PuntoCellulare.it

Here is what's new in the September update for Samsung smartphones

5 September 2018 | Max Capitosti

As at the start of every month, Samsung has published the list of vulnerabilities fixed by the latest Security Maintenance Release (SMR) update for its most recent smartphones.

For September 2018, the update fixes 18 vulnerabilities, one of which is rated critical. Rollout of the September SMR update will begin in the coming days, most likely starting with the flagship Galaxy S9, Galaxy S9+ and Galaxy Note 9.

SMR-SEP-2018
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin - Sep 2018 package. The Bulletin (Sep 2018) contains the following CVE items:

Critical
CVE-2017-18310, CVE-2017-18305, CVE-2017-18296, CVE-2017-15817, CVE-2018-9475, CVE-2018-9478, CVE-2018-9479, CVE-2018-9411, CVE-2018-9427

High
CVE-2018-11258, CVE-2018-9465, CVE-2018-11260, CVE-2017-18308, CVE-2017-18301, CVE-2017-18302, CVE-2017-18300, CVE-2017-18304, CVE-2017-18298, CVE-2017-18297, CVE-2017-18293, CVE-2017-18295, CVE-2017-18303, CVE-2017-18299, CVE-2017-18282, CVE-2017-18280, CVE-2018-5383, CVE-2018-9466, CVE-2018-9467, CVE-2018-9468, CVE-2018-9469, CVE-2018-9470, CVE-2018-9471, CVE-2018-9472, CVE-2018-9474, CVE-2018-9440, CVE-2018-9456, CVE-2018-9477, CVE-2018-9480, CVE-2018-9481, CVE-2018-9482, CVE-2018-9483, CVE-2018-9484, CVE-2018-9485, CVE-2018-9486, CVE-2018-9487

Moderate
CVE-2017-15814, CVE-2017-15851, CVE-2017-8261, CVE-2017-9711, CVE-2018-3587, CVE-2017-18307, CVE-2017-18306, CVE-2018-1068, CVE-2018-9439, CVE-2018-5904, CVE-2018-5905, CVE-2018-5909, CVE-2018-5903, CVE-2018-5910, CVE-2018-11263, CVE-2018-5908, CVE-2017-13322, CVE-2017-13295, CVE-2018-9488

Low
None

NSI
None

Already included in previous updates
CVE-2017-18309, CVE-2017-18294, CVE-2017-18292, CVE-2017-18281, CVE-2017-13077

Not applicable to Samsung devices
CVE-2018-9406, CVE-2018-11305, CVE-2017-18283, CVE-2017-18249, CVE-2018-9464, CVE-2018-9463, CVE-2018-9462

※ Please see Android Security Bulletin for detailed information on Google patches.

Along with Google patches, Samsung Mobile provides 18 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Samsung security index (SSI), found in 'Security software version', SMR Sep-2018 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.

SVE-2017-11857: Buffer overflow vulnerability in ecryptfs

Severity: Low
Affected versions: M(6.0) N(7.x) O(8.x) except exynos9610/9820 in all Platforms, M(6.0) except MSM8909 SC77xx/9830 exynos3470/5420, N(7.0) except MSM8939, N(7.1) except MSM8996 SDM6xx/M6737T
Reported on: Sep 11, 2017
Disclosure status: Privately disclosed.
The vulnerability allows an attacker to cause an integer underflow.
The patch inserts logic to check the size of the variable to prevent integer underflow.

SVE-2018-11806: Clipboard contents visible when device is locked

Severity: Moderate
Affected versions: N(7.x) O(8.X)
Reported on: April 30, 2018
Disclosure status: Privately disclosed.
Clipboard was not disabled for emergency contact picker while the device is locked.
The patch disabled the clipboard for emergency contact picker while the phone is locked.

SVE-2018-11989, SVE-2018-11990: Keyboard learned words leak when device is locked

Severity: Moderate
Affected versions: N(7.x) O(8.x)
Reported on: May 17, 2018
Disclosure status: Privately disclosed.
Prediction clipboard was not disabled for emergency contact picker while the device is locked.
The patch disabled the prediction clipboard for emergency contact picker while the phone is locked.

SVE-2018-11940: Rooting of device with custom image

Severity: High
Affected versions: N(7.0) devices with Qualcomm models using MSM8996 chipset
Reported on: May 12, 2017
Disclosure status: Privately disclosed.
The vulnerability allows an attacker to use a specially modified image to run scripts in INIT context.
The patch deleted all unnecessary execution commands in INIT.

SVE-2018-12053: QuickTools vulnerability

Severity: Moderate
Affected versions: O(8.x) S9 series, S8 series, S7 series, S6 series, Note FE, Note 8, Note 5
Reported on: May 25, 2018
Disclosure status: Privately disclosed.
The vulnerability allows location permission to bypass lockscreen when using the compass function in QuickTools.
The patch checks the lock state and allows permission.

SVE-2018-12458: Smartwatch Displaying Secure Folder Notification Contents

Severity: High
Affected versions: O(8.x)
Reported on: July 09, 2018
Disclosure status: Privately disclosed.
The vulnerability allows hidden content notifications of Secure Folder to be displayed in smartwatch.
The patch blocks notifications to smartwatches coming from Secure Folder.

SVE-2018-12757: Stack buffer overflow in Shannon Baseband

Severity: Critical
Affected versions: N(7.x) O(8.x) P(9.0) devices with Exynos chipset
Reported on: July 05, 2018
Disclosure status: Privately disclosed.
Stack buffer overflow vulnerability in Shannon Baseband components.
The applied patch adds check of length range to prevent buffer overflow.
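
Both SVE-2017-11857 (a size check to prevent integer underflow) and SVE-2018-12757 (a length range check to prevent buffer overflow) describe the same class of fix. The following is an added illustration of that pattern, not code from Samsung, ecryptfs or the Shannon baseband; the record layout, `HDR_LEN`, `OUT_MAX` and both function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 8u   /* constructed record format: 8-byte header, then payload */
#define OUT_MAX 64u  /* size of the caller's fixed destination buffer */

/* Unchecked length arithmetic: when total_len < HDR_LEN the unsigned
 * subtraction wraps to a huge value instead of going negative. Used as
 * a copy length, that wrapped value is what turns an integer underflow
 * into a buffer overflow. */
size_t payload_len_unchecked(size_t total_len)
{
    return total_len - HDR_LEN;
}

/* Hardened form: validate the size before subtracting (no underflow),
 * then range-check the result against the destination (no overflow).
 * Returns 0 and sets *out_len on success, -1 when the record is rejected. */
int copy_payload_checked(const uint8_t *rec, size_t total_len,
                         uint8_t out[OUT_MAX], size_t *out_len)
{
    if (rec == NULL || out == NULL || out_len == NULL)
        return -1;
    if (total_len < HDR_LEN)       /* size check: prevents the underflow */
        return -1;
    size_t n = total_len - HDR_LEN;
    if (n > OUT_MAX)               /* range check: prevents the overflow */
        return -1;
    memcpy(out, rec + HDR_LEN, n);
    *out_len = n;
    return 0;
}

int main(void)
{
    uint8_t rec[80] = {0};         /* constructed sample record */
    uint8_t out[OUT_MAX];
    size_t n = 0;

    printf("unchecked length for a 4-byte record: %zu\n",
           payload_len_unchecked(4));
    printf("checked, 4-byte record:  %d\n", copy_payload_checked(rec, 4, out, &n));
    printf("checked, 80-byte record: %d\n", copy_payload_checked(rec, 80, out, &n));
    printf("checked, 40-byte record: %d\n", copy_payload_checked(rec, 40, out, &n));
    return 0;
}
```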

SVE-2018-12761: Cache-attacks on AES-GCM implementation

Severity: Moderate
Affected versions: N(7.0) devices with Exynos exynos7420 chipset and O(8.0) devices with Exynos 8890/8996 chipset
Reported on: June 25, 2018
Disclosure status: Privately disclosed.
In Keymaster, AES implementations based on T-Tables are vulnerable and slow in comparison to CE(Cryptography Extension) instruction.
Keymaster is updated to use AES implementations based on CE(Cryptography Extension) instead of T-Tables, to enhance security and performance.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.

Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Frèdèric Basse : SVE-2017-11857
- Andr Ess : SVE-2018-11806
- Bogdan : SVE-2018-11989, SVE-2018-11990, SVE-2018-12053
- Thomas Huntington : SVE-2018-11940
- Ovidiu Sirb : SVE-2018-12458
- Ben Lapid and Avishai Wool : SVE-2018-12761