Researchers Hand WebOS Vulnerabilities to the Hacking Public

From DailyTech: Palm, Inc. -- a new subsidiary of Hewlett-Packard -- hasn't given up on the smartphone market, even though its Pre smartphones were a relative flop compared to the iPhone and Android platforms. It has revealed the Palm Pre 2, which will soon go on sale in the U.S., and it reportedly has a host of other form factors in the works.

But Palm's latest version of webOS reportedly retains some serious security flaws, much like iOS (which powers the iDevices) and Android. Orlando Barrera and Daniel Herrera of SecTheory uncovered three serious flaws unique to the platform that could be exploited for malicious purposes, plus a flaw in file system permissions.

The flaws exist in both the latest release version of webOS (1.4.x) and the upcoming version, webOS 2.0. The issues uncovered by the team include a floating-point overflow bug, a denial of service vulnerability, and a cross-site scripting issue.

As Mr. Barrera describes in an interview with eWeek, "The user experience in webOS is constructed similar to a Web application: mark-up rendering (HTML/CSS) is used for the visual elements, JavaScript is used for dynamic updating/modification, and system commands are communicated via HTTP locally. This design leaves the webOS susceptible to attacks similar to Cross-site Scripting. If user-supplied content is not properly sanitized prior to it being included within the user interface, conditions are created where this content can execute commands against the system and modify the user experience."
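The pattern the quoted researcher describes, where UI markup is built from strings that may carry user-supplied content, is illustrated below with an added example that is not from the article, from SecTheory or from webOS itself; the function names and the constructed contact name are assumptions for illustration, and the hardened version shows the contextual escaping that closes the injection.

```javascript
// Added example (not code from the article or from webOS): a UI that builds
// its markup from strings must escape every untrusted value for the context
// it lands in, or that value can inject its own elements and handlers.

// Escape the five characters that change meaning in HTML text or in a
// double-quoted attribute. '&' is replaced first so later entities survive.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: a contact name (e.g. received over the network) is
// concatenated straight into the markup string in two contexts.
function renderContactUnsafe(name) {
  return '<div class="contact" title="' + name + '">' + name + "</div>";
}

// Hardened pattern: the same template, but the untrusted value is escaped
// before it reaches either the attribute or the element body.
function renderContactSafe(name) {
  const safe = escapeHtml(name);
  return '<div class="contact" title="' + safe + '">' + safe + "</div>";
}

// Regression check: the template itself contributes exactly two '<'
// characters (the opening and closing div); any more came from the input.
function countTagStarts(html) {
  return (html.match(/</g) || []).length;
}

// Constructed sample input (hypothetical), shaped to break out of the
// attribute and add an element of its own.
const CONSTRUCTED_NAME = 'Bob"<script>alert(1)</script>';

function demo() {
  return {
    unsafeTagStarts: countTagStarts(renderContactUnsafe(CONSTRUCTED_NAME)), // 6
    safeTagStarts: countTagStarts(renderContactSafe(CONSTRUCTED_NAME)),     // 2
  };
}
```

The check in demo() is the kind of assertion a UI layer can keep in its test suite: rendered markup from untrusted input must never contain more element starts than the template itself.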

We were contacted by Daniel Herrera of SecTheory. We had erroneously reported that SecTheory was disclosing the vulnerability before approaching Palm. To the contrary, SecTheory actually gave Palm five months to fix the issue and is only disclosing the unpatched vulnerability after Palm has remained inactive on the issue.
