Samsung scrambles to plug Galaxy S6 Edge flaws

By on
Samsung scrambles to plug Galaxy S6 Edge flaws

Google's Project Zero elite hackers strike again.

Samsung has closed eight of 11 serious vulnerabilities found in its flagship Galaxy S6 Edge device by its Android operating system partner Google.

Most physical Android devices are made by other companies that use the Android Open Source Project (AOSP) and add their own customisations on top.

Google's Project Zero security research team undertook an effort to understand to what degree original equipment manufacturers introduced new and exploitable security bugs in the software.

The team also wanted to know how quickly vendors resolve bugs after they are reported.

"OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers," the team wrote.

Two teams of Project Zero researchers competed against each other for a week to "hack the Galaxy".

They found a total of 11 serious security issues through fuzzing (giving unexpected, invalid and/or random data to apps and programs) and code review.

Device drivers and media processing were identified as weak areas in Samsung's OEM software. Three logic issues were discovered that were easy to exploit.

The teams also found flaws in the Galaxy S6 software that permitted directory traversal, allowed users emails to be forwarded to another account, and five memory corruption issues in the way images are processed, three of which can be exploited by simply downloading a picture.

Samsung uses the US National Security Agency-developed Security Enhanced Linux (SELinux) extensions that "made it more difficult to attack the device", according to the Google researchers.

But SELinux does not completely protect devices against vulnerabilities, they said.

"...  we found three bugs that would allow an exploit to disable SELinux, so it’s not an effective mitigation against every bug."

Of the 11 security holes discovered and reported to Samsung, eight were fixed in the company's October maintenance release update. 

Three remaining vulnerabilities - considered by the Project Zero team  to be of lower severity - will be addressed this month.

The Google researchers commended Samsung for addressing the highest severity issues within 90 days.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
android galaxy edge s6 galaxy s6 google samsung security
In Partnership With

Most Read Articles

Telstra to cut at least 8000 jobs

Telstra to cut at least 8000 jobs
UNSW loses data after IBM storage failure

UNSW loses data after IBM storage failure
PageUp People revises data impacted by breach

PageUp People revises data impacted by breach
Woolworths reveals large-scale 'farm to fork' IoT project

Woolworths reveals large-scale 'farm to fork' IoT project
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Managed Security Service Providers for Dummies
Managed Security Service Providers for Dummies
The Cost of Cloud Expertise report
The Cost of Cloud Expertise report
The business case for hyperconvergence
The business case for hyperconvergence
What Every CIO Should Know about DevOps & Container Guides by Puppet
What Every CIO Should Know about DevOps & Container Guides by Puppet
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators

Events

Most popular tech stories

Log In

Username / Email:
Password:
  |  Forgot your password?