The latest maintenance release from Samsung will include security patches that address several vulnerabilities capable of triggering arbitrary code executions, causing memory corruptions, or rebooting factory reset protections and reactivation locks (FRP/RL).
In total, the update will fix seven flaws specific to Galaxy devices, in addition to six device-agnostic Android bugs that Google previously identified in December and patched for its own Nexus mobile devices earlier this month.
On its Mobile Security Blog, Samsung yesterday described in detail six of the seven fixed Galaxy vulnerabilities, noting that one flaw cannot yet be publicly disclosed. The three bugs that were labeled as critical were described as follows:
“When a malformed BMP is scanned by a facial recognition library, it can trigger an arbitrary code execution as overwriting the return address from a stack or a register.”
“A malformed JPEG file can make memory corruption due to a flaw in ‘libQjpeg.so' [the JPEG library] and it is possible to be used to exploit vulnerability.”
“A vulnerability from download mode can reset FRP/RL partition by using ‘Odin' protocol.” (Odin is utility software used internally by Samsung.)
These patches constitute an ongoing effort by Samsung to follow Google's example of issuing monthly Android security patches, a promise Samsung made following the discovery of the infamous Stagefright bug in 2015.
“This is great for users. Finally, vendors are... providing monthly security patches and updates, and I'm really excited to see that from a macro view,” said Zuk Avraham, founder and chairman at Zimperium, and head of the zLabs research division, which is credited for initially reporting the Stagefright bug. Avraham added that Samsung has "taken the cue from Google really seriously.”
Although Google had fixed some of these same Android-based bugs in its Nexus devices by early January, Avraham notes that Samsung's reaction time is not bad at all. “To see an update even within the same month [as Google] is a really important step in the right direction,” said Avraham, suggesting that in the future Samsung will shorten the timeframe even further. “In the past, it would have been a year, two years, maybe never.”