This is all well and good for "security bods"... but what those 101 million users who are vulnerable? Hell,.. most users apparently never get an OS patch. Given that it's 101 million users for these and 5 billion for Chrome, the bad guys will go for the Chrome first. The mobiles are really in deep s**t until the manufacturers and the Telco's decide they should and will do the right thing and push patches without a hit on the user's data limit.
Mobile security guy Rotologix has popped two popular not-Chrome not-Firefox Android browsers, gaining the power to commit remote code execution using zero-day flaws. The holes affect Dolphin Browser and Mercury Browser which have something in the realm of 100 million and one million installs respectively. For comparison …
Monday 24th August 2015 08:13 GMT Anonymous Coward
Monday 24th August 2015 15:51 GMT dotdavid
Yep. To be honest this is mainly another story highlighting how everyone should be using third-party downloadable browsers from the Play store rather than the built-in AOSP Browser which on the vast majority of handsets will never see an update.
Note this only works for actual browser apps. Many other kinds of apps will use the built in WebView controls for displaying HTML which use the built-in browser. Google have mitigated this a bit in later versions of android (from memory; Lollipop upwards) by making the WebView bits of Android downloadable via the Play store.
Tuesday 25th August 2015 19:11 GMT michael_dolphin
Update from Dolphin Browser
Michael from Dolphin Browser here. Wanted to provide an update on this situation. We found out the root cause of this issue & applied the fix. Since the fix is currently undergoing a staged rollout, it will take at least 24 hours to apply the fix to all Dolphin users. If you would like to test the fix immediately, the APK is here -> https://www.dropbox.com/s/z6k2rmishvnwvwh/DolphinOne_EN__88_Release_Signed.apk?dl=0
Here is a quick update about this fix/issue:
1. Dolphin Themes were previously downloaded through HTTP protocol, when it should have been HTTPs protocol.
2. Dolphin did not previously verify the Theme package, which left room for exploitation. We added additional security checks to make sure Theme packages are safe before users apply them to Dolphin Browser.
3. Dolphin previously did not perform security checks for our dynamic libraries (e.g. libdolphin.so:). The new security patch will verify and make sure these library files are not modified before they are being loaded.
We're committed to making sure our users are secure and are doing our best to address any issues as they come up. If you do have any additional questions or concerns, you can reach out to us via social media or at firstname.lastname@example.org.