Samsung Tizen Accused of Being Home to at Least 27,000 Findable Bugs

A purveyor of static code analysis wished to pitch his product to Samsung. What better way, he thought, than to run his product against the Samsung Tizen operating system, and demonstrate the results. The demonstration fell through, and the purveyor decided instead to publish his findings.

The purveyor is Andrey Karpov, CTO at “Program Verification Systems” Co Ltd and one of the developers of PVS-Studio. In a report published Wednesday, he claims that PVS-Studio would find 27,000 coding errors in Tizen. He actually checked only 3.3% of the code, but having found about 900 errors in that sample, he extrapolates to roughly 27,000 across the whole codebase.

If his figures are correct, it could be a lot worse. He suggests that one use of PVS-Studio will detect “more than 10% of errors that are present in the code.” Regular use would push that up to about 20% of the errors — but either way, if his figures are correct, the implication is that Tizen potentially houses more than 250,000 bugs.

Tizen is a Linux-based open-source operating system designed for wide use in Samsung products: smartphones, tablets, smart TVs, smart watches, cameras and PCs. The project started in 2013, and by 2015 it had reached smartphones. Today it can be found on millions of devices and especially smart TVs.

Tizen is not new to controversy. Earlier this year security researcher Amihai Neiderman, then at Israeli firm Equus Technologies, reported the presence of 40 zero-day vulnerabilities in Tizen. “Right now, Tizen isn’t mature enough, isn’t ready enough to be sent to the public like this,” he commented. “If those vulnerabilities I found in a few hours of research, then somebody who’s really going to dedicate himself to be a Tizen researcher will find way more vulnerabilities.”

27,000 bugs do not translate to 27,000 vulnerabilities — but some of them could. For example, Karpov claims to have found 52 errors in which private data is not cleared. Only one is in the direct Samsung code — the rest are in third-party libraries used in Tizen. “I think this is a serious omission,” he writes, “since it does not matter which part of the program will be erroneous, when private data will remain somewhere in memory and then someone will use it.”
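The “private data is not cleared” class Karpov refers to is, in C, usually a memset of a secret buffer just before it goes out of scope or is freed: because nothing reads the buffer afterwards, the optimizer may drop the memset as a dead store and the secret stays in memory. The following is an added illustration, not code from Tizen, PVS-Studio or Karpov's report; the function names and the sample secret are assumed for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape (not tested below, since the buffer is freed):
 * the memset is the last use of buf, so a compiler is allowed to treat it
 * as a dead store and remove it. The secret then survives in freed memory. */
void free_after_plain_memset(char *buf, size_t n) {
    memset(buf, 0, n);   /* may be optimized away */
    free(buf);
}

/* Hardened wipe: every store goes through a volatile pointer, which the
 * optimizer must treat as an observable side effect and therefore keep.
 * Same intent as explicit_bzero() / memset_s(), written out portably. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 when every byte in p[0..n) is zero; used to verify a wipe. */
int is_zeroed(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= b[i];
    }
    return acc == 0;
}

/* Safe handling of a heap-allocated secret: wipe with secure_wipe() before
 * free(). Returns 1 if the buffer was fully cleared, 0 on allocation failure. */
int handle_secret_safely(void) {
    const char secret[] = "constructed-sample-secret";  /* constructed value */
    size_t n = sizeof secret;
    char *buf = (char *)malloc(n);
    if (buf == NULL) {
        return 0;
    }
    memcpy(buf, secret, n);
    /* ... the secret would be used here ... */
    secure_wipe(buf, n);
    int cleared = is_zeroed(buf, n);
    free(buf);
    return cleared;
}
```

Static analyzers report the first shape because the write has no subsequent reader; the second shape gives the compiler no licence to elide it.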

Karpov wrote an open letter to Samsung in May 2017. He described a number of the errors he had found, and said “Our team is willing to work on improving the quality of Tizen project. The text contains remarks to the code fragments, but this is not criticism. All projects have bugs. The aim was to show by real examples that we aren’t talking about abstract recommendations concerning the code improvement, but about real defects that we can find and fix.”

Samsung’s Youil Kim rejected the approach. Stating that “We currently have our own static analysis tool and run it regularly for Tizen,” Kim added, “However, we don’t agree that Tizen has 27,000 defects that should be fixed.”

Karpov begs to differ. 

SecurityWeek has reached out to Samsung for a statement on this issue, but has had no response at the time of writing. If one is received, it will be appended to the post.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
