Hacker slaps Dolphin, Mercury browsers, squirts zero day

Mobile security guy Rotologix has popped two popular not-Chrome not-Firefox Android browsers, gaining the power to commit remote code execution using zero-day flaws. The holes affect Dolphin Browser and Mercury Browser which have something in the realm of 100 million and one million installs respectively. For comparison …

  1. Mark 85 Silver badge

    This is all well and good for "security bods"... but what about those 101 million users who are vulnerable? Hell... most users apparently never get an OS patch. Given that it's 101 million users for these and 5 billion for Chrome, the bad guys will go for Chrome first. The mobiles are really in deep s**t until the manufacturers and the telcos decide they should and will do the right thing and push patches without a hit on the user's data limit.

    1. Anonymous Coward

      Doesn't sound as if these downloadable-browser bugs are reliant on OS patches to fix them, so those 101 million users should be fine when Dolphin gets a patched version in the app stores.

      1. dotdavid

        Yep. To be honest this is mainly another story highlighting how everyone should be using third-party downloadable browsers from the Play store rather than the built-in AOSP Browser which on the vast majority of handsets will never see an update.

        Note this only works for actual browser apps. Many other kinds of apps will use the built-in WebView controls for displaying HTML, which use the built-in browser. Google have mitigated this a bit in later versions of Android (from memory, Lollipop upwards) by making the WebView bits of Android downloadable via the Play store.

  2. Elmer Phud

    " and Chrome clocks some five billion installs"

    As in "Wot's this that has arrived on my machine? I only wanted a small, free programme"

  3. michael_dolphin

    Update from Dolphin Browser

    Hi everyone,

    Michael from Dolphin Browser here. Wanted to provide an update on this situation. We found out the root cause of this issue & applied the fix. Since the fix is currently undergoing a staged rollout, it will take at least 24 hours to apply the fix to all Dolphin users. If you would like to test the fix immediately, the APK is here -> https://www.dropbox.com/s/z6k2rmishvnwvwh/DolphinOne_EN__88_Release_Signed.apk?dl=0

    Here is a quick update about this fix/issue:

    1. Dolphin Themes were previously downloaded through the HTTP protocol, when it should have been HTTPS.

    2. Dolphin did not previously verify the Theme package, which left room for exploitation. We added additional security checks to make sure Theme packages are safe before users apply them to Dolphin Browser.

    3. Dolphin previously did not perform security checks for our dynamic libraries (e.g. libdolphin.so). The new security patch will verify and make sure these library files are not modified before they are loaded.

    We're committed to making sure our users are secure and are doing our best to address any issues as they come up. If you do have any additional questions or concerns, you can reach out to us via social media or at support@dolphin.com.

    Best,

    Michael

    Dolphin Team
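An added, stand-alone illustration of points 2 and 3 in the post above (example code, not Dolphin's own): a downloaded package is checked against a manifest of pinned SHA-256 digests before any file in it is applied or any native library is loaded. Python standard library only; the file names, contents and zip layout are constructed for the example, and in a real app the manifest would itself be signed or shipped inside the signed APK.

```python
import hashlib
import hmac
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Digest every file of a trusted build; the app ships this manifest."""
    return {name: sha256_hex(content) for name, content in files.items()}


def pack(files: dict) -> bytes:
    """Constructed stand-in for a theme/update package fetched from the network."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def verify_package(package: bytes, manifest: dict) -> tuple:
    """Return (True, "ok") only if the package holds exactly the manifest's
    files and each one matches its pinned digest. Anything else (extra files,
    missing files, altered bytes, a malformed archive) is rejected before the
    package is touched further."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(package))
    except zipfile.BadZipFile:
        return False, "not a valid zip"
    with zf:
        names, expected = set(zf.namelist()), set(manifest)
        if names - expected:   # also catches path-traversal names like ../x.so
            return False, "unexpected file(s): %s" % sorted(names - expected)
        if expected - names:
            return False, "missing file(s): %s" % sorted(expected - names)
        for name in sorted(expected):
            actual = sha256_hex(zf.read(name))
            # constant-time compare so timing does not leak how much matched
            if not hmac.compare_digest(actual, manifest[name]):
                return False, "digest mismatch for %s" % name
    return True, "ok"


# Constructed trusted build; the .so bytes are a placeholder, not a real library.
TRUSTED_FILES = {
    "theme.json": b'{"name": "ocean", "accent": "#1e90ff"}',
    "libdolphin.so": b"\x7fELF" + b"\x00" * 60,
}
MANIFEST = build_manifest(TRUSTED_FILES)
```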
