Forums | Reviews | Search | Full Version

Firm MWR Infosecurity claims to have discovered a vulnerability in webOS that would allow an attacker to create a specially crafted SMS message that would allow them to "subvert webOS completely."  Once the attacker gains control, the phone's microphone could be utilized to record and transmit whatever is picked up around it.

Reached for comment, Palm has told us that "The current version of webOS fixes the security vulnerability reported to Palm."

We at PreCentral assume that the "current version" with the fix is webOS 1.4.5, which has been released to nearly all carriers in all regions, excepting most prominently AT&T and Verizon. As with OS updates in the past, we hope and expect that 1.4.5 will roll out to those users soon.

The exploit sounds awfully similar to the SMS injection exploit that was discovered in webOS 1.3.1 and subsequently remedied by Palm in later releases of the operating system. It is notable that webOS 1.4.5's release notes for Sprint do mention MWR in regard to fixing a security issue.

Via: The Inquirer, Source: V3webOS 1.4.5 Release Notes; More coverage: webosroundupThanks to fusion 158 for the tip!