Earlier this week, news broke that a serious Linux vulnerability affects millions of PCs, servers and Android devices. Now, Google has announced via a Google+ post that far fewer Android devices are affected by this issue than previously reported and that it's not a major threat for Android.
LogBook : New Linux Vulnerability is Not a Major Threat for Android
On January 19th, 2016, Perception Point and Red Hat announced a security issue (CVE-2016-0728) in the mainline Linux kernel that affects some Android devices.
Perception Point's report described a three-year-old flaw in Linux kernel version 3.8 that could be exploited by an attacker to perform kernel code execution and gain root-level access on the targeted system. In the report, the firm added that this affects as many as 66 percent of all Android devices.
Now Google confirms the bug is real but says its impact and spread are vastly overestimated.
“Since this issue was released without prior notice to the Android Security Team, we are now investigating the claims made about the significance of this issue to the Android ecosystem. We believe that the number of Android devices affected is significantly smaller than initially reported,” Adrian Ludwig, who works on Android security at Google, wrote in a post at Google Plus.
Google claims that all Android 5.0 Lollipop devices, including the entire Nexus line, have an extra layer of security called SELinux that would render any exploits of this bug useless.
In addition, most devices running Android 4.4 and earlier run kernels older than Linux kernel 3.8, meaning they do not contain the bug. This makes the list of affected devices markedly slimmer than the previously reported 66%.
Nevertheless, Google has created a patch for the bug and is mandating that it be pushed out to all devices no later than March 1, 2016.
Ludwig also said he wasn't happy with the way Perception Point and Red Hat handled the issue, adding that they should have given Google prior notice about the vulnerability before publicly disclosing it.
Many Linux distributions have since said that they will shortly issue the security patch. Perception Point noted in its original report that it wasn't aware of any exploitation of the keyrings vulnerability in the wild.