Samsung has published the details of the security updates it is about to release for its Android smartphones. Publishing this information is part of the new policy adopted by the Korean company (and by other market leaders as well), which gives updates of this kind greater prominence.
Samsung's December update incorporates all the security improvements Google has prepared for this month. Not all of the exploits that have been fixed are listed, in order to protect users who have not yet received the updates.
The security updates concern in particular the Galaxy S5, Galaxy S6, Galaxy S6 Edge, Galaxy S6 Edge+, Galaxy Note 4, Galaxy Note 5 and Galaxy Note Edge smartphones, and the Galaxy Tab S and Galaxy Tab S2 tablets.
SMR-DEC-2015
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.
Google patches include all patches up to Android Security Bulletin - December 2015 package.
The Bulletin (December 2015) has 24 items, which also contain the following 19 CVE items:
CVE-2015-6616*, CVE-2015-6617, CVE-2015-6619, CVE-2015-6633, CVE-2015-6634, CVE-2015-6618, CVE-2015-6620*, CVE-2015-6621, CVE-2015-6622, CVE-2015-6623, CVE-2015-6624, CVE-2015-6625, CVE-2015-6626*, CVE-2015-6627, CVE-2015-6628*, CVE-2015-6629, CVE-2015-6630, CVE-2015-6631*, CVE-2015-6632*.
(* Stagefright related CVE items)
※ Please see Android Security Bulletin for detailed information on Google patches.
Along with Google patches, Samsung Mobile provides 9 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.
SVE-2015-4018: Buffer overflow in datablock_write
Affected versions: KK(4.4) and above
Reported on: May 13, 2015
Disclosure status: This issue is publicly known.
A vulnerability writing received data without any inspection can lead to buffer overflow.
The supplied patch prevents a buffer overflow by checking if the size of source data is smaller than the destination buffer's.
SVE-2015-5068: Remove FRP Lock
Affected versions: Selected models including S6(TMO/SPR/USC only), Note5 and later which don't use Samsung FRP
Reported on: October 22, 2015
Disclosure status: This issue is publicly known.
A vulnerability allowing access to MyFiles before Setup-Wizard finishes makes it possible to bypass the FRP lock by installing a malicious application.
The fix blocks the practice of Factory Reset before finishing Setup-Wizard.
SVE-2015-5123: Samsung Galaxy Edge baseband process vulnerability
Affected versions: Selected models including Galaxy S6/S6 Edge, Galaxy S6 Edge+, and Galaxy Note5 with Shannon333 chipset
Reported on: November 12, 2015
Disclosure status: This issue is publicly known.
A vulnerability generating a stack overflow enables an attacker to run code remotely on vulnerable devices by pushing malicious code from a fake base station.
The supplied patch prevents a stack overflow problem.
In addition, the following CVEs are included as part of Samsung security patches:
CVE-2014-8173, CVE-2015-5697, CVE-2015-6252
※ Some of the CVE items in certain models were already included in previous maintenance release(s) such that they may not be included in this package.
¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.