Mobile security guy Rotologix has popped two popular not-Chrome not-Firefox Android browsers, gaining the power to commit remote code execution using zero-day flaws.
The holes affect Dolphin Browser and Mercury Browser which have something in the realm of 100 million and one million installs respectively.
For comparison FireFox scores up to 500 million installs and Chrome clocks some five billion installs, or roughly the population of Earth in 1987.
The self-described Java nerd (@rotlogix) reported the vulnerabilities to the developers, both of which responded with patches.
He says Dolphin can be slapped by manipulating its themes with the following attack:
"An attacker with the ability to control the network traffic for users of the Dolphin Browser for Android can modify the functionality of downloading and applying new themes for the browser. Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user's device. The only user interaction this requires is selecting, downloading, and applying a new Dolphin Browser theme."
The Dolphin Browser was last updated in July meaning that all users are vulnerable to the zero day vulnerability. The hacker recommends users stick with their current theme and consider using a different browser until a fix is dropped.
But they should avoid moving to Mercury; in fact those users should dump that browser too thanks to a series of chained unpatched holes, according to the hacker.
"The Mercury Browser for Android suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. Chaining these vulnerabilities together can allow a remote attacker to perform arbitrary reading and writing of files within the Mercury Browser's data directory.
Interested application security bods can peruse his posts for full technical details. ®