Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Samsung Patches Critical Vulnerabilities in Android Devices

Samsung has released a maintenance update for its major Android flagship Galaxy models to resolve 16 vulnerabilities in these devices.

Samsung has released a maintenance update for its major Android flagship Galaxy models to resolve 16 vulnerabilities in these devices.

The updates, available as part of the company’s monthly Security Maintenance Release (SMR) process, include all patches released by Google up to its January 2016 Android Security Bulletin. The release also includes several Samsung Vulnerabilities and Exposures (SVE) items.

Samsung’s January 2016 SMR includes a patch for a remote code execution (RCE) vulnerability in Android Mediaserver (CVE-2015-6636) rated as Critical. During the media file and data processing of a specially crafted file, an attacker could exploit the flaw to cause memory corruption and remote code execution.The vulnerability appears to be similar in scope to the “Stagefright” vulnerability that was disclosed in July 2015, which affected nearly one billion Android devices. Google’s initial patch did not properly address the mediaserver service flaw.

Another Critical flaw addressed in the updates is CVE-2015-6617, a flaw in Skia that allows remote attackers to execute arbitrary code or cause a denial of service via a crafted media file. The vulnerability was resolved by Google in the December 2015 bulletin, and Samsung included it in its December SMR too.

This month, Samsung Android devices also received fixes for a series of Android flaws rated Medium risk, such as CVE-2015-6643, CVE-2015-5310, CVE-2015-6644, CVE-2015-6645, all of which were patched in Google’s December 2015 or January 2016 updates for the Nexus devices.

Of the 7 SVE items included in Samsung’s January 2016 SMR, three are rated Critical and could result in arbitrary code execution, memory corruption, or FRP/RL bypass. The first could be triggered when a malformed BMP image is scanned by a facial recognition library, the second is a flaw in ‘libQjpeg.so’ and can be triggered by a malformed JPEG file, while the third is a bug in download mode that can reset the FRP/RL partition by using ‘Odin’ protocol, according to the release notes.

Samsung also patched a vulnerability resulting from a combination of unprivileged local apps being able to access some providers and an SQL injection (SQLi) flaw, which allowed applications to access all messages from SecEmail. The update also resolves a memory corruption issue rated Medium, along with a Low rated bug that could cause crashes when malicious service commands were called.

Samsung didn’t provide information on all SVEs included in the package, but revealed that at least two of the bugs affect the Samsung Galaxy S6 smartphone. Users are advised to install the security updates as soon as possible, to ensure their devices are protected from any attempts to exploit the fixed vulnerabilities.

Advertisement. Scroll to continue reading.

Samsung began delivering monthly updates to its Android users in October 2015, after announcing such plans in August. The move followed Google’s decision to resolve flaws in the mobile OS on a monthly basis, after the critical “Stagefright” vulnerability  was found in July to affect nearly one billion devices. 

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Tim McKnight has joined UnitedHealth Group as CISO following the Change Healthcare ransomware attack.

Zach Furness has joined MITRE as CISO.

Gregg R. Kendrick has been named CISO at Vanderbilt University.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.