The latest maintenance release from Samsung will includesecurity patches that address several vulnerabilities capable of triggering arbitrarycode executions, causing memory corruptions, or rebooting factory reset protectionsand reactivation locks (FRP/RL).
In total, the update will fix seven flaws specific toGalaxy devices, in addition to six device-agnostic Android bugs that Googlepreviously identified in December and patched for its own Nexus mobile devicesearlier this month.
On its Mobile Security Blog, Samsung yesterday describedin detail six of the seven fixed Galaxy vulnerabilities, noting that one flawcannot yet be publicly disclosed. The three bugs that were labeled as critical weredescribed as follows:
“When a malformed BMP is scanned by a facial recognition library, it can trigger an arbitrary code execution as overwriting the return address from a stack or a register.”
“A malformed JPEG file can make memory corruption due to a flaw in ‘libQjpeg.so’ [the JPEG library] and it is possible to be used to exploit vulnerability.”
“A vulnerability from download mode can reset FRP/RL partition by using ‘Odin’ protocol.” (Odin is utility software used internally by Samsung.)
These patches constitute an ongoing effort by Samsungto follow Google’s example of issuing monthly Android security patches, a promise Samsung made following thediscovery of the infamous Stagefright bug in 2015.
“Thisis great for users. Finally, vendors are… providing monthlysecurity patches and updates, and I’m really excited to see that from amacro view,” said Zuk Avraham, founder and chairman at Zimperium, and head of thezLabs research division, which is credited for initially reporting the Stagefright bug. Avraham added that Samsung has “taken the cue from Google reallyseriously.”
Although Google had fixed some of these same Android-based bugsin its Nexus devices by early January, Avraham notes that Samsung’s reactiontime is not bad at all. “To see an update even within the same month [as Google] is a really important step in the right direction,” said Avraham,suggesting that in the future Samsung will shorten the timeframe even further. “In the past, it would have been a year, twoyears, maybe never.”