Feeds

Sharp Linux handheld in double bug alert

Zoinks!

  • alert
  • submit to reddit

Sharp's Linux-based Zaurus handhelds have two security bugs.

The first vulnerability could give a remote attacker full control of the Zaurus filesystem, including the ability to overwrite files and/or programs with trojans.

The Zaurus SLD-50000D and SL-5500 devices are designed for consumers but if used in business, the vulnerabilty supplies a way in to get into corporate systems.

The exploit takes advantage of a lack of authentication in the in-built FTP daemon used to synchronise data between a handheld and a users' PC, according to an advisory by Syracuse University's Center for Systems Assurance.

And there's more.

A second vulnerability affects the Zaurus passcode function, which locks the handheld so that no data can be input via the keypad and touch screen. Passwords are stored on devices in encrypted form, but this code can be broken by a dedicated hacker because of a lack of rigour in the cryptographic processes.

Sharp has been notified about both issues and is working on a fix.

As a workaround to the first problem, users who use Ethernet or PPP to attach to a network should either discontinue use of QPE, the default windowing system for the units, or place themselves behind a firewall until a patch for QPE is released. Fixing the second problem is dependant on Sharp introducing a more robust method of storing the passcode function. ®

Related Stories

iAnywhere Sharp deal gives Linux PDAs boost
Sharp Linux PDA needs apps now!
Sharp launches next-gen Zaurus, promises 3G wireless version

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.