Recent Palm webOS Vulnerabilities - MWR InfoSecurity Clarification

MWR InfoSecurity have recently published information about vulnerabilities affecting several mobile platforms. Owing to errors in the reporting of these issues, MWR are publishing this statement to clarify the situation and to answer the questions that have arisen about the issues and their current status.

In May 2010 MWR Labs identified and reported two vulnerabilities in Palm’s mobile operating system, webOS. One of these vulnerabilities has recently been used by us to demonstrate to the press the impact of security flaws in smartphones. Since then, articles and blog posts published by various sources have led to some confusion regarding Palm’s response to these issues and their current status. Both vulnerabilities reported by MWR were originally identified in Palm webOS 1.4.1 and were immediately reported to Palm’s Security Team, who responded promptly and acknowledged the vulnerabilities. Since disclosing these issues to Palm, MWR InfoSecurity have taken the decision to discuss the presence of vulnerabilities in smartphone platforms publicly. This decision was taken to highlight the risk that smartphone vulnerabilities pose to users and to ensure that the issues are correctly represented in the public domain.

With the webOS 1.4.5 release Palm fixed one of the vulnerabilities reported to them by MWR InfoSecurity. This vulnerability is an issue in a local service running on the phone; full details have yet to be released by MWR and will be published once all users have had a chance to install Palm’s fix.

The issue that Palm has not yet addressed is the vulnerability in vCard parsing, which was demonstrated by MWR InfoSecurity on the 11th of August. However, in recent conversations with members of Palm’s security team they stated that a fix is planned for Autumn 2010. Given the current situation, users are advised to exercise caution until an appropriate vendor-supplied patch has been provided.