

Google has fixed a potentially devastating bug in its newly released Android operating system.

Some users of T-Mobile's G1 phone found that typing any word on the phone's keyboard — in any application — sent whatever they typed to the phone's command line shell.

Those commands were then executed with root user privileges, meaning there were no limitations on what the commands could do to the phone. For instance, texting the word 'reboot' would actually cause the phone to do so.

"We fixed the bug on Oct. 31 and are currently rolling out the fix to G1 devices," a Google spokesperson told Wired.com. Not all G1 phones may have been fixed though as T-Mobile is rolling out the patch in stages and there could be some phones still to be updated.

The bug affected almost all G1 phones and not just phones that had been "jailbroken" (hacked to work with unauthorized applications).

"This bug does affect users of G1 running RC29 and earlier," says the Google spokesperson. "RC30 fixes this issue and it is not present in the emulator." RC29 and RC30 refer to updates to the Android firmware.

A test this morning at the Wired.com office did not show the behavior on a G1 phone running the RC19 version of the firmware.

The latest update has been rolled out to all G1 phones but users have to click "update" directly on their device for Google to consider the process complete, says the Google spokesperson. "We're in the midst of that."

Despite the publicity around the latest Android flaw, it could not have caused much of a security problem, says Charlie Miller, a mobile-security specialist at Independent Security Evaluators.

"It is such a basic problem that it is just embarrassing," says Miller. "It's not really a security problem since you can't do anything with the phone remotely." Miller discovered one of the earliest bugs in Android and says Google fixed that flaw within two weeks of being alerted.

Miller says Android developers were probably rushing to meet a deadline and didn't test the code in detail, leading to the bug. "It was something they were using and may have forgotten to turn off," he says. "It's just sloppy work."

Going forward, Google says it has created an online group to announce security updates and fixes.

Photo: T-Mobile G1 (vveneziani/Flickr)