After news of the Linux zero-day vulnerability came out and sent waves of alarm through the tech world, Google has responded: it is now working on a patch that will be rolled out across all Android devices on March 1. Moreover, Adrian Ludwig, in a G+ post published on behalf of the Android Security Team, said that they believe a smaller percentage of Android devices is affected.
The post from Adrian Ludwig’s Google+ Account: https://plus.google.com/u/1/+AdrianLudwig/posts/KxHcLPgSPoY
Truth be told, The Register’s take on the matter may actually be correct: the current hardware used in Android devices may not even be capable enough for a potential hacker to generate as many data cycles as needed to exploit that vulnerability. What is more, such an exploit may require the potential hacker to have physical access to the device, and that’s not exactly a probable thing, unless, of course, someone manages to develop a very sophisticated malware program that can be deployed remotely and is able to impose as many cycles as 4,294,967,296 system calls on an Android device.
By the time someone figures out how to code that, the Android Security Team may have already rolled out and applied the patch to Android devices across the world.
The Register UK’s take on CVE-2016-0728: http://www.theregister.co.uk/2016/01/19/linux_kernel_keyrings_get_privil...
On the other hand, an onlooker may find it off-putting that the Android Security Team at Google was rather defensive in its response. Engadget reported, in no uncertain terms, that “Google, […] fired back strongly at the claim.” The tech outlet also inferred that Google may have done so “[…] Particularly because it wasn't given the usual window to address the flaw before it was publicly released.”
Whether that’s an accurate estimation of why Google “fired back strongly” or just pure speculation on Engadget’s part is a moot point, really. The fact remains that Google’s Android Security Team was caught off guard, and the report of the flaw went to press before the team could craft a more diplomatic response, or one that reassures the public that they’re already working on the task.
In any case, there is a point from Adrian Ludwig’s G+ post that must not be missed: “[…] Many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions are not common on older Android devices.”
Hopefully that part of Adrian Ludwig’s statement was not released just to appease concerned tech pundits, developers and end users alike. Hopefully they’re telling the truth, and their statement, “No Nexus devices are vulnerable to exploitation by 3rd party applications,” is also true.
The previous Droid Report on CVE-2016-0728: http://www.droidreport.com/alarming-discovery-linux-bug-allows-access-ro...
The Engadget report on Google/The Android Security Team’s reaction: http://www.engadget.com/2016/01/21/google-denies-linux-flaw-is-a-serious...