Overlooked Linux Bug Puts 'Tens Of Millions' Of Computers And Phones At Risk

A bug that has been present in the Linux kernel for almost three years can be used by attackers to gain near-total control over a device, say security researchers. Perception Point, which found it, estimates that it could affect tens of millions of PCs and servers, as well as 66 per cent of all Android phones and tablets. The newly disclosed bug, snappily known as CVE-2016-0728, sits in the kernel's keyring facility (the key retention service), which holds things like authentication tokens and encryption keys in kernel memory so that they can't be read or reused by any old app. The team at Perception Point identified a reference-counting bug in that facility and built a proof-of-concept attack around it: a keyring object that is still in use can be freed out from under the kernel, and the freed memory can then be refilled with attacker-controlled content, including pointers that steer the kernel into running the attacker's code.

That code then runs with kernel privileges. The kernel is the core of the OS, the part that mediates every application's access to the CPU, memory, storage and devices, so code running inside it is subject to none of the usual permission checks. One caveat worth stating plainly: this is a local privilege escalation, not a remote exploit. The attacker first has to run code on the machine as an ordinary user or app, and then has to make roughly 2^32 keyring calls to overflow the 32-bit reference counter, which the researchers put at around half an hour of CPU time on a modern laptop. Once that is done, the payoff is root on a server, full control of the OS on an Android phone, or a foothold in hardware that runs an embedded version of Linux, like a router.
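To make the mechanism concrete, here is an added example written for this article; it is neither Perception Point's proof of concept nor the kernel's source. It is a user-space model in C of the buggy function, join_session_keyring(): the kernel version took a reference on the keyring it looked up and, when the process already had that keyring as its session keyring, returned early without dropping it. The model narrows the reference counter from the kernel's 32-bit atomic to 8 bits so that the wrap can be reached in 255 calls instead of about four billion; the function names mirror the kernel's, and the "_ses" keyring and the cred structure are illustrative stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the reference-count leak behind CVE-2016-0728, written for
 * this article; it is not the kernel's code. Names mirror the kernel's, but
 * the counter is narrowed from a 32-bit atomic to 8 bits so the wraparound
 * is reachable in 255 calls rather than about four billion. */
typedef uint8_t refcount_t;

struct key {
    char name[16];
    refcount_t usage;   /* live references to this object */
    bool freed;         /* set when the collector would have freed it */
};

struct cred {
    struct key *session_keyring;   /* the process's session keyring */
};

static struct key named_keyring;   /* stands in for the keyring registry */

static struct key *key_get(struct key *k) { k->usage++; return k; }

/* atomic_dec_and_test() semantics: the object is freed on the 1 -> 0 step. */
static void key_put(struct key *k)
{
    if (--k->usage == 0)
        k->freed = true;
}

/* Returns a new reference that the caller owns and must key_put(). */
static struct key *find_keyring_by_name(const char *name)
{
    if (strcmp(named_keyring.name, name) != 0)
        return NULL;
    return key_get(&named_keyring);
}

/* Vulnerable shape: when the process already has this keyring as its
 * session keyring, return early without dropping the reference just taken,
 * so usage creeps up by one on every call. */
static int join_session_keyring_leaky(struct cred *cred, const char *name)
{
    struct key *keyring = find_keyring_by_name(name);
    if (!keyring)
        return -1;
    if (keyring == cred->session_keyring)
        return 0;       /* BUG: missing key_put(keyring) */
    key_put(keyring);   /* installing a different keyring is out of scope */
    return 0;
}

/* Fixed shape: the same early return, with the reference dropped first. */
static int join_session_keyring_fixed(struct cred *cred, const char *name)
{
    struct key *keyring = find_keyring_by_name(name);
    if (!keyring)
        return -1;
    if (keyring == cred->session_keyring) {
        key_put(keyring);   /* the fix */
        return 0;
    }
    key_put(keyring);
    return 0;
}

/* Start from a fresh keyring named "_ses" held by the cred (usage = 1),
 * do `leaks` buggy joins followed by `clean` correct ones, and return the
 * final usage count. If freed_out is non-NULL it reports whether the object
 * was freed while the cred still points at it: a use-after-free condition. */
static unsigned run_joins(unsigned leaks, unsigned clean, bool *freed_out)
{
    struct cred cred;
    memset(&named_keyring, 0, sizeof named_keyring);
    strcpy(named_keyring.name, "_ses");
    named_keyring.usage = 1;
    cred.session_keyring = &named_keyring;

    for (unsigned i = 0; i < leaks; i++)
        join_session_keyring_leaky(&cred, "_ses");
    for (unsigned i = 0; i < clean; i++)
        join_session_keyring_fixed(&cred, "_ses");

    if (freed_out)
        *freed_out = cred.session_keyring->freed;
    return cred.session_keyring->usage;
}

/* Convenience: did the sequence leave the live keyring freed? */
static bool uaf_after(unsigned leaks, unsigned clean)
{
    bool freed;
    run_joins(leaks, clean, &freed);
    return freed;
}

int main(void)
{
    printf("255 leaky joins: usage=%u uaf=%d\n",
           run_joins(255, 0, NULL), uaf_after(255, 0));
    printf("one clean join after the wrap: usage=%u uaf=%d\n",
           run_joins(255, 1, NULL), uaf_after(255, 1));
    printf("1000 joins on fixed code: usage=%u uaf=%d\n",
           run_joins(0, 1000, NULL), uaf_after(0, 1000));
    return 0;
}
```

Build and run with `cc -std=c99 -Wall model.c && ./a.out`. The leaky version leaves the counter at zero after 255 calls without freeing anything; the very next correct get/put pair then drops the count from one to zero and frees the object while the process's credentials still point at it. On a real kernel the freed slot is reused by whatever object is allocated next, and choosing that object is the step an attacker controls. The fixed version keeps usage pinned at 1 however many times it is called.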

The bug was introduced in Linux kernel version 3.8, released in early 2013, and is present in every kernel from 3.8 onwards until the fix (the commit titled "KEYS: Fix keyring ref leak in join_session_keyring()", carried in the 4.4.1 stable release and backported to older stable series) is applied, so it also affects any Android device running KitKat or later on a 3.8-or-newer kernel. Perception Point notes that it has not observed "any exploit targeting this vulnerability in the wild," but it does "recommend that security teams examine potentially affected devices and implement patches as soon as possible."

Ars Technica notes that major Linux distributions are expected to receive a fix this week, but it may take far longer for your Android handset to get an update. As ever, be vigilant.

Canonical has already rolled out an update for Ubuntu OSes.

[Perception Point via Ars Technica]

Image by Mike Holloway


Comments

    I would suggest that for most Android handsets the Sun will go into its red giant phase before they ever get an update. Enjoy your never-to-be-updated, high-security-risk phones, Android-philes.

      So a bug that hasn't been seen to have been exploited in over 3 years vs Apple's Gatekeeper that is being actively exploited and has not been fixed in over 6 months?

    Interesting... not a peep from the Android crowd? Usually pretty quick to voice the superiority of it when there is an issue with iOS...

      Maybe because it's a bug with Linux in general, not just Android?

      Plus they probably have better things to do rather than try to stir up flame wars.

    Devices with Android version 5.0 and above are protected because their policy prevents third-party applications from reaching the affected code.
