May 29, 2017 | Updated: 07:08 PM EDT

Alarming Discovery: A Linux Bug That Allows Access To Root; Bug May Affect Android Phones

Jan 20, 2016 01:40 AM EST

Binary
An illustration picture shows a projection of binary code including cyrillic words onto a man, taken in Warsaw, Poland.

Just when we thought that restricting root access was enough to keep security vulnerabilities at bay, a report of a vulnerability in the Linux kernel, one that gives hackers possible access to the kernel’s root account, made the rounds of the tech blogs. The news of this vulnerability is important to Android users because remember, Android is based on Linux.

The system loophole, or bug, was discovered by security firm Perception Point and has been dubbed as the “CVE-2016-0728,” a zero-day vulnerability. The vulnerability is called a “Zero-Day Vulnerability,” meaning a flaw that is unknown to the vendor. As of the moment, the report of the said flaw has gone viral, and yes, Linux OEMs are working round the clock to create patches for the said flaw.

According to Perception Point, this bug may affect 66 percent of Android devices. That is a vast majority of the market, and if the bug is exploited, this could mean millions of devices exposed to possible malware or even hacking.

Tech pundits are rather concerned about how the flaw could be patched on the Android, however. Given that the diversity of the Android OSes being used across the market, plus the issue of Android forking, the mere thought of rolling out a patch that could be applicable across the board is already a nightmare. However, Richard Chirgwin, writing for Security in The Register UK, points out a rather interesting concept.

According to Chirgwin, it would take around 4,294,967,296 “system calls” on a PC in order for that particular loophole to be exploited. To the layperson, this means that if a persistent hacker wanted to get at the root, it would take that amount of data cycles in order for them to get into Root, and do whatever they want to the system. On an Intel Core i7-powered PC, this amount of data took them 30 minutes to get through. So as Chirgwin analyzed, it may take an ARM-powered phone more time and more processing power to get to a point where the exploit/bug would be usable to a very persistent hacker.

Is it right for Chirgwin to downplay the flaw? Or is it right for the rest of the blogosphere to panic? In any case, the rest of the Android-using universe will have to wait for the experts to say with full finality, whether to be as concerned about this flaw as we had been with Stagefright.

***

The original Perception Point report: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/

The report by Richard Chirgwin: http://www.theregister.co.uk/2016/01/19/linux_kernel_keyrings_get_privilege_escalation_patch/

With notes from Ars Technica: http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-millions-of-pcs-servers-and-android-phones/

The definition of a “Zero-Day Vulnerability”: http://www.pctools.com/security-news/zero-day-vulnerability/