A dozen flaws have been found in Samsung's build of the Android operating
system running on Samsung Galaxy S6 Edge smartphones by researchers from Google's
Project Zero.
However, Samsung claims to have patched most of the
vulnerabilities.
According to the researchers, the flaws could allow an attacker to
manipulate the privileges the device assigns to its apps and to access a
victim's emails, among other threats.
The research team reported the vulnerabilities to Samsung in late July,
and eight of them were addressed by the vendor with its October maintenance
release. The company has committed to patching the remaining three security
bugs later this month.
Project Zero wanted to put the security of an OEM device to the test to see
how it compares against Google's Nexus devices, for which the Internet giant
has started releasing monthly security updates.
“The majority of Android devices are not made by Google, but
by external companies known as Original Equipment Manufacturers or OEMs which
use the Android Open-Source Project (AOSP) as the basis for mobile devices
which they manufacture. OEMs are an important area for Android security
research, as they introduce additional (and possibly vulnerable) code into
Android devices at all privilege levels, and they decide the frequency of the
security updates that they provide for their devices to carriers,” Project Zero
researcher Natalie Silvanovich said in a blog post.
The researchers, who were tasked with finding vulnerabilities, looked for
three types of issues that can form part of a kernel privilege escalation
exploit chain: gaining remote access to contacts, photos and messages; gaining
access to the same data from a Google Play application that requires no
permissions; and using that access to execute code persistently, even after a
device wipe.
“Each team worked on three challenges, which we feel are
representative of the security boundaries of Android that are typically
attacked. They could also be considered components of an exploit chain that
escalates to kernel privileges from a remote or local starting point,” Silvanovich
said.
Among the eleven high-severity issues, the most serious is a path traversal
vulnerability (CVE-2015-7888) in the Samsung WifiHs20UtilityService service,
which can be exploited to write arbitrary files on the system.
The email client installed on Samsung Galaxy S6 Edge devices is also affected
by a serious flaw (CVE-2015-7889), which allows an attacker to forward a user's
emails to a different account via a series of intents sent from an unprivileged
application. Another email client issue (CVE-2015-7893) can be exploited to
execute arbitrary JavaScript code embedded in a message.
Google's researchers also found issues in device drivers (CVE-2015-7890,
CVE-2015-7891, CVE-2015-7892) and in image parsing (CVE-2015-7894,
CVE-2015-7895, CVE-2015-7896, CVE-2015-7897, CVE-2015-7898).
“Overall, we found a substantial number of high-severity
issues, though there were some effective security measures on the device which
slowed us down. The weak areas seemed to be device drivers and media
processing. We found issues very quickly in these areas through fuzzing and
code review. It was also surprising that we found the three logic issues that
are trivial to exploit. These types of issues are especially concerning, as the
time to find, exploit and use the issue is very short,” Silvanovich explained.