5 days ago by Shaikh Rafia
A zero-day vulnerability in the Linux kernel was disclosed earlier this week by Perception Point and Red Hat. Google has now released a patch for the vulnerability on Android, but doesn’t believe that many Android devices are at risk.
Google has prepared a patch for Android addressing a Linux kernel vulnerability, but the tech giant believes that the number of affected devices is much smaller than initially reported. Perception Point, which disclosed the vulnerability, had claimed that 66% of Android devices were affected. “Linux bug imperils tens of millions of PCs, servers, and Android phones,” Ars Technica had reported. Google’s Adrian Ludwig now says that the actual number of affected devices is much smaller. The vulnerable code, which depends on CONFIG_KEYS, has been present in all Linux kernels since 3.8. However, the recommended configuration for the Android Linux kernel has CONFIG_KEYS disabled, which puts considerably fewer Android devices at risk.
The exploit could be used by a hacker to gain root access on an Android device, but it requires a lot of processing time. Ludwig says that Android 5.0 and higher versions are safe thanks to SELinux, which prevents third-party apps from reaching the affected kernel code. Moreover, he also says that Nexus devices are not affected. The risk then comes down to devices running Android 4.4 that have CONFIG_KEYS enabled.
We believe that no Nexus devices are vulnerable to exploitation by 3rd party applications. Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd party applications from reaching the affected code. Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in linux kernel 3.8, as those newer kernel versions are not common on older Android devices. – Adrian Ludwig
Perception Point claims that while SELinux makes the vulnerability more difficult to exploit, the protection can still be bypassed.
Google is investigating the issue to further determine the scale of the risk. The company has prepared the patch and released it to open source and partners today. The CVE-2016-0728 patch will be rolled out in the March security update.
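The exposure conditions reported above (kernel 3.8 or later, CONFIG_KEYS enabled, Android release older than 5.0) can be checked per device with a short script. This is an added example, not code from Google or Perception Point; the function names and verdict strings are made up for illustration, and the script cannot tell whether a vendor has already backported the fix.

```shell
#!/bin/sh
# Added example (not from the article): triage one kernel against the
# conditions reported for CVE-2016-0728. Function names and verdict strings
# are hypothetical. A "check-patch" verdict means possible exposure only.

# Exit 0 if VERSION (e.g. "3.10.49-g1a2b3c") is 3.8 or later, 1 if older,
# 2 if it cannot be parsed.
kernel_at_least_3_8() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in *[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; then return 0; fi
    return 1
}

# Usage: triage VERSION [ANDROID_API_LEVEL] < kernel-config
# Reads the kernel build config on stdin and prints one verdict word.
# The API level is optional; 21 corresponds to Android 5.0.
triage() {
    rc=0
    kernel_at_least_3_8 "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then echo unknown; return 0; fi
    if [ "$rc" -eq 1 ]; then echo not-affected-kernel-older-than-3.8; return 0; fi
    # CONFIG_KEYS is a bool option, so only "=y" means the keyring code is built.
    if ! grep -q '^CONFIG_KEYS=y$'; then
        echo not-affected-config-keys-off; return 0
    fi
    # Per Google's statement, SELinux policy on Android 5.0+ keeps third-party
    # apps away from the affected code; Perception Point disputes that.
    if [ "${2:-0}" -ge 21 ]; then echo check-patch-selinux-mitigated; return 0; fi
    echo check-patch-exposed
}

# Constructed sample: a 3.10 kernel with keyrings enabled on Android 4.4 (API 19).
printf 'CONFIG_SECURITY=y\nCONFIG_KEYS=y\n' | triage 3.10.49-g1a2b3c 19

# On a live system whose kernel exposes its config (CONFIG_IKCONFIG_PROC):
#   zcat /proc/config.gz | triage "$(uname -r)" "$(getprop ro.build.version.sdk)"
```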