An internal contest between the North American and European members of Google’s Project Zero has resulted in the discovery of eleven high-impact zero-day flaws affecting Samsung’s popular Galaxy S6 Edge smartphone.
“The majority of Android devices are not made by Google, but by external companies known as Original Equipment Manufacturers or OEMs which use the Android Open-Source Project (AOSP) as the basis for mobile devices which they manufacture. OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers,” Natalie Silvanovich, a security engineer on the Android Security Team and a member of Project Zero, explained in a blog post.
So, occasionally, Google likes to test various OEMs’ devices for security vulnerabilities, and to see how soon the flaws are patched after they are disclosed to the manufacturers.
After a week of testing, the result was eleven issues found (for more specifics, check out the blog post).
“The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review. It was also surprising that we found the three logic issues that are trivial to exploit. These types of issues are especially concerning, as the time to find, exploit and use the issue is very short,” Silvanovich pointed out.
The good news is that a number of security measures slowed them down. For example, SELinux made it more difficult to attack the device.
“In particular, it made it more difficult to investigate certain bugs, and to determine the device attack surface. Android disabling the setenforce command on the device made this even more difficult,” she noted. “That said, we found three bugs that would allow an exploit to disable SELinux, so it’s not an effective mitigation against every bug.”
Another piece of good news is that Samsung has already patched eight of these issues, arguably the more severe ones, in their October Maintenance Release. These fixes were developed and pushed out within 90 days of the flaws’ discovery – “a reasonable time frame” by Google’s standards.
Fixes for the remaining three are planned for November.