Google creates fix for zero-day kernel flaw, says effect on Android is greatly exaggerated

Most Android devices are unlikely to run vulnerable kernel versions, and those that do are protected by SELinux, the company said

After being caught off guard by the disclosure of a serious flaw in the Linux kernel this week, Google has quickly developed a patch for Android and shared it with device manufacturers.

It might take weeks for device makers to start releasing firmware updates that include the fix, but that's not a huge problem since, according to Google's assessment, the flaw doesn't affect many Android devices to begin with.

The privilege escalation vulnerability allows attackers to gain full control over Linux-based systems if they have access to a limited account or trick users into running a malicious application. It was found by researchers from Israeli threat defense start-up Perception Point.

The researchers notified the Linux kernel maintainers and Red Hat in advance of publicly disclosing the issue Tuesday. However, they did not contact the Android security team, despite claiming that around 66 percent of Android devices are potentially vulnerable.

Their estimation was based on the fact that the flaw affects all Linux kernel versions from 3.8 forward, and that such vulnerable kernels are used in Android starting with version 4.4 (KitKat).

However, in the Android world a device's kernel version depends more on the manufacturer's choice than on the version of Android installed on it. Manufacturers don't necessarily update the kernel when creating firmware based on newer Android versions, especially for older devices.

Adrian Ludwig, Android's lead security engineer, puts the number of affected devices much lower than Perception Point.

"Many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions [are] not common on older Android devices," he said in a blog post.

Furthermore, according to Ludwig, devices that run Android 5.0 (Lollipop) and newer are protected even if they do use vulnerable kernels, because those Android versions have the Security-Enhanced Linux (SELinux) kernel module.

The Android SELinux policy in these versions prevents third-party applications from reaching the affected code, he said, adding that none of Google's Nexus devices are affected either.

This appears to contradict both the Perception Point researchers, who said that there are possible ways to bypass SELinux, and Red Hat, which said in its own advisory that SELinux does not mitigate this issue.

Ludwig said that the fix created by Google for this flaw, "will be required on all devices with a security patch level of March 1 2016 or greater."

However, this doesn't force manufacturers to integrate it until March 1 or even at all on older devices. They just won't be able to advertise a March 1 patch level on those devices.

The patch level is essentially a date string displayed in Android's settings under "About phone" which indicates that the firmware contains all Android security patches up to that date. It only exists in newer versions of Android.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?