
Samsung appears to be sticking to the commitment it made in August 2015, when it vowed to distribute monthly security updates to its flagship smartphones to prevent them from being open to major intrusions like the Stagefright vulnerability, which infected over 20,000 devices last year, or the Heartbleed loophole that shook the Android ecosystem back in 2014. The South Korean company has started pushing out Google’s latest security patch for the Galaxy S6 trio and the Galaxy Note 5.
This latest upgrade fixes a multitude of issues, including a handful of “critical” bugs, which could have resulted in devices being remotely accessed if not dealt with correctly. Some patches have purposely been left anonymous, presumably for security reasons, because if they were highlighted, hackers would have had the means to execute a system-wide attack prior to the upgrade being completed.
The changelog can be seen below:
Severity: Medium
Affected versions: KK(4.4) and L with APQ8084, MSM8974, and MSM8974pro chipset
Reported on: September 25, 2015
Disclosure status: This issue is publicly known.
A vulnerability using without checking the boundary of buffers can lead to memory corruption.
The applied patch avoids an illegal access to memory by checking the boundary.

Severity: High
Affected versions: L(5.0/5.1)
Reported on: October 10, 2015
Disclosure status: This issue is publicly known.
The combination of allowing unprivileged local applications to access some providers and having SQL injection (SQLi) vulnerability can enable any application to access all messages from ‘SecEmail’.
The supplied patch prevents SQLi vulnerability by changing query code and unprivileged access by restricting the permission.

Severity: Critical
Affected versions: KK(4.2/4.3/4.4), L(5.0/5.1)
Reported on: October 7, 2015
Disclosure status: This issue is publicly known.
When a malformed BMP image is scanned by a facial recognition library, it can trigger an arbitrary code execution as overwriting the return address from a stack or a register.
The newly released ‘libfacerecognition’ library includes a defense code for prevention of memory corruption.

Severity: Critical
Affected versions: L(5.0/5.1)
Reported on: November 7, 2015
Disclosure status: This issue is publicly known.
A malformed JPEG file can make memory corruption due to a flaw in ‘libQjpeg.so’ and it is possible to be used to exploit vulnerability.
The newly released ‘libQjpeg’ library includes a defense code for prevention of memory corruption.

Severity: Critical
Affected versions: All devices supporting FRP/RL
Reported on: November 11, 2015
Disclosure status: This issue is publicly known.
A vulnerability from download mode can reset FRP/RL partition by using ‘Odin’ protocol.
The applied patch is concerned with bootloader which is a confidential part even inside of Samsung.

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1)
Reported on: October 30, 2015
Disclosure status: This issue is publicly known.
A vulnerability without proper exception handling in system services can lead to crash by calling malicious service commands.
The applied patch prevents crash by checking the condition of service commands.

As is the norm, this update is being distributed in stages. To see if it’s ready for your device, head into Settings, scroll to the bottom and tap on “About Device”, hit “System Updates”, then select “Check for updates”. Alternatively, you can wait until you receive a push notification prompting you to install the update.
Source: Samsung