Samsung scrambles to plug Galaxy S6 Edge flaws

By on
Samsung scrambles to plug Galaxy S6 Edge flaws

Google's Project Zero elite hackers strike again.

Samsung has closed eight of 11 serious vulnerabilities found in its flagship Galaxy S6 Edge device by its Android operating system partner Google.

Most physical Android devices are made by other companies that use the Android Open Source Project (AOSP) and add their own customisations on top.

Google's Project Zero security research team undertook an effort to understand to what degree original equipment manufacturers introduced new and exploitable security bugs in the software.

The team also wanted to know how quickly vendors resolve bugs after they are reported.

"OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers," the team wrote.

Two teams of Project Zero researchers competed against each other for a week to "hack the Galaxy".

They found a total of 11 serious security issues through fuzzing (giving unexpected, invalid and/or random data to apps and programs) and code review.

Device drivers and media processing were identified as weak areas in Samsung's OEM software. Three logic issues were discovered that were easy to exploit.

The teams also found flaws in the Galaxy S6 software that permitted directory traversal, allowed users emails to be forwarded to another account, and five memory corruption issues in the way images are processed, three of which can be exploited by simply downloading a picture.

Samsung uses the US National Security Agency-developed Security Enhanced Linux (SELinux) extensions that "made it more difficult to attack the device", according to the Google researchers.

But SELinux does not completely protect devices against vulnerabilities, they said.

"...  we found three bugs that would allow an exploit to disable SELinux, so it’s not an effective mitigation against every bug."

Of the 11 security holes discovered and reported to Samsung, eight were fixed in the company's October maintenance release update. 

Three remaining vulnerabilities - considered by the Project Zero team  to be of lower severity - will be addressed this month.

The Google researchers commended Samsung for addressing the highest severity issues within 90 days.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
android galaxy edge s6 galaxy s6 google samsung security
In Partnership With

Most Read Articles

Australia gets world-first encryption busting laws

Australia gets world-first encryption busting laws
NAB's public cloud expansion ran without internal IT staff

NAB's public cloud expansion ran without internal IT staff
Ban Chrome as default browser, limit Facebook user data harvesting: ACCC crackdown

Ban Chrome as default browser, limit Facebook user data harvesting: ACCC crackdown
NBN Co may have to pay users stuck in congested wireless cells

NBN Co may have to pay users stuck in congested wireless cells
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Automate and secure IOT for Business
Automate and secure IOT for Business
Data Science and AI Solutions for Cybersecurity
Data Science and AI Solutions for Cybersecurity
Intro to AI for Security Professionals
Intro to AI for Security Professionals
Digital Transformation: Hope, or Hype?
Digital Transformation: Hope, or Hype?
How to choose a trusted IT provider
How to choose a trusted IT provider

Events

Log In

Username / Email:
Password:
  |  Forgot your password?