Sharp Linux handheld in double bug alert
Sharp's Linux-based Zaurus handhelds have two security bugs.
The first vulnerability could give a remote attacker full control of the Zaurus filesystem, including the ability to overwrite files and/or programs with trojans.
The Zaurus SLD-50000D and SL-5500 devices are designed for consumers but if used in business, the vulnerabilty supplies a way in to get into corporate systems.
The exploit takes advantage of a lack of authentication in the in-built FTP daemon used to synchronise data between a handheld and a users' PC, according to an advisory by Syracuse University's Center for Systems Assurance.
And there's more.
A second vulnerability affects the Zaurus passcode function, which locks the handheld so that no data can be input via the keypad and touch screen. Passwords are stored on devices in encrypted form, but this code can be broken by a dedicated hacker because of a lack of rigour in the cryptographic processes.
Sharp has been notified about both issues and is working on a fix.
As a workaround to the first problem, users who use Ethernet or PPP to attach to a network should either discontinue use of QPE, the default windowing system for the units, or place themselves behind a firewall until a patch for QPE is released. Fixing the second problem is dependant on Sharp introducing a more robust method of storing the passcode function. ®