Google is downplaying the scope of the critical Linux vulnerability patched this week, suggesting that the number of affected Android devices has been exaggerated.
The Android OS is built upon the Linux kernel, but minus many of the libraries that are included in standard Linux builds. Initially, startup Perception Point said that upwards of two-thirds of Android devices would be affected by the vulnerability. The flaw, introduced into the Linux source code in 2012, could be abused by a local attacker to elevate privileges on a Linux server or Android phone via a malicious mobile application.
On its end, Google has patched the flaw in the Android code and on Wednesday released the fix to open source and its partners. Google’s Adrian Ludwig, lead engineer for Android security, said the patch would be required on all devices with a patch level of March 1, 2016 or greater.
Ludwig, however, took issue with Perception Point’s estimates that as many as 66 percent of devices were affected.
“We believe that the number of Android devices affected is significantly smaller than initially reported,” Ludwig said, adding that Perception Point did not privately disclose the vulnerability to Google or the Android security team as it did with the Linux security team.
Perception Point cofounder and CEO Yevgeny Pats told Threatpost this week the vulnerability that it was unknown whether the flaw was under attack.
Ludwig, meanwhile, said that while vulnerability affects Linux versions 3.8 and higher, significantly fewer versions of Android are affected.
“We believe that no Nexus devices are vulnerable to exploitation by third party applications. Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents third party applications from reaching the affected code,” Ludwig said. “Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions are not common on older Android devices.”
Perception Point provided Threatpost with a statement this morning:
“As stated, the bug affects android versions with KitKat and higher and it doesn’t matter if the device has SELinux enabled or not. SELinux only affects the exploitation potential and as stated in the blog our research team is working on an exploitation for Android devices with SELinux enabled. The results of that will be published in the next blogpost. Nexus with the newest version comes with the keyring feature compiled in. So we are still standing behind the ~66% of all android devices are affected by the bug.”
According to the Android developers dashboard, 33.3 percent of devices are on the most recent versions of Android (Lollipop 5.0 and 5.1, and Marshmallow 6.0), while 36.1 percent of devices are on Android 4.4 (KitKat) and 24.7 percent are running Jelly Bean (4.1, 4.2, 4.3). Duo Labs, meanwhile, published a report this week that said most Android devices are woefully out of date and that fail basic security hygiene such as enabling a passcode. The report said that one in 20 Android devices are rooted (by comparison, Duo Labs said one in 250 iPhones are jailbroken), and that one in 10 devices don’t have a pre-boot passcode device encryption enabled.
The vulnerability, CVE-2016-0728, lives in the keyring facility built into the various flavors of Linux. The keyring encrypts and stores login information, encryption keys and certificates, and makes them available to applications. In a report published by Perception Point, researchers said the vulnerability is a reference leak that can be abused to ultimately execute code in the Linux kernel.
“User space applications give [keyring] the option to manage the crypto keys,” Pats said. “The user doesn’t have to manage keys; the OS does it for the application. Apps use it for security reasons. When they want to apps to work with crypto, they use this feature. The feature has kernel access; the OS gives the userland app the ability to use this feature. The problem is that the code runs in the kernel.”