Samsung scrambles to plug Galaxy S6 Edge flaws

By on
Samsung scrambles to plug Galaxy S6 Edge flaws

Google's Project Zero elite hackers strike again.

Samsung has closed eight of 11 serious vulnerabilities found in its flagship Galaxy S6 Edge device by its Android operating system partner Google.

Most physical Android devices are made by other companies that use the Android Open Source Project (AOSP) and add their own customisations on top.

Google's Project Zero security research team undertook an effort to understand to what degree original equipment manufacturers introduced new and exploitable security bugs in the software.

The team also wanted to know how quickly vendors resolve bugs after they are reported.

"OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers," the team wrote.

Two teams of Project Zero researchers competed against each other for a week to "hack the Galaxy".

They found a total of 11 serious security issues through fuzzing (giving unexpected, invalid and/or random data to apps and programs) and code review.

Device drivers and media processing were identified as weak areas in Samsung's OEM software. Three logic issues were discovered that were easy to exploit.

The teams also found flaws in the Galaxy S6 software that permitted directory traversal, allowed users emails to be forwarded to another account, and five memory corruption issues in the way images are processed, three of which can be exploited by simply downloading a picture.

Samsung uses the US National Security Agency-developed Security Enhanced Linux (SELinux) extensions that "made it more difficult to attack the device", according to the Google researchers.

But SELinux does not completely protect devices against vulnerabilities, they said.

"...  we found three bugs that would allow an exploit to disable SELinux, so it’s not an effective mitigation against every bug."

Of the 11 security holes discovered and reported to Samsung, eight were fixed in the company's October maintenance release update. 

Three remaining vulnerabilities - considered by the Project Zero team  to be of lower severity - will be addressed this month.

The Google researchers commended Samsung for addressing the highest severity issues within 90 days.

Copyright © iTnews.com.au . All rights reserved.
Tags:
android galaxy edge s6 galaxy s6 google samsung security

Most Read Articles

Number of homes in NBN limbo balloons

Number of homes in NBN limbo balloons
Human Services casts doubt on Watson

Human Services casts doubt on Watson
MyGov gets a makeover

MyGov gets a makeover
ANZ Bank looks to DIY tech under Maile Carnegie

ANZ Bank looks to DIY tech under Maile Carnegie
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Growing companies have a growing interest in technology
Growing companies have a growing interest in technology
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
Building platforms for future health and education
Building platforms for future health and education
Breach Level Index Report
Breach Level Index Report
Data Security vs Human Behaviour
Data Security vs Human Behaviour

Events

Log In

Username:
Password:
|  Forgot your password?