Earlier this month, a small cybersecurity company made big news after it publicly disclosed a zero-day bug in the Linux kernel.
The kernel is the heart of the operating system, so kernel bugs of this sort often allow regular programs – applications that are supposed to have their power restricted by the kernel – to “promote” themselves to perform usually-prohibited tasks, such as reading private data or modifying other software illegally.
This sort of attack is known as an EoP, short for elevation of privilege.
The company that discovered the bug, an Israeli start-up called Perception Point, said the buggy code is in Linux 3.8 and potentially affects “millions” of Linux computers and servers and “66% of Android devices.”
Fortunately, the extent of the threat to Android users may have been overstated, as Android’s security chief Adrian Ludwig disputed Perception Points’s claims in a post on Google Plus.
Ludwig says the number of Androids affected is “significantly smaller than initially reported.”
Many devices running Android 4.4 KitKat and below are not affected because the version of Linux with the buggy code (Linux 3.8) is “not common” on older devices, Ludwig said.
And even though Android devices with Android 5.0 and above do have the vulnerable code, Ludwig claims they are protected because Security-Enhanced Linux (SELinux) on those Android versions “prevents third-party applications from reaching the affected code.”
Regardless, Perception Point is standing by its claims.
The company said that it has been working on an exploit to get around SELinux, which it may publish in upcoming blog posts, and “anyway the most important thing for now is to patch it as soon as you can.”
Patching may well be a problem for the vast majority of Android users.
Ludwig said Google has released a security patch to open source and partners, but the fix will not be issued until March updates.
Google Nexus devices will get the update automatically over the air, but users of non-Google devices will have to wait for vendors and carriers to issue the patch.
That means the vast majority of Android devices could remain unsecured for a long time.