Google plays down impact of kernel flaw as it releases Android patch

Android lead security engineer Adrian Ludwig has announced that a patch has been released to manufacturers to fix a vulnerability in the Linux kernel that was said to also affect Android devices.

But there are some differences in the evaluation of the vulnerability, which was announced a few days back by the Israel-based firm Perception Point.

The firm said the flaw would affect all versions of the kernel from 3.8 onwards and that it permitted local privilege escalation to root. It was said to be due to a flaw in the keyring facility, which encrypts and retains information, encryption keys and certificates and provides them to applications.

Perception Point claimed all platforms, including ARM, are vulnerable, thus differentiating the flaw from many others which only affect the x86 and AMD platforms. This effectively meant all Android devices with 3.8 kernels and above were affected and could potentially be exploited by means of a malicious mobile app.

In his announcement, Ludwig said the patch released by Google would be required on all devices which had a security patch level of March 1, 2016. When an Android device is manufactured, information is provided about the date to which it is patched, and this is what the security patch level refers to.

Ludwig contradicted the claims of Perception Point that all Android devices with 3.8 kernels and above were vulnerable.

"We believe that no Nexus devices are vulnerable to exploitation by 3rd party applications," he wrote.

"Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd party applications from reaching the affected code."

This contradicts the advisory put out by Red Hat when it released its own patch for the flaw; that advisory said that use of SELinux did not mitigate the issue. The other big Linux company, SUSE, has released its own patch.

Ludwig added: "Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in linux kernel 3.8, as those newer kernel versions (are) not common on older Android devices."

Release of the patch does not mean that it will be available to users any time soon, as each device is patched only by its vendor.




Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.