J
Josh Levenson
Guest
Samsung appears to be sticking to the commitment it made in August 2015 when it vowed to distribute monthly security updates to its flagship smartphones to prevent them from being open to any major intrusions, like the Stagefright vulnerability which infected over 20,000 devices last year or the Heartbleed loophole that shook the Android ecosystem back in 2014, as the South Korean company has started pushing out Google’s latest security patch for the Galaxy S6 trio and the Galaxy Note 5.
This latest upgrade fixes a multitude of issues, including a handful of “critical” bugs, which could have resulted in devices being remotely accessed if not dealt with correctly. Some patches have purposely been left anonymous, presumably for security reasons, because if they were highlighted, hackers would have had the means to execute a system-wide attack prior to the upgrade being completed.
The changelog can be seen below:
SVE-2015-4958: msm_sensor_config security issues
Severity: Medium
Affected versions: KK(4.4) and L with APQ8084, MSM8974, and MSM8974pro chipset
Reported on: September 25, 2015
Disclosure status: This issue is publicly known.
A vulnerability using without checking the boundary of buffers can lead to memory corruption.
The applied patch avoids an illegal access to memory by checking the boundary.
Severity: Medium
Affected versions: KK(4.4) and L with APQ8084, MSM8974, and MSM8974pro chipset
Reported on: September 25, 2015
Disclosure status: This issue is publicly known.
A vulnerability using without checking the boundary of buffers can lead to memory corruption.
The applied patch avoids an illegal access to memory by checking the boundary.
SVE-2015-5081: Exposed provider and SQLi in SecEmailSync
Severity: High
Affected versions: L(5.0/5.1)
Reported on: October 10, 2015
Disclosure status: This issue is publicly known.
The combination of allowing unprivileged local applications to access some providers and having SQL injection (SQLi) vulnerability can enable any application to access all messages from ‘SecEmail.
The supplied patch prevents SQLi vulnerability by changing query code and unprivileged access by restricting the permission.
Severity: High
Affected versions: L(5.0/5.1)
Reported on: October 10, 2015
Disclosure status: This issue is publicly known.
The combination of allowing unprivileged local applications to access some providers and having SQL injection (SQLi) vulnerability can enable any application to access all messages from ‘SecEmail.
The supplied patch prevents SQLi vulnerability by changing query code and unprivileged access by restricting the permission.
SVE-2015-5109: Samsung Galaxy S6: android.media.process Face Recognition Memory Corruption (MdConvertLine)
Severity: Critical
Affected versions: KK(4.2/4.3/4.4), L(5.0/5.1)
Reported on: October 7, 2015
Disclosure status: This issue is publicly known.
When a malformed BMP image is scanned by a facial recognition library, it can trigger an arbitrary code execution as overwriting the return address from a stack or a register.
The newly released ‘libfacerecognition’ library includes a defense code for prevention of memory corruption.
Severity: Critical
Affected versions: KK(4.2/4.3/4.4), L(5.0/5.1)
Reported on: October 7, 2015
Disclosure status: This issue is publicly known.
When a malformed BMP image is scanned by a facial recognition library, it can trigger an arbitrary code execution as overwriting the return address from a stack or a register.
The newly released ‘libfacerecognition’ library includes a defense code for prevention of memory corruption.
SVE-2015-5110: Samsung Galaxy S6: libQjpeg je_free Crash
Severity: Critical
Affected versions: L(5.0/5.1)
Reported on: November 7, 2015
Disclosure status: This issue is publicly known.
A malformed JPEG file can make memory corruption due to a flaw in ‘libQjpeg.so’ and it is possible to be used to exploit vulnerability.
The newly released ‘libQjpeg’ library includes a defense code for prevention of memory corruption.
Severity: Critical
Affected versions: L(5.0/5.1)
Reported on: November 7, 2015
Disclosure status: This issue is publicly known.
A malformed JPEG file can make memory corruption due to a flaw in ‘libQjpeg.so’ and it is possible to be used to exploit vulnerability.
The newly released ‘libQjpeg’ library includes a defense code for prevention of memory corruption.
SVE-2015-5131: FRP/RL Bypass issue by hacking tools
Severity: Critical
Affected versions: All devices supporting FRP/RL
Reported on: November 11, 2015
Disclosure status: This issue is publicly known.
A vulnerability from download mode can reset FRP/RL partition by using ‘Odin’ protocol.
The applied patch is concerned with bootloader which is a confidential part even inside of Samsung.
Severity: Critical
Affected versions: All devices supporting FRP/RL
Reported on: November 11, 2015
Disclosure status: This issue is publicly known.
A vulnerability from download mode can reset FRP/RL partition by using ‘Odin’ protocol.
The applied patch is concerned with bootloader which is a confidential part even inside of Samsung.
SVE-2015-5133: IAndroidShm IAPAService service DoS
Severity: Low
Affected versions: KK(4.4), L(5.0/5.1)
Reported on: October 30, 2015
Disclosure status: This issue is publicly known.
A vulnerability without proper exception handling in system services can lead to crash by calling malicious service commands.
The applied patch prevents crash by checking the condition of service commands.
Severity: Low
Affected versions: KK(4.4), L(5.0/5.1)
Reported on: October 30, 2015
Disclosure status: This issue is publicly known.
A vulnerability without proper exception handling in system services can lead to crash by calling malicious service commands.
The applied patch prevents crash by checking the condition of service commands.
As is the norm, this update is being distributed in stages. To see if it’s ready for your device head into Settings, scroll to the bottom and tap on “About Device”, hit “System Updates”, then select “Check for updates”. Alternatively, you can wait until you receive a push notification prompting you to install the update.
Source: Samsung
Come comment on this article: Samsung now pushing out security update for the Galaxy S6 trio and Galaxy Note 5
Visit TalkAndroid for Android news, Android guides, and much more!
News via TalkAndroid