Security flaws exposed in Dolphin, Mercury mobile browsers


Number: IRCNE2015082614
Date: 2015/08/30

According to ZDNet, a security researcher has discovered security problems in the Dolphin and Mercury mobile browsers.
Benjamin Watson, blogging under the name Rotlogix, revealed the existence of vulnerabilities within the Android-based mobile browsers. Last week, the security researcher said the flaws could lead to remote code execution or arbitrary read/write access.
Mobotap's Dolphin Browser for Android is a highly customisable browser for smartphones and mobile devices, with features including search bar tailoring and themes. After Chrome and Firefox, the browser app is one of the most popular mobile browsers for the Android OS and boasts between 50 million and 100 million installations.
According to Watson, when new themes are downloaded, the files are transferred over HTTP as a standard .zip file under the extension .dwp. Through the use of a simple script, the downloaded theme can be intercepted and injected with a modified, malicious theme, which in turn allows for an arbitrary write in the Dolphin data directory.
The .zip payload can then be crafted to exploit the unzipping process of the browser theme. The researcher found that a malicious library could be uploaded to overwrite the original browser library, libdolphin.so, paving the way for full remote code execution.
When the malicious theme is applied, "full blown code execution" is possible, according to the researcher.
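The theme flow described above fails at two points: the archive arrives over plain HTTP with no integrity check, and the unzip step writes wherever the archive tells it to. The following Python example is added here for illustration and is not code from Dolphin, Mobotap or the researcher; the function names, the SHA-256 digest obtained over a trusted channel, and the assumption that the write happens through entry names resolving outside the extraction directory are all assumptions, since the report does not give those details.

```python
import hashlib
import io
import os
import zipfile


class ThemeRejected(Exception):
    """Raised when a theme archive fails the integrity or path checks."""


def install_theme(archive: bytes, expected_sha256: str, theme_dir: str) -> list:
    # 1. Integrity: the expected digest must come from a trusted channel
    #    (assumption), because the archive itself travelled over plain HTTP.
    if hashlib.sha256(archive).hexdigest() != expected_sha256:
        raise ThemeRejected("digest mismatch")
    root = os.path.realpath(theme_dir)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        # 2. Confinement: resolve every entry first and reject the whole
        #    archive if any entry would land outside the theme directory.
        targets = []
        for info in zf.infolist():
            dest = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, dest]) != root:
                raise ThemeRejected("entry escapes theme dir: " + info.filename)
            targets.append((info, dest))
        # 3. Only after all entries pass is anything written to disk.
        written = []
        for info, dest in targets:
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as out:
                out.write(src.read())
            written.append(os.path.relpath(dest, root))
    return written


def make_zip(entries: dict) -> bytes:
    # Builds constructed sample archives for the checks; not a real .dwp theme.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Validating all entries before writing any of them means a rejected archive leaves the data directory untouched rather than half-installed.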
The Mercury browser also captured the security researcher's attention, and was discovered to be vulnerable to arbitrary reading and writing of files in the browser's data directory.
Watson recommends that in both cases users avoid downloading and applying new themes, and they should also consider using a different browser altogether until patches have been issued.
