Google Android SDK Update Contains Passwordless Root Account

According to security vendor Core Security, the latest Android SDK version m5-rc15 update arrives without a root password by default, “Unprivileged users with shell access can simply use the su program to gain privileges,” said Core.

Since the end of January Google have received numerous reports about it’s Google SDK possessing a number of security flaws and vulnerabilities.

Bug detection is obviously an important part of the development process thanks to it’s release within the open source community.

Core Security provided Google with a detailed lengthy advisory regarding the Android SDK, detailing the number of security related issues. the vulnerabilities discovered by Core all concerned the processing of images by Android’s web browser. Core said the flaws in processing GIF, BMP, and PNG images could have enabled a malicious website to attack the platform and ultimately execute arbitrary code.

Google made the following statement in response to Core’s initial advisory:

“The current version of the Android SDK is an early look release to the open source community, provided so that developers can begin working with the platform to inform and shape our development of Android toward production readiness. The Open Handset Alliance welcomes input from the security community throughout this process. There will be many changes and updates to the platform before Android is ready for end users, including a full security review.”

Google’s latest Android SDK version m5-rc15 does fix these noted image vulnerabilities - just be sure to set yourself a root password.

Did you enjoy this post? Subscribe to our RSS Feed!