of course such news isn't good for Google's sales, so the often-used (and unfortunate) course of action would be to attach the bearer of the news. Of course it'd be much bolder to stand up and admit that they messed up big time.