Naked Security

“66% of Android devices” vulnerable to Linux zero-day bug … or not

Google is disputing claims that buggy Linux code affects "66% of Android devices."

Earlier this month, a small cybersecurity company made big news after it publicly disclosed a zero-day bug in the Linux kernel.

The kernel is the heart of the operating system, so kernel bugs of this sort often allow regular programs – applications that are supposed to have their power restricted by the kernel – to “promote” themselves to perform usually-prohibited tasks, such as reading private data or modifying other software illegally.

This sort of attack is known as an EoP, short for elevation of privilege.

The company that discovered the bug, an Israeli start-up called Perception Point, said the buggy code is in Linux 3.8 and potentially affects “millions” of Linux computers and servers and “66% of Android devices.”

Fortunately, the extent of the threat to Android users may have been overstated, as Android’s security chief Adrian Ludwig disputed Perception Point’s claims in a post on Google Plus.

Ludwig says the number of Androids affected is “significantly smaller than initially reported.”

Many devices running Android 4.4 KitKat and below are not affected because the version of Linux with the buggy code (Linux 3.8) is “not common” on older devices, Ludwig said.

And even though Android devices with Android 5.0 and above do have the vulnerable code, Ludwig claims they are protected because Security-Enhanced Linux (SELinux) on those Android versions “prevents third-party applications from reaching the affected code.”

Regardless, Perception Point is standing by its claims.

The company said that it has been working on an exploit to get around SELinux, which it may publish in upcoming blog posts, and “anyway the most important thing for now is to patch it as soon as you can.”

Patching may well be a problem for the vast majority of Android users.

Ludwig said Google has released a security patch to open source and partners, but the fix will not be issued until the March updates.

Google Nexus devices will get the update automatically over the air, but users of non-Google devices will have to wait for vendors and carriers to issue the patch.

That means the vast majority of Android devices could remain unsecured for a long time.

3 Comments

“Many devices running Android 4.4 KitKat and below are not affected because the version of Linux with the buggy code (Linux 3.8) is “not common” on older devices,” Ludwig said.

Kinda like saying it’s okay to run Win 98SE or WinMe now, since no one’s writing malware for it any more. I like it. Maybe I can go back to XP in a year or two, also.

“The company said that it has been working on an exploit to get around SELinux, which it may publish in upcoming blog posts.” You have to exploit the kernel to get around selinux. So…they’re going to exploit the kernel to get around selinux so that their kernel exploit is reachable. Got it.

As a CyanogenMod developer, I can tell you the number of OEM shipping devices vulnerable to this is zero. OEM builds rarely ship with CONFIG_KEYS enabled, which, among quite a few other things, is a prerequisite to exploit this. (Ironically, quite a few CM devices do ship with CONFIG_KEYS enabled.)
