Mobile Java hit with security scare

l33tdawg: If you're looking for Adam's paper the download is available from http://conference.hackinthebox.org and with much thanks to the folks at Packetstorm Security the downloads are also available from here.

A Polish researcher has found two vulnerabilities in the cell phone version of Sun Microsystems' Java software that under unusual circumstances could let a malicious program read private information or render a phone unusable.

The flaws are difficult to exploit because malicious programs must be tailored to a specific model of cell phone, said Adam Gowdiak, a 29-year-old security researcher with the Poznan Supercomputing and Networking Centre who discovered the vulnerabilities. He figured out how to attack a Nokia 6310i mobile phone, but the effort took four months, he said in a Friday posting to the BugTraq vulnerability mailing list.

Before the vulnerabilities could be exploited, a phone user would have to download and run a malicious Java program, called a midlet, Gowdiak said in an email interview. He's not aware of a way to automate an attack.

He notified Sun of the vulnerabilities in August, and the company said it sent Java licensees a patched version of the vulnerable component, called the Java bytecode verifier, within two weeks.

"We have not seen any attempts to exploit this vulnerability, but if there is one, the user can simply delete... the applications they downloaded from an untrusted source," said Eric Chu, Sun's director of marketing for the Java 2 Micro Edition, or J2ME, software.

But in an October talk at the Hack in the Box conference in Malaysia, Gowdiak said the situation should be taken seriously. "Vendors and [the] antivirus industry are not prepared for this kind of threat," he said in his presentation. "It should be expected that remote vulnerabilities for mobile devices will be published within the next six months."