Samsung scrambles to plug Galaxy S6 Edge flaws

Samsung has closed eight of 11 serious vulnerabilities found in its flagship Galaxy S6 Edge device by its Android operating system partner Google.

Most physical Android devices are made by other companies that use the Android Open Source Project (AOSP) and add their own customisations on top.

Google's Project Zero security research team undertook an effort to understand to what degree original equipment manufacturers introduced new and exploitable security bugs in the software.

The team also wanted to know how quickly vendors resolve bugs after they are reported.

"OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers," the team wrote.

Two teams of Project Zero researchers competed against each other for a week to "hack the Galaxy".

They found a total of 11 serious security issues through fuzzing (giving unexpected, invalid and/or random data to apps and programs) and code review.

Device drivers and media processing were identified as weak areas in Samsung's OEM software. Three logic issues were discovered that were easy to exploit.

The teams also found flaws in the Galaxy S6 software that permitted directory traversal, allowed users emails to be forwarded to another account, and five memory corruption issues in the way images are processed, three of which can be exploited by simply downloading a picture.

Samsung uses the US National Security Agency-developed Security Enhanced Linux (SELinux) extensions that "made it more difficult to attack the device", according to the Google researchers.

But SELinux does not completely protect devices against vulnerabilities, they said.

"...  we found three bugs that would allow an exploit to disable SELinux, so it’s not an effective mitigation against every bug."

Of the 11 security holes discovered and reported to Samsung, eight were fixed in the company's October maintenance release update. 

Three remaining vulnerabilities - considered by the Project Zero team  to be of lower severity - will be addressed this month.

The Google researchers commended Samsung for addressing the highest severity issues within 90 days.