Palm's WebOS platform - the software behind the Palm Pre smartphone, among others - has a rather nasty bug in it which can lead to remote exploitation via SMS.
According to a post on ZDNet's Zero Day blog
, the flaw - discovered by security firm Intrepidus Group - stems from the inability of the SMS client within WebOS to perform input validation on received text messages. As a result, the team found "a rudimentary HTML injection bug [that] leads directly to injecting code into a WebOS application
" - something Intrepidus describes as "quite dangerous
," allowing a single SMS to bring the system to its knees.
It's a pretty serious flaw, made worse by the simplicity of the injection mechanism - one simple text message is enough to bring the system to its knees, or send the user to a malicious website to quietly download a Trojan or other malware.
" the researchers behind the attack believe that Palm - which is allegedly trying to find a buyer
- should have caught the issue in early testing. The fact that current handsets in the wild suffer from such a simple flaw shows, the team claims, that Palm "put almost no thought into security during [its] development of WebOS.
The team has posted a video
demonstrating the scope of the vulnerabilities - and thus far Palm hasn't provided a comment as to when the issues raised by Intrepidus might be resolved.
Are you shocked to find such a simple flaw in a supposedly mature, commercially-available mobile platform, or is Intrepidus being more than a little harsh on Palm? Would knowledge of this attack put you off making your next smartphone a WebOS device, or does the platform have bigger issues? Share your thoughts over in the forum