Tuesday, July 24, 2012

Don't Panic

Probably the very last thing I think about when I settle down to a nice cup of tea and an electronic book is that my Kindle is being owned.  Here I am, enjoying the satiric humor of Douglas Adams and suddenly it occurs to me, "I'm not sure I remember the ingredients for my favorite pan-galactic drink."  So off I go to some, unbeknownst to me, nefarious website and just as the page loads...WHAM.  My kindle is owned.  The story is the same, as technology grows, so do weaknesses in software.  As it turns out, a new feature of the Kindle Touch browser is support for NPAPI, a common scriptable plugin API.  This is great news for plugin writers for Kindle, but poses serious security risks for the browser, as the API has full root privileges on the device.  It is possible in version 5.1.0 of the device to call the API in an <embed> tag, and then use the "lipc.set" method to inject shell commands with root privileges!  The specifics I omit here, but for those of you keeping score at home don't panic!  The VRT has you covered with SIDs 23616 and 23617.



Add to Technorati Favorites Digg! This

No comments: