UPDATED Friday, Jan. 22 with news of an Android patch and Google's assertion that most Android devices would have been protected anyway.
A Linux security vulnerability discovered recently has far-reaching consequences, as it affects wide swathes of Web servers and most Android devices. The flaw impacts Android 4.4 Kit Kat and later, and would let rogue apps delete files, access personal information and install programs that could lead to further damage.
This flaw was identified by Israeli security firm Perception Point, and lets installed software or local users elevate their system permissions to gain root access — full system control — without a root password. (The flaw cannot be exploited remotely, but a rogue app that locally exploited the flaw could let in more malware.) While computers and servers running Linux can expect a fix in the next few days, the fractured nature of the Android ecosystem means Android devices may have to wait much longer.
The bug, given the catalog number CVE-2016-0728, exposes an attack point through a memory leak committed in the keyrings facility of version 3.8 and later of the Linux kernel, which Android 4.4 and later uses. As its name suggests, the keyrings facility helps applications temporarily store security information including, but not limited to, authentication keys and encryption keys.
If an Android phone continues to go unpatched for this flaw, it may be targeted by rogue apps exploiting the vulnerability. According to a study released today (Jan. 19) by the Ann Arbor, Michigan-based security firm Duo, Android devices are currently spread out over at least 10 versions of the mobile operating system, and there are thousands of different Android devices, making it difficult to issue one patch that would protect all users.
We have three pieces of advice for Android users running KitKat or later. First, don't download apps from sources other than the Google Play Store. Second, run system updates when your carrier or phone maker pushes them down to your device. Last, next time you buy an Android phone, make sure it's from a manufacturer that issues regular or monthly security updates. (Currently, Google Nexus, Samsung, LG and Motorola do.)
Many of the smart-home appliances currently available also use the Linux kernel, but taking advantage of those bulbs and gadgets would likely require a lot of intentional work done on the spot. More at risk are smart TVs, as many use Linux and the state of smart-TV app security is ill-defined.
If you'd like to confirm the dangerous nature of this flaw, you can try out the proof-of-concept that Perception Point has shared on GitHub.
UPDATE: On Jan. 20, Android security engineer Adrian Ludwig announced on his Google+ page that the Android developers had "prepared a patch, which has been released to open source and provided to partners today."
As noted above, it may take weeks or months for the patch to be distributed to affected Android phones. But Ludwig asserted that the National Security Agency-designed SELinux module present in Android 5.0 Lollipop and above would many phones from the flaw. He added that many phones running Android 4.4 KitKat would also not be affected, as the choice of Linux kernel is up to the phone maker, and many choose not to use the latest kernel available for a certain build of Android.
"We believe that the number of Android devices affected is significantly smaller than initially reported," wrote Ludwig. "Devices with Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd-party applications from reaching the affected code. Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in linux kernel 3.8, as those news kernel versions [are] not common on older Android devices."
Perception Point, the Israeli company that publicized the Linux flaw, replied that SELinux would slow, but not stop, exploits of the flaw.
"It doesn't matter if the device has SELinux enabled or not," the company said in a statement given to the Threatpost security-news site. "Our research team is working on an exploitation for Android devices with SELinux enabled."
As ComputerWorld's Lucian Constantin pointed out, top Linux vendor RedHat said in its own post about the Linux flaw that SELinux did not lessen the problem.