It's the start of a new month, which means that Google has released its latest security update for its own Nexus and Pixel devices and has also notified partners of its findings. As a result, Samsung has now released its own findings and issued a post on what fixes will be made with the release of its update.
While Samsung has listed several security issues, there are some that have not been disclosed. The list can be seen below.
SVE-2016-6942: Security issue on package name check logic on SVoice
Severity: Medium
Affected versions: L(5.0/5.1), M(6.0)
Reported on: August 4, 2016
Disclosure status: Privately disclosed.
There are two SVoice vulnerabilities. One is a Hare hunting vulnerability with insufficient verification when installing applications, and the other allows the provider to be seized by any other application that uses a custom provider without declaring any permission.
The patch fixes SVoice to find the exact applications with proper verification and adds protection to the provider by declaring required permission.
SVE-2016-7123: Crash on InputMethod via unprotected receiver using specific intent
Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: September 21, 2016
Disclosure status: Privately disclosed.
The vulnerability in several Receiver components of the InputMethod application can result in a crash and a restart of the system UI when malformed serializable objects are passed.
The patch complements the exception handling routine to prevent the crash.
SVE-2016-7180: Contact list leakage in logfile via broadcasting unprotected intent
Severity: Low
Affected versions: M(6.0), N(7.0)
Reported on: September 16, 2016
Disclosure status: Privately disclosed.
The vulnerability exposes contact information and the list of installed applications in the system-accessible log.
The patch removes the problematic code.
¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.
Like previous security updates, they will arrive over the air on supported handsets. While the February update has been detailed, don't expect the updates to arrive overnight. Last month's security update took nearly a month to arrive on handsets like the S6 and S6 edge+. Unfortunately, there isn't a concrete timetable for updates, but if anxious, you can always hit the manual update option in the settings menu to check if it is available.
Source: Samsung via SamMobile | Image via Samsung