Samsung announces the October security update
2 October 2018 | Max Capitosti
Samsung has published the details of its Security Maintenance Release (SMR) for October, which the company intends to begin rolling out over the coming days to its Android-based smartphones.
Samsung's October security patches fix 11 vulnerabilities discovered in recent weeks. The first smartphones to receive the security updates will be the flagship Galaxy S9, Galaxy S9+ and Galaxy Note 9, followed over the course of the month by other recently released Samsung smartphones.
SMR-OCT-2018
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
Google patches include patches up to Android Security Bulletin - Oct 2018 package. The Bulletin (Oct 2018) contains the following CVE items:
Critical
CVE-2016-10394, CVE-2018-11950, CVE-2018-5866, CVE-2018-11824, CVE-2018-9490, CVE-2018-9473, CVE-2018-9496, CVE-2018-9497, CVE-2018-9498, CVE-2017-13283, CVE-2018-9476, CVE-2018-9504
High
CVE-2017-5754, CVE-2018-11816, CVE-2018-11898, CVE-2018-11842, CVE-2018-11836, CVE-2018-11261, CVE-2016-10408, CVE-2017-18313, CVE-2017-18312, CVE-2017-18124, CVE-2018-3588, CVE-2018-11951, CVE-2018-11952, CVE-2018-5871, CVE-2018-5914, CVE-2018-11288, CVE-2018-11292, CVE-2018-11846, CVE-2018-9491, CVE-2018-9492, CVE-2018-9493, CVE-2018-9499, CVE-2018-9501, CVE-2018-9502, CVE-2018-9503, CVE-2018-9505, CVE-2018-9506, CVE-2018-9507, CVE-2018-9508, CVE-2018-9509, CVE-2018-9510, CVE-2018-9511
Moderate
CVE-2018-5832, CVE-2018-11270, CVE-2018-9452, CVE-2018-5390, CVE-2018-5391
Low
None
NSI
None
Already included in previous updates
CVE-2018-9384, CVE-2017-18314, CVE-2017-18311, CVE-2018-11290, CVE-2018-11287, CVE-2018-11855
Not applicable to Samsung devices
CVE-2017-15825, CVE-2018-11285, CVE-2018-11857, CVE-2018-11858, CVE-2018-11866, CVE-2018-11865
※ Please see Android Security Bulletin for detailed information on Google patches.
Along with Google patches, Samsung Mobile provides 11 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer's confidence on security of Samsung Mobile devices. Samsung security index (SSI), found in 'Security software version', SMR Oct-2018 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.
SVE-2018-12852: Buffer overflow in the Trustlet
Severity: Critical
Affected Versions: N(7.x), O(8.X) devices with Exynos chipsets
Reported on: August 15, 2018
Disclosure status: Privately disclosed.
A buffer overflow vulnerability in esecomm trustlet allows an attacker to perform arbitrary code execution.
The patch adds proper validation of buffer length to prevent buffer overflow.
SVE-2018-12853: Invalid free in the Trustlet
Severity: Critical
Affected Versions: N(7.x), O(8.x) devices with Exynos chipsets
Reported on: August 15, 2018
Disclosure status: Privately disclosed.
An invalid free vulnerability in fingerprint trustlet allows an attacker to perform arbitrary code execution.
The patches deallocate the right pointer to prevent invalid free.
SVE-2018-12855: Incorrect usage of shared memory in the Trustlet
Severity: Critical
Affected Versions: N(7.x), O(8.X) devices with Exynos chipsets
Reported on: August 15, 2018
Disclosure status: Privately disclosed.
A vulnerability in vaultkeeper trustlet leaks shared memory address allowing an attacker to perform arbitrary code execution.
The patch adds proper validation of shared memory address.
SVE-2018-12881: Arbitrary memory write with the Trustlet
Severity: Critical
Affected Versions: N(7.x), O(8.X) devices with Exynos chipsets
Reported on: August 20, 2018
Disclosure status: This issue is publicly known.
A vulnerability in access control of secure driver allows arbitrary memory write in trustlets.
The patch restricts access control of memory access via secure APIs.
SVE-2018-12684: Clipboard access in lockscreen
Severity: Moderate
Affected Versions: N(7.x), O(8.x), P(9.0)
Reported on: July 26, 2018
Disclosure status: Privately disclosed.
The clipboard content can be leaked without authorization when using physical keyboard.
The patch adds protection to hide clipboard contents immediately when device is locked.
Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.
Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.
- Eloi Sanfelix: SVE-2018-12852, SVE-2018-12853, SVE-2018-12855, SVE-2018-12881
- Andr. Heß: SVE-2018-12684