Android terminals likely to run a vulnerable version of the Linux kernel are not so numerous according to Google. And the devices concerned are protected by SELinux.
Taken by surprise by the revelation of a zero-day flaw in the Linux kernel this week, Google quickly developed a patch for Android that it distributed to device manufacturers. However, it may take several weeks before they begin to update the OS by including the correction. However, according to Google’s estimates, the flaw would not affect as many Android devices as this. The privilege escalation vulnerability allows attackers to take control of Linux systems from a limited account or by tricking users with a malicious application. It was discovered by researchers from the security research company Perception Point.
The researchers warned the team that maintains the Linux kernel, as well as Red Hat, before revealing the flaw last Tuesday. On the other hand, they did not contact the Android security team when they indicated that, according to them, 66% of terminals operating Google’s mobile OS were potentially vulnerable. Their estimate was based on the fact that the flaw affected all Linux kernel versions from 3.8 and that these kernels are used in Android from version 4.4 (KitKat).
Not all vendors update the kernel
But in the Android world, the kernel version depends more on the choice of the device manufacturer than on the version of Android installed on it. Manufacturers do not necessarily update the kernel when they create an OS based on new versions of Android, especially for older devices.
In a post, Adrian Ludwig, Android security manager, clarifies that many devices running Android 4.4 or earlier versions do not contain the vulnerable code introduced in the Linux kernel 3.8, since these new versions are not common on older devices. Android. He also explains that devices running Android 5.0 (Lollipop) and more recent versions of the OS are protected even if they use vulnerable kernels, because the OS is here protected by the Security-Enhanced Linux module (SELinux ) of the nucleus.
Patch required on devices updated on March 1, 2016
The Android SELinux policy for these releases prevents third-party apps from reaching the affected code, Ludwig said, adding that none of the Nexus devices are affected. This seems to contradict both Perception Point researchers, who wrote that there are some ways around SELinux, and Red Hat, which mentions in its own advisory that SELinux does not work around this problem.
Adrian Ludwig specifies that the patch created by Google will be required on all terminals that indicate in the settings of their smartphones a security update dated 1er March 2016 or later. However, this does not force manufacturers to integrate it before this date or on old terminals.