While we may think of the web browsers that accompany the major smartphone operating systems as wholly distinct entities, many of them share common elements. At the heart of mobile Safari, the Android browser, and RIM’s browser for the PlayBook is some code known as WebKit. These browsers rely heavily on WebKit to handle page layout when rendering content to the screen. Unfortunately, that may mean that an unusually large fraction of smartphones are vulnerable to a newly discovered exploit.
The news comes courtesy of security firm CrowdStrike, which intends to make a presentation on the vulnerability at the RSA Conference tomorrow. For the moment, at least, details on the attack aren’t available, so all we have to go on are CrowdStrike’s descriptions of what’s possible.
From the sound of it, this WebKit exploit allows for remote code execution on systems with vulnerable browsers; simply clicking the wrong link on a malicious site should be enough to infect you. Of course, an attacker still needs a payload to go along with the infection vector, and CrowdStrike reports success adapting existing Android malware to spread via this method.
This all sounds very scary, but we’d recommend holding off on full-blown panic until details on the attack are explained. For all we know, there may be factors at play that limit the possible effects of the exploit, or make it difficult to deploy. Until we know more, just think twice before clicking any suspicious links.