Google plays down impact of kernel flaw as it releases Android patch

Android lead security engineer Adrian Ludwig has announced that a patch has been released to manufacturers to fix a vulnerability in the Linux kernel that was said to also affect Android devices.

But there are some differences in the evaluation of the vulnerability which was announced a few days back by the Israel-based firm Perception Point.

The firm said the flaw affected all versions of the kernel from 3.8 onwards and permitted local privilege escalation to root. It was said to be due to a flaw in the keyring facility, which encrypts and retains information, encryption keys and certificates and provides them to applications.

Perception Point claimed all platforms, including ARM, are vulnerable, thus differentiating the flaw from many others which only affect the x86 and AMD platforms. This effectively meant all Android devices with 3.8 kernels and above were affected and could potentially be exploited by means of a malicious mobile app.

In his announcement, Ludwig said the patch released by Google would be required on all devices which had a security patch level of March 1, 2016. When an Android device is manufactured, information is provided about the date to which it is patched, and this is what the security patch level refers to.

Ludwig contradicted the claims of Perception Point that all Android devices with 3.8 kernels and above were vulnerable.

"We believe that no Nexus devices are vulnerable to exploitation by 3rd party applications," he wrote.

"Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd party applications from reaching the affected code."

This contradicts Red Hat's advisory, issued when it released its own patch for the flaw, which said that use of SELinux did not mitigate the issue. The other big Linux company, SUSE, has released its own patch.

Ludwig added: "Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in linux kernel 3.8, as those newer kernel versions (are) not common on older Android devices."

Release of the patch does not mean that it will be available to users any time soon, as each device is patched only by its vendor.




Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.





