Google insists Linux bug is not a major threat

by: John Dye, January 21, 2016


Earlier this week, news broke that an exploitable bug in the Linux kernel made vulnerable tens of millions of Linux machines and up to 66% of all Android devices. Some understandably-raised eyebrows rippled through the tech world, and comments and forums foamed with argument regarding how serious this threat really was. Now, Google has announced via a Google+ post that far fewer Android devices are affected by this issue than were previously reported.

In contrast to Perception Point’s report, Google claims that all Android 5.0 Lollipop devices, including the entire Nexus line, have an extra layer of security called SELinux that would render any exploits of this bug useless. What’s more, most devices running Android 4.4 and earlier use code older than Linux kernel 3.8, meaning they do not contain the bug. This makes the list of affected devices markedly slimmer than the previously reported 66%.


Nevertheless, Google has created a patch for the bug and is mandating that it be pushed out to all devices no later than March 1, 2016. The company also expressed some mild irritation that the Android Security Team was not informed of the bug prior to the information going public. Caught flat-footed, the team had to scramble to analyze how widely this bug really impacted the Android ecosystem while simultaneously creating solutions to be implemented on affected devices.

The general response to this proclamation is an outbreath of held-in air, but some commenters are still expressing concern. What are your thoughts regarding this Linux bug and the drama surrounding its announcement? Is Google downplaying the threat? Is Perception Point exaggerating the scale of this vulnerability? Let us know your thoughts in the comments below!


  • Luka Bulatović

    If SELinux is rendering the exploit useless then why the patch… I’m not sure this is so harmless as Google says. However I very much like that it is mandatory for OEMs to patch it by March and I’m more interested to hear more about that.

    • Hunter Miller

      I wish Google did this with every single Android update.

    • dubs

      They’re not requiring OEMs to update all their devices. They’re requiring the patch to be included in all future updates of OEM software effective March 1. So if you are at or near the end of your device’s upgrade life, it’s highly likely that you’ll never see this security patch.

      • Luka Bulatović

        “Google has created a patch for the bug and is mandating that it be pushed out to all devices no later than March 1, 2016” Well, it could be even before March. I’ve got a Galaxy S6 so patch will come… Eventually. Just as Marshmallow. And knowing Samsung probably on March 1…

    • D’ohrk!

      Best Practices.

    • John Doe

      It says Lollipop 5.0 (Only, as not including 5+ or 6+) and all Nexus phones, which is confusing ..
      So 5.1 and on are open to this hack even if you have a Nexus phone?

      Next, do all Android phones get the monthly security updates? or only phones
      with Lollipop and above?
      So far I have seen my Nexus 5 and GF’s BB Priv get their monthly updates through Telus ..

      • Luka Bulatović

        I believe it’s Lollipop 5.0+ (including Marshmallow). I have an S6 on 5.1.1 and its SE status is Enforcing. So it is present on devices with Android version higher than 5.0

        • John Doe

          S6 still on 5.1.1 …Hmmm

  • Vinicius Lima Silva

    SELinux can be set to enforced or permissive. Depending on what ROM you’re using, if it is set to permissive, it is a best practice to make a security patch to be sure that no harm will be caused

  • Durval Menezes

    I have worked with internet and *ix security in general, and Linux specially, since 1995 and I think it can be safely said that:

    1) For “normal” Linux users, this bug is not very exploitable: it requires the ability for the attacker to run arbitrary code as a non-root user on the attacked machine. This IMHO makes it a non-issue for even older, SELinux-less Android, at least for normal users who will run only apps which are java-like pcode (and on top of that, on phones whose CPUs would take many hours, and potentially days, to run this CPU-intensive exploit).

    2) On the other hand, this bug would be *very* exploitable on certain contexts, ie whenever remote/untrusted users can run arbitrary code on a machine. This is true for example on jail-like contexts, and on web hosting setups (think uploadable cgi scripts).

    Some further thoughts:

    a) Regardless of how exploitable this bug seems to be or not, it’s a shame that such a thing has been lurking in the Linux kernel for the best part of 4 years, and it shows how flawed the current Linux kernel development model is, ie, no longer having separate, minor-version-numbered “stable” and “development” branches as last seen on 2.5.x/2.6.x days. The current “free-for-all” model, where everything goes into a “current” version which could be later labeled as “longterm”, can be convenient and labor-saving for kernel yahoos^H^H^H^H^H^Hdevelopers, but has produced a number of monstrosities besides this one (the data-eating ext4 bug of a few years ago comes to mind, but there are many other examples).

    b) This also goes on to support my long held opinion that the latest “reliable/stable” Linux kernel version was 2.6.32.x; I plan to keep on running it on all my production-level machines (including my work laptop) at least until RH phases out EL6.

    c) When that day comes, due to these kernel shenanigans and some other “stuff” happening in systemlike-but-not-kernel-land (eg, systemd and the whole Wayland/Mir and Unity/GNOME3/KDE4 brouhahas), I plan to have long switched back to a BSD-derived system (probably FreeBSD if it hasn’t gone the same way by then, or NetBSD if it has). There’s no point to keep using a system which prizes showy stuff more than security, reliability and overall good engineering, which is less and less the case with Linux.