Google Downplays Linux Vulnerability for Android; Releases Patch

Google has refuted a recent security report that claimed two-third of smartphones and tablets running its Android operating system as exposed to attacks due to a Linux kernel vulnerability. The Mountain View-based company says that the actual number of devices that are affected by the "keyrings" bug is significantly smaller. Furthermore, the company has released a security patch to AOSP and OEMs.

Adrian Ludwig, security lead for Android at Google, in a Google+ post Thursday said, "We have prepared a patch, which has been released to open source and provided to partners today. This patch will be required on all devices with a security patch level of March 1 2016 or greater."

Security firm Perception Point reported earlier this week about a three-year flaw in Linux kernel version 3.8 that could be exploited by an attacker to perform kernel code execution and gain root level access on the targeted system. In the report, the firm added that this affects as many as 66-percent of all Android devices.

As we had pointed out, not all versions of Android - hence not as many devices - could be vulnerable as many Android versions are based on Linux kernel 3.4 or lower. Google said that many devices running Android 4.4 (KitKat) and lower are not vulnerable as those versions "do not contain the vulnerable code introduced in linux kernel 3.8."

Google's head of security for Android said that the company believes no Nexus handsets are affected, and smartphones and tablets among other devices running Android 5.0 and above are protected too, "as the Android SELinux policy prevents third party applications from reaching the affected code."

Ludwig added he wasn't happy with the way Perception Point and Red Hat handled the issue, adding that they should have given Google prior notice about the vulnerability before publicly disclosing it.

As Perception Point reported earlier, the vulnerability dubbed as CVE-2016-0728, resides in a component called keyrings which stores encryption keys and stores login information and provides it to other applications. Many Linux distributions have assured that they will shortly issue the security patch. Perception Point noted in its original report that it wasn't aware of any security exploitation around keyrings vulnerability in the wild.