By Stephen Shankland
Posted on ZDNet News: Oct 23, 2004 12:05:00 AM

A Polish researcher has found two vulnerabilities in the cell phone version of Sun Microsystems' Java software that under unusual circumstances could let a malicious program read private information or render a phone unusable.

The flaws are difficult to exploit because malicious programs must be tailored to a specific model of cell phone, said Adam Gowdiak, a 29-year-old security researcher with the Poznan Supercomputing and Networking Center who discovered the vulnerabilities. He figured out how to attack a Nokia 6310i mobile phone, but the effort took four months, he said in a Friday posting to the BugTraq vulnerability mailing list.

Before the vulnerabilities could be exploited, a phone user would have to download and run a malicious Java program, called a midlet, Gowdiak said in an e-mail interview. He's not aware of a way to automate an attack.

He notified Sun of the vulnerabilities in August, and the company said it sent Java licensees a patched version of the vulnerable component, called the Java bytecode verifier, within two weeks.

"We have not seen any attempts to exploit this vulnerability, but if there is one, the user can simply delete...the applications they downloaded from an untrusted source," said Eric Chu, Sun's director of marketing for the Java 2 Micro Edition, or J2ME, software.

But in an October talk at the Hack in the Box conference in Malaysia, Gowdiak said the situation should be taken seriously. "Vendors and (the) antivirus industry are not prepared for this kind of threat," he said in his presentation. "It should be expected that remote vulnerabilities for mobile devices will be published within the next six months."

Sun didn't publish the vulnerabilities, instead choosing to let the cell phone makers notify their customers. "We don't have a relationship with the end consumer," Chu said.

Java, which lets programs such as video games run on many different cell phones, has grown common. Sun estimates that more than 570 million Java-enabled handsets will have been sold by the end of 2004, and one in three handsets is equipped with Java. Hundreds of cell phone service providers rely on J2ME to sell ring tones, games and other downloads.

Sophisticated mobile devices are growing more important. According to the Meta Group, roughly two-thirds of all businesses and organizations will deploy mobile data services by 2007. Mobile e-mail will top the application list, with half of organizations launching a wireless e-mail system within three years and 75 percent in four years.

The vulnerability disclosure comes on the eve of CTIA Wireless I.T. & Entertainment 2004, a cell phone trade show in San Francisco, where Java will support many new services to be unveiled.

Talkback

I wondered what "****" would try to bring MS into it.
You win...
Posted by: No_Ax_to_Grind | 10/25/04
J2ME?  Fred Fredrickson | 10/23/04
J2ME is client side, no server involved!  B.O.F.H. | 10/23/04
SOME issues?  alterego_z | 10/23/04
alterego should have been in politics  John Zern | 10/25/04
I wondered what "****" would try to bring MS into it.  No_Ax_to_Grind | 10/25/04
So, they just shouldn't have run the story  FilledOut | 10/23/04
