A Polish researcher has found two vulnerabilities in the cell phone version of Sun Microsystems' Java software that under unusual circumstances could let a malicious program read private information or render a phone unusable.
The flaws are difficult to exploit because malicious programs must be tailored to a specific model of cell phone, said Adam Gowdiak, a 29-year-old security researcher with the Poznan Supercomputing and Networking Center who discovered the vulnerabilities. He figured out how to attack a Nokia 6310i mobile phone, but the effort took four months, he said in a Friday posting to the BugTraq vulnerability mailing list.
Before the vulnerabilities could be exploited, a phone user would have to download and run a malicious Java program, called a midlet, Gowdiak said in an e-mail interview. He's not aware of a way to automate an attack. He notified Sun of the vulnerabilities in August, and the company said it sent Java licensees a patched version of the vulnerable component, called the Java bytecode verifier, within two weeks. "We have not seen any attempts to exploit this vulnerability, but if there is one, the user can simply delete...the applications they downloaded from an untrusted source," said Eric Chu, Sun's director of marketing for the Java 2 Micro Edition, or J2ME, software.
News source: ZDNet.com