But there are some differences in the evaluation of the vulnerability which was announced a few days back by the Israel-based firm Perception Point.
The firm said the flaw would affect all versions of the kernel from 3.8 onwards; it allowed escalation of local privileges to root. It was said to be due to a flaw in the keyring facility which encrypts and retains information, encryption keys and certificates and provides them to applications.
Perception Point claimed all platforms, including ARM, are vulnerable, thus differentiating the flaw from many others which only affect the x86 and AMD platforms. This effectively meant all Android devices with 3.8 kernels and above were affected and could potentially be exploited by means of a malicious mobile app.
In his announcement, Ludwig said the patch released by Google would be required on all devices which had a security patch level of March 1, 2016. When an Android device is manufactured, information is provided about the date to which it is patched, and this is what the security patch level refers to.
"We believe that no Nexus devices are vulnerable to exploitation by 3rd party applications," he wrote.
"Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd party applications from reaching the affected code."
This contradicts the advisory put out by Red Hat when it released its own patch for the flaw, saying that use of SELinux did not mitigate the issue. The other big Linux company, SUSE, has released its own patch.
Ludwig added: "Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in linux kernel 3.8, as those newer kernel versions (are) not common on older Android devices."
Release of the patch does not mean that it will be available to users any time soon, as each device is patched only by its vendor.