
Samsung Patching Security Hole Found in Exynos SoCs

Source: AndroidCentral | 8 comments

A software fix should be available soon, Samsung said.

AndroidCentral reports that Samsung is currently working on a quick software fix that will patch a security hole recently discovered in the company's in-house Exynos 4210 and 4412 SoCs.

During this past weekend, an exploit was discovered in the two Exynos 4 chips that could give a malicious app complete control over the affected device's RAM. In turn, this would allow hackers to root the device and leave it wide open for additional malicious apps and activities.

"The security hole is in kernel, exactly with the device /dev/exynos-mem," reads a post over on the XDA Developers forum. "This device is R/W by all users and gives access to all physical memory. It's like /dev/mem but for all."

Devices that use Samsung's Exynos 4210 and 4412 SoCs include select Galaxy S 2 models, the Galaxy Note, the Galaxy Note 2, and the Galaxy Tab 2 tablet. As of this writing, Samsung has yet to issue a fix, but the CyanogenMod team has developed a patch and thrown it into its CyanogenMod 10.1 nightlies release -- support for CM10 and CM9 is coming soon.
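
A defender's check for the condition the XDA post describes, as an added example that is not from the article, Samsung or CyanogenMod: it flags memory-exposing device nodes whose permissions grant access to "other" users. Only /dev/exynos-mem comes from the article; the rest of the node list, the function names and the reliance on `stat -c` (GNU coreutils or toybox) are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit memory-exposing device nodes
# for access granted to "other" users.
# Assumption: stat supports -c (GNU coreutils, toybox). Only /dev/exynos-mem
# comes from the article; /dev/mem and /dev/kmem are added for comparison.
MEM_NODES="/dev/exynos-mem /dev/mem /dev/kmem"

# world_access MODE: print what the last octal digit grants to "other".
world_access() {
    last=${1#"${1%?}"}          # final character of e.g. 666 or 0660
    case "$last" in
        6|7) echo rw ;;
        4|5) echo r ;;
        2|3) echo w ;;
        *)   ;;                 # 0 or 1: no read/write for "other"
    esac
}

# audit_node PATH: return 1 if PATH exists and "other" can read or write it.
audit_node() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "absent  $path"
        return 0
    fi
    mode=$(stat -c %a "$path")
    owner=$(stat -c %U:%G "$path")
    acc=$(world_access "$mode")
    if [ -n "$acc" ]; then
        echo "FAIL    $path mode=$mode owner=$owner other=$acc"
        return 1
    fi
    echo "ok      $path mode=$mode owner=$owner"
}

# audit_all PATH...: audit every node, succeed only if none failed.
audit_all() {
    failures=0
    for node in "$@"; do
        audit_node "$node" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Default to the built-in list unless paths are given on the command line.
[ "$#" -gt 0 ] || set -- $MEM_NODES
audit_all "$@" || echo "memory device accessible to all users" >&2
```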

"As of this morning, the patches for Exynos 4412 and 4210 have been merged into our 10.1 source," the CyanogenMod team said on Google+. "10.1 nightlies from this evening forward are not affected. We will also be working on adapting the patch to our jellybean and ics branches where necessary."

Meanwhile, here is Samsung's official statement about the Exynos bug:

Samsung is aware of the potential security issue related to the Exynos processor and plans to provide a software update to address it as quickly as possible.

The issue may arise only when a malicious application is operated on the affected devices; however, this does not affect most devices operating credible and authenticated applications.

Samsung will continue to closely monitor the situation until the software fix has been made available to all affected mobile devices.

 


8 Comments
  • -4
    house70 , December 20, 2012 10:50 AM
    CM team 1 - Samsung team 0
    CM team unpaid - Samsung team paid

    WTF?
  • 7
    azraa , December 20, 2012 10:58 AM
    So what?
    It's still better to have it open source, so people can read every last instruction. With other systems we never hear of bugs because probably those are all covered up.

    Good to hear they found that mistake, this kind of stuff keeps engineers up to date and more aware at their tasks.
  • 7
    InvalidError , December 20, 2012 11:35 AM
    Computer-illiterate technology journalists/sensationalists mis-attributing a software design flaw to hardware...

    I hate when journalists write about something they clearly have no clue about just for the headline.
  • -4
    rantoc , December 20, 2012 12:13 PM
    azraa: So what? It's still better to have it open source, so people can read every last instruction.

    It's both ways - A skilled hacker (not speaking script kiddies here) could with less effort find weaknesses in the open source's code than closed source that requires some additional steps to identify the weaknesses - The same goes the other way. If it's open source there are more eyes on the code and thus also more likely to find the weak spots and plug them...

    So yeah it's both ways when speaking about security!
  • 0
    A Bad Day , December 20, 2012 12:40 PM
    azraa: So what? It's still better to have it open source, so people can read every last instruction. With other systems we never hear of bugs because probably those are all covered up. Good to hear they found that mistake, this kind of stuff keeps engineers up to date and more aware at their tasks.

    For example, Citi Bank had a major URL flaw where hackers could simply replace some numbers in the URL and log into random accounts. They then built an automated number generator/enterer to break into hundreds of thousands of accounts.

    The website designer stated that security and features are incompatible.

    But no one in the public knew about the flaw, because the bank never revealed it for obvious reasons.
  • 0
    house70 , December 20, 2012 1:01 PM
    rantoc: It's both ways - A skilled hacker (not speaking script kiddies here) could with less effort find weaknesses in the open source's code than closed source that requires some additional steps to identify the weaknesses - The same goes the other way. If it's open source there are more eyes on the code and thus also more likely to find the weak spots and plug them... So yeah it's both ways when speaking about security!

    It is both ways, but not equally so - an open-source Linux distro is considered far more secure than other OSes. Even the fact that the CM devs were able to plug the hole faster than Samsung itself speaks for the advantage of open-source.
    My first comment was directed at Samsung - looks like they need new blood in their software division.
  • 1
    dark_knight33 , December 20, 2012 1:14 PM
    A Bad Day: For example, Citi Bank had a major URL flaw where hackers could simply replace some numbers in the URL and log into random accounts. They then built an automated number generator/enterer to break into hundreds of thousands of accounts. The website designer stated that security and features are incompatible. But no one in the public knew about the flaw, because the bank never revealed it for obvious reasons.

    That's still highly irresponsible. With all of the website hacking going on, a flaw like that could expose millions of people to theft and fraud. Something Citi would eventually be found negligent for. OTH, if Citi had used OSS, a hole of that magnitude would likely have been found and fixed before the code ever went live. OSS will always be more secure, and fixed faster than closed source.
  • 1
    mouse24 , December 20, 2012 2:10 PM
    A Bad Day: For example, Citi Bank had a major URL flaw where hackers could simply replace some numbers in the URL and log into random accounts. They then built an automated number generator/enterer to break into hundreds of thousands of accounts. The website designer stated that security and features are incompatible. But no one in the public knew about the flaw, because the bank never revealed it for obvious reasons.

    If no one in the public knew about it then how do you know about it?