PuntoCellulare.it

Samsung publishes the details of the March SMR update

7 March 2017 | Max Capitosti
As it does every month, Samsung has published the details of the security patches included in its Security Maintenance Release (SMR) software updates, which will reach customers' Android smartphones shortly.

For the month of March, the updates will fix as many as 73 security flaws and 12 vulnerabilities specific to Samsung smartphones. Once again the Korean company has not gone into the technical details of the bugs, so that malware developers cannot draw inspiration from them.

SMR-MAR-2017

Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin - March 2017 package.

The Bulletin (March 2017) contains the following CVE items:
CVE-2015-8816(C), CVE-2014-9781(H), CVE-2016-3843(C), CVE-2016-6674(H), CVE-2016-6675(H), CVE-2014-9675(H), CVE-2016-6728(C), CVE-2016-7910(C), CVE-2016-6757(M), CVE-2016-8406(M), CVE-2016-6690(L), CVE-2015-3288(C), CVE-2016-8422(C), CVE-2016-8423(C), CVE-2016-8415(H), CVE-2017-0404(H), CVE-2016-8452(H), CVE-2017-0399(M), CVE-2017-0400(M), CVE-2017-0402(M), CVE-2017-0395(M), CVE-2016-8418(C), CVE-2017-0437(H), CVE-2017-0438(H), CVE-2017-0439(H), CVE-2016-8419(H), CVE-2016-8420(H), CVE-2016-8421(H), CVE-2017-0440(H), CVE-2017-0441(H), CVE-2017-0442(H), CVE-2017-0443(H), CVE-2016-8476(H), CVE-2016-8414(M), CVE-2017-0451(M), CVE-2017-0423(M), CVE-2016-9806(C), CVE-2016-8655(H), CVE-2016-9793(H), CVE-2016-8416(M), CVE-2016-8477(M), CVE-2016-2182(C), CVE-2017-0466(C), CVE-2017-0467(C), CVE-2017-0468(C), CVE-2017-0469(C), CVE-2017-0470(C), CVE-2017-0471(C), CVE-2017-0472(C), CVE-2017-0473(C), CVE-2017-0474(C), CVE-2017-0475(C), CVE-2017-0478(H), CVE-2017-0479(H), CVE-2017-0480(H), CVE-2017-0481(H), CVE-2017-0482(H), CVE-2017-0483(H), CVE-2017-0484(H), CVE-2017-0485(H), CVE-2017-0486(H), CVE-2017-0487(H), CVE-2017-0488(H), CVE-2017-0390(H), CVE-2017-0392(H), CVE-2017-0489(M), CVE-2017-0490(M), CVE-2017-0491(M), CVE-2017-0495(M), CVE-2017-0496(M), CVE-2017-0497(M), CVE-2017-0498(M), and CVE-2017-0499(L).
* Severity : (C)-Critical, (H)-High, (M)-Moderate, (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.

Along with Google patches, Samsung Mobile provides 12 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.

SVE-2016-7797: Restricted account security flaw

Severity: Medium
Affected versions: L(5.0/5.1), M(6.0) all tablet devices
Reported on: December 4, 2016
Disclosure status: Privately disclosed.
A vulnerability allows an unauthorized user to create additional user accounts in tablets resulting in unauthorized access to user data in external storage.
The patch protects tablet devices by removing "add user" feature on lockscreen interface.

SVE-2016-7930: Multiple Buffer Overflow in Qualcomm Bootloader

Severity: Critical
Affected versions: Galaxy S5 with Qualcomm AP chipset
Reported on: December 20, 2016
Disclosure status: Privately disclosed.
A buffer overflow vulnerability exists in Qualcomm bootloader.
The patch prevents buffer overflow by removing the problematic source code.

SVE-2017-8114, SVE-2017-8116, and SVE-2017-8117: Crash on AudioService via unprotected intent

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.0)
Reported on: January 12, 2017
Disclosure status: Privately disclosed.
Lack of appropriate exception handling in some receivers of the AudioService application allows attackers to crash the system easily, resulting in a possible DoS attack.
The patch prevents system crashes by handling unexpected exceptions.

¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.

Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Costandinos "Dino" Tsagaratos : SVE-2016-7797
- Frédéric Basse : SVE-2016-7930
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2017-8114, SVE-2017-8116, SVE-2017-8117