Various Samsung devices to get January security update

January 26, 2016

Samsung has announced that its monthly Security Maintenance Release (SMR) update for January is now available. Because of the number of vulnerabilities exposed last year in Android devices generally (and some in Samsung devices only), the Korean gadget manufacturer has made its commitment to security clear by issuing monthly SMR updates since October last year. It looks like this will continue, as Samsung announced that the January SMR is rolling out to devices starting today.

The announcement was not clear on which devices will be getting the SMR update for the month. From experience, all of the flagship devices usually get the update, plus a range of its midrange and older devices as well. If your device is one of these – the Samsung Galaxy S5, Galaxy S6, Galaxy S6 edge, Galaxy S6 edge+, Galaxy Note 4, Galaxy Note Edge, Galaxy Note 5, Galaxy Tab S, and the Galaxy Tab S2 – you can rest assured that you’ll most likely be getting the update.

To be clear, this is separate from the monthly security update that Google releases for Android as well. The update, per the announcement, deals with the following issues:

SVE-2015-4958: msm_sensor_config security issues
Severity: Medium
Affected versions: KK(4.4) and L with APQ8084, MSM8974, and MSM8974pro chipset
Reported on: September 25, 2015
Disclosure status: This issue is publicly known.
Using buffers without checking their boundaries can lead to memory corruption.
The applied patch avoids an illegal access to memory by checking the boundary.

SVE-2015-5081: Exposed provider and SQLi in SecEmailSync
Severity: High
Affected versions: L(5.0/5.1)
Reported on: October 10, 2015
Disclosure status: This issue is publicly known.
The combination of allowing unprivileged local applications to access some providers and having an SQL injection (SQLi) vulnerability can enable any application to access all messages from ‘SecEmail’.
The supplied patch prevents SQLi vulnerability by changing query code and unprivileged access by restricting the permission.

SVE-2015-5109: Samsung Galaxy S6: android.media.process Face Recognition Memory Corruption (MdConvertLine)
Severity: Critical
Affected versions: KK(4.2/4.3/4.4), L(5.0/5.1)
Reported on: October 7, 2015
Disclosure status: This issue is publicly known.
When a malformed BMP image is scanned by a facial recognition library, it can trigger arbitrary code execution by overwriting the return address from a stack or a register.
The newly released ‘libfacerecognition’ library includes a defense code for prevention of memory corruption.

SVE-2015-5110: Samsung Galaxy S6: libQjpeg je_free Crash
Severity: Critical
Affected versions: L(5.0/5.1)
Reported on: November 7, 2015
Disclosure status: This issue is publicly known.
A malformed JPEG file can cause memory corruption due to a flaw in ‘libQjpeg.so’, and this could be used to exploit the vulnerability.
The newly released ‘libQjpeg’ library includes a defense code for prevention of memory corruption.

SVE-2015-5131: FRP/RL Bypass issue by hacking tools
Severity: Critical
Affected versions: All devices supporting FRP/RL
Reported on: November 11, 2015
Disclosure status: This issue is publicly known.
A vulnerability from download mode can reset FRP/RL partition by using ‘Odin’ protocol.
The applied patch is concerned with bootloader which is a confidential part even inside of Samsung.

SVE-2015-5133: IAndroidShm IAPAService service DoS
Severity: Low
Affected versions: KK(4.4), L(5.0/5.1)
Reported on: October 30, 2015
Disclosure status: This issue is publicly known.
A vulnerability without proper exception handling in system services can lead to crash by calling malicious service commands.
The applied patch prevents crash by checking the condition of service commands.

We recommend that you guys just wait for the update notification to arrive. You can also try to force this by tapping on the “System Updates” section in your phone settings, but why rush? It will most likely get to you at some point in time during the month anyways.

VIA: SlashGear

