An Israeli security research firm has come forward with a troubling discovery. A zero-day vulnerability in the Linux kernel has left “tens of millions” of Linux PCs and servers exposed, along with 66 percent of Android phones and tablets. And it’s been there for nearly three years.
In a blog post detailing the issue, Perception Point researchers say that problem stems from the Linux keyring facility, essentially a locker where apps can stash authentication and encryption keys, security data, and other sensitive info. The bug, outlined in more depth here but described as “fairly straightforward,” can ultimately allow an attacker to pose as a local user and gain root access to a device.
This is bad! Root access can allow an attacker to do everything from installing malicious programs to deleting files to reading sensitive information on the device. Gaining access is also a simple enough matter; an attacker could use a simple phishing link to infiltrate the device.
As far as Perception Point can tell, nobody so far. That’s some comfort, but maybe not much given the large number of potential targets.
“While neither us nor the Kernel security team have observed any exploit targeting this vulnerability in the wild,” says the Perception Point post, “we recommend that security teams examine potentially affected devices and implement patches as soon as possible.”
In addition to the “tens of millions” of Linux PCs and servers running Linux Kernel version 3.8 and higher, because Android shares some code with Linux, the vulnerability affects any Android device running version 4.4 or later. As of January 4, that adds up to 69.4 percent of all Android devices, even more than the researchers estimated. Basically, if you’ve bought or upgraded your Android device within the last two years or so, that device is vulnerable.
How Serious Is This?
That something this potentially devastating went unnoticed for years is absolutely serious, especially given that Perception Point was able to put together a proof of concept exploit. In terms of actual exposure, the answer is mixed.
Things are already looking up on the enterprise side. Red Hat and Ubuntu have released their updates already, so now it’s just up to admins to implement them.
Android’s a slightly tricker story. While Google recently kicked off a monthly security update program, the company hasn’t yet said if a fix for this particular bug will be included in February’s, if not sooner. Even if it is, the update will need to work its way through the labyrinthine processes of the various carriers and hardware manufacturers that customize the operating system to their own liking. In short, there’s no telling how long it might take for all Android devices to be in the clear, if ever.
The good news is that all you really need to do to protect yourself is avoid suspicious links that might give a malicious actor access to your device. And if and when that security update does come through, install it. ASAP.