Nokia & Sun: Yes, Nokia S40 J2ME vulnerabilities exist

I have never understood news articles using terms like ‘claims’ and ‘rumors’ when reporting about several vulnerabilities reported in Nokia Series 40 (S40) phones.

Adam Gowdiak from Poland is a well-known researcher, the man behind the Windows RPC issue MS03-026, etc.

Sun has confirmed that older versions of Java 2 Platform Micro Edition (J2ME) are affected (this was on 15th Aug already) and Nokia confirmed these issues today (let’s say, at last).

It is not known whether Sun Microsystems or Nokia Corp. paid €20 000 to Gowdiak, last week or possibly later.

Some references:

Security Explorations: J2ME security vulnerabilities 2008
MIDP’s and MIDlets put tens of millions Nokia S40 phones in danger

Update 22nd Aug: From IDG.no:

“Gowdiak would not disclose if he was paid, but said that only reputable, vetted companies that pay would get the full research, which amounted to 180 pages and 14,000 lines of proof-of-concept code.

Nokia has a complete copy of Gowdiak’s research, said Mark Durrant of Nokia’s corporate communications.”
