
Samsung security update fixes critical bugs hidden in Galaxy devices, Android OS

The latest maintenance release from Samsung will include security patches that address several vulnerabilities capable of triggering arbitrary code executions, causing memory corruptions, or rebooting factory reset protections and reactivation locks (FRP/RL).

In total, the update will fix seven flaws specific to Galaxy devices, in addition to six device-agnostic Android bugs that Google previously identified in December and patched for its own Nexus mobile devices earlier this month.

On its Mobile Security Blog, Samsung yesterday described in detail six of the seven fixed Galaxy vulnerabilities, noting that one flaw cannot yet be publicly disclosed. The three bugs that were labeled as critical were described as follows:

  • “When a malformed BMP is scanned by a facial recognition library, it can trigger an arbitrary code execution as overwriting the return address from a stack or a register.”
  • “A malformed JPEG file can make memory corruption due to a flaw in ‘libQjpeg.so’ [the JPEG library] and it is possible to be used to exploit vulnerability.”
  • “A vulnerability from download mode can reset FRP/RL partition by using ‘Odin’ protocol.” (Odin is utility software used internally by Samsung.)
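The first two bugs above are both instances of one defect class: an image parser trusts size fields in an attacker-controlled header and copies more data than its fixed buffer holds. The following C program is an added illustration written for this article, not code from Samsung's facial-recognition library or from libQjpeg.so. It parses a minimal BMP (BITMAPINFOHEADER) header, rejects inconsistent size fields before any copy happens, and only then moves a pixel row into a caller-sized buffer. The dimension limit `MAX_DIM`, the restriction to 24- and 32-bit-per-pixel images, and the sample files built by `make_bmp` are assumptions made for the example; `demo_case` packages four constructed inputs (one well-formed, three malformed) so the rejection codes can be checked.

```c
/* Added example: validating BMP header parse before copying pixel data.
 * Illustrative code only; not Samsung's library or libQjpeg.so. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_DIM 4096          /* assumed sane upper bound on width/height */
#define FILE_HDR 14           /* "BM" + size + reserved + pixel offset */
#define DIB_HDR 40            /* BITMAPINFOHEADER */

typedef struct {
    uint32_t width, height, bpp, pixel_offset, row_stride;
} bmp_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Parses and validates the header. Returns 0 on success, a negative code on rejection.
 * Every field that later drives a memory operation is bounded here first. */
int bmp_parse_header(const uint8_t *buf, size_t len, bmp_info_t *out)
{
    if (len < FILE_HDR + DIB_HDR) return -1;                 /* truncated header */
    if (buf[0] != 'B' || buf[1] != 'M') return -2;           /* bad magic */
    uint32_t pixel_offset = rd32(buf + 10);
    uint32_t dib_size = rd32(buf + 14);
    if (dib_size < DIB_HDR) return -3;
    int32_t w = (int32_t)rd32(buf + 18);
    int32_t h = (int32_t)rd32(buf + 22);                     /* negative = top-down image */
    uint16_t planes = rd16(buf + 26);
    uint16_t bpp = rd16(buf + 28);
    if (planes != 1) return -4;
    if (w <= 0 || w > MAX_DIM) return -5;                    /* absurd width */
    if (h == 0 || h < -MAX_DIM || h > MAX_DIM) return -6;    /* absurd height */
    if (bpp != 24 && bpp != 32) return -7;                   /* example supports only these */
    uint32_t abs_h = (uint32_t)(h < 0 ? -h : h);
    /* Rows are padded to 4 bytes; w and bpp are bounded, so this cannot overflow. */
    uint32_t stride = (((uint32_t)w * bpp + 31) / 32) * 4;
    uint64_t pixel_bytes = (uint64_t)stride * abs_h;
    if (pixel_offset < FILE_HDR + dib_size) return -8;       /* pixels overlap header */
    if (pixel_offset > len || pixel_bytes > len - pixel_offset) return -9; /* claims more than file holds */
    out->width = (uint32_t)w; out->height = abs_h; out->bpp = bpp;
    out->pixel_offset = pixel_offset; out->row_stride = stride;
    return 0;
}

/* Copies the first pixel row into dst only if it fits. The dst_len check is
 * exactly the comparison a return-address-smashing parser omits. */
int bmp_copy_first_row(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_len, bmp_info_t *info)
{
    int rc = bmp_parse_header(buf, len, info);
    if (rc != 0) return rc;
    if (info->row_stride > dst_len) return -10;
    memcpy(dst, buf + info->pixel_offset, info->row_stride);
    return 0;
}

/* Constructed sample builder: minimal 24-bpp BMP with the given header
 * dimensions and pixel_bytes bytes of zeroed pixel data. Returns file length. */
size_t make_bmp(uint8_t *out, size_t cap, int32_t w, int32_t h, size_t pixel_bytes)
{
    size_t total = FILE_HDR + DIB_HDR + pixel_bytes;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)total);
    wr32(out + 10, FILE_HDR + DIB_HDR);
    wr32(out + 14, DIB_HDR);
    wr32(out + 18, (uint32_t)w);
    wr32(out + 22, (uint32_t)h);
    wr16(out + 26, 1);
    wr16(out + 28, 24);
    return total;
}

/* Four constructed inputs (labelled): 0 well-formed 2x2; 1 huge width;
 * 2 header claims more pixels than the file contains; 3 row larger than dst. */
int demo_case(int which)
{
    uint8_t file[512], dst[64];
    bmp_info_t info;
    size_t len;
    switch (which) {
    case 0:  len = make_bmp(file, sizeof file, 2, 2, 16); break;
    case 1:  len = make_bmp(file, sizeof file, 1 << 20, 2, 16); break;
    case 2:  len = make_bmp(file, sizeof file, 2, 2, 4); break;
    default: len = make_bmp(file, sizeof file, 64, 1, 192); break;
    }
    return bmp_copy_first_row(file, len, dst, which == 3 ? 32 : sizeof dst, &info);
}

int main(void)
{
    for (int i = 0; i < 4; i++) printf("case %d -> %d\n", i, demo_case(i));
    return 0;
}
```

Each rejection happens before the `memcpy`, which is the property that matters: a malformed header can make the parser return an error, but it cannot make it write past `dst`. The same ordering (bound every header-derived length, then copy) applies to the JPEG case, where the lengths come from marker segments rather than a fixed 40-byte header.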

These patches constitute an ongoing effort by Samsung to follow Google's example of issuing monthly Android security patches, a promise Samsung made following the discovery of the infamous Stagefright bug in 2015.

“This is great for users. Finally, vendors are... providing monthly security patches and updates, and I'm really excited to see that from a macro view,” said Zuk Avraham, founder and chairman at Zimperium, and head of the zLabs research division, which is credited for initially reporting the Stagefright bug. Avraham added that Samsung has “taken the cue from Google really seriously.”

Although Google had fixed some of these same Android-based bugs in its Nexus devices by early January, Avraham notes that Samsung's reaction time is not bad at all. “To see an update even within the same month [as Google] is a really important step in the right direction,” said Avraham, suggesting that in the future Samsung will shorten the timeframe even further. “In the past, it would have been a year, two years, maybe never.”

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
