Linux flaw puts millions of PCs, Android smart devices at risk

(The flaw cannot be exploited remotely, but a rogue app that locally exploited the flaw could let in more malware.) While computers and servers running Linux can expect a fix in the next few days, the fractured nature of the Android ecosystem means Android devices may have to wait much longer.

The bug lies in the code that implements Linux’s keyrings facility, which is “primarily a way for drivers to retain or cache security data, authentication keys, encryption keys, and other data”.

Any machine with Linux Kernel 3.8 or higher is vulnerable, he said, including tens of millions of Linux PCs and servers, both 32-bit and 64-bit. “Every Linux server needs to be patched as soon the patch is out”, Yevgeny Pats, co-founder and CEO of Perception Point, told Threat Post. The bug, outlined in more depth here but described as “fairly straightforward”, can ultimately allow an attacker to pose as a local user and gain root access to a device.

Using the vulnerability – which has existed since 2012 – an attacker can delete files, install programs and view private information. On smartphones running Android versions KitKat and later, it can allow a malicious app to break out of the normal security sandbox to gain control of underlying OS functions. While Perception Point says the sensitivity has yet to be exploited, the risk is still real for now. The reportedly vulnerability has been around for nearly three years.

Unfortunately for Android users, security updates like this can be slow in coming, if you even get them at all. Major Linux distributors are expected to release a patch for the bug this week.

There is no evidence that the vulnerability has been exploited in the wild. According to a study released today (Jan. 19) by the Ann Arbor, Michigan-based security firm Duo, Android devices are now spread out over at least 10 versions of the mobile operating system, and there are thousands of different Android devices, making it hard to issue one patch that would protect all users.

On Tuesday, the Perception Point research team penned a blog post explaining the bug and walking through their proof-of-concept exploit, as well as noting that the bug had been reported to those maintaining the kernel.