has introduced NPAPI plugin /usr/lib/libkindleplugin.so
(symlinked to /usrl/lib/browser/plugins/libkindleplugin.so
) which is used by system-wide WebKit engine.
It is scriptable plugin, so webpage can embed it and invoke it's "exported" native methods.
I gave enough information for googling about how to invoke methods of this embedded plugin.
So far, I've found following "exported" properties and methods:
- property test (it just returns number 500)
- method dev.log
- method lipc.set
- method lipc.get
- method todo.scheduleItems
I don't know anything about parameters of these methods and don't know whether they produce sensible result at all. But if they are working, then OH-OH!, it could be dangerous, because it could be used by any website (yes, this plugin is accessible from Web Browser).
I hope someone more proficient in understanding of disassembled ARM C++ code will share more information about plugin's methods usage.
To disable plugin, just change extension of symlink in /usr/lib/browser/plugins
(or remove this symlink). I believe, it will be sufficient.
On 23 Jul 2012 Amazon made available update to 5.1.2
which must be applied over 5.1.0
. Amongst other changes, 5.1.2
deletes NPAPI plugin /usr/lib/libkindleplugin.so
, symlink /usrl/lib/browser/plugins/libkindleplugin.so
and directory /usr/lib/browser
, thus eliminating possible remote attack vector.