A new exploit has been discovered for a once-patched vulnerability in Android 2.3. A security hole in the default web browser allows a malicious web page to harvest the contents of the handset’s SD card, which could contain sensitive information.
Google is aware of the issue; their current workarounds are to disable Javascript, use a different web browser, or remove the SD card.