Samsung recently patched a flaw in its Magician SSD utility that could allow an attacker to execute arbitrary code, while researchers separately accuse the firm of leaving millions of phones vulnerable by letting a domain expire.
Magician is a management utility for Samsung SSDs. It uses HTTPS for its update operations but does not validate SSL certificates, so the encrypted channel offers no protection against a man-in-the-middle.
Because the utility fails to securely check for and retrieve updates, an attacker who can intercept its traffic can execute arbitrary code with administrator privileges, according to a June 15 CERT security alert.
“An attacker on the same network as, or who can otherwise affect network traffic from, a Samsung Magician user can cause the Magician update process to execute arbitrary code with system administrator privileges,” the alert said.
Users are encouraged to apply the Samsung Magician 5.1 update. Because the update mechanism itself is the vulnerable component, the fixed version should not be obtained through Magician's self-update feature but downloaded manually from Samsung, and users should avoid untrusted networks until it is installed.
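The flaw above is a textbook case of an updater that speaks TLS but never checks who it is talking to. The following Python is an added example, not Samsung's or CERT's code: it shows the unsafe context configuration beside the default (verifying) one, and a digest check on the downloaded installer as a second line of defence, so that a spoofed or compromised update server still cannot push an attacker's binary. The URL, the "published digest" and the sample installer bytes are constructed for the example; `run_update` takes the download routine as a parameter so the verification logic can be exercised without a network.

```python
"""Added example (not Samsung's code): the unverified-TLS pattern an updater
must avoid, beside a hardened fetch-and-verify flow.  The URL, the published
digest and the sample installer bytes below are constructed for illustration."""
import hashlib
import hmac
import ssl
import urllib.request
from typing import Callable, Optional

UPDATE_URL = "https://updates.example.invalid/magician/latest.exe"  # hypothetical


def insecure_context() -> ssl.SSLContext:
    """The pattern behind the advisory (CWE-295): TLS is negotiated, but the
    server certificate is never checked, so any on-path attacker can answer
    with a self-signed certificate and serve its own 'update'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """Default context: validates the chain against the system trust store and
    checks the hostname.  Both are needed; chain validation without hostname
    checking still accepts any certificate issued to any other site."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 30.0) -> bytes:
    """Download an update over TLS with the given context (real network call)."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def verify_update(blob: bytes, expected_sha256_hex: str) -> bool:
    """Pin the installer to a digest obtained out of band (or from a signed
    manifest).  Even with a verifying TLS context this matters: a compromised
    mirror presents a valid certificate.  Constant-time compare avoids
    leaking how many digest bytes matched."""
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def run_update(downloader: Callable[[], bytes],
               expected_sha256_hex: str) -> Optional[bytes]:
    """Fetch via `downloader` and return the blob only if it verifies.
    A real updater would launch the returned installer with elevated
    privileges, which is exactly why this check must come first."""
    blob = downloader()
    if not verify_update(blob, expected_sha256_hex):
        return None
    return blob


# Constructed sample data (not real Samsung binaries) to exercise the check offline.
GENUINE_UPDATE = b"MZ\x90\x00 genuine installer (constructed sample)"
TAMPERED_UPDATE = b"MZ\x90\x00 attacker payload substituted on the wire"
PUBLISHED_DIGEST = hashlib.sha256(GENUINE_UPDATE).hexdigest()  # vendor-published value


if __name__ == "__main__":
    # Offline demonstration; a live updater would pass
    # lambda: fetch(UPDATE_URL, secure_context()) as the downloader.
    print("genuine accepted:", run_update(lambda: GENUINE_UPDATE, PUBLISHED_DIGEST) is not None)
    print("tampered accepted:", run_update(lambda: TAMPERED_UPDATE, PUBLISHED_DIGEST) is not None)
```

The digest check is what makes CERT's advice to fetch the fixed version manually sound in practice: a user who downloads the 5.1 installer by hand still has no assurance it is genuine unless its hash or signature is compared against a value obtained from the vendor over a verified channel.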
While Samsung patched this flaw, researchers accused the firm of leaving millions of phones vulnerable to backdoor attacks by failing to renew a domain. Samsung let a domain linked to S Suggest, a stock app on its phones that recommends popular apps, expire. Researchers told Vice's Motherboard that this left a foothold for attackers inside millions of smartphones and could give them the power to push malicious apps onto those devices.
Samsung disputed the claims, telling the publication that control of the domain does not allow threat actors to install malicious apps or take control of users' phones. Others pushed back on that response.
"Someone with bad intentions could have grabbed that domain and do nasty things to the phones," Anubis Labs Chief Technology Officer (CTO) João Gouveia, who reportedly took control of the domain on Monday, told Motherboard.
Samsung has yet to respond to SC Media for comment.