Project Zero, a team of security analysts employed by Google and tasked with finding zero-day exploits, has found 11 high-impact security issues in the Samsung Galaxy S6 Edge.
Launched in April, the S6 Edge and flat screen S6 are predicted by researcher Counterpoint to reach 50 million sales by the end of the year.
Arthur Goldstuck, World Wide Worx MD, said the design of the S6 Edge was one of the most significant shifts in the mobile market this year.
Natalie Silvanovich, official Project Zero planner of bug bashes, wrote in a blog post this week: "We wanted to see how quickly bugs would be resolved when we reported them. We chose the Samsung Galaxy S6 Edge, as it is a recent high-end device with a large number of users."
Within a week of investigating different vulnerabilities, the Project Zero team found 11 risks. These included a directory traversal bug that allows a file to be written as system, and permission weakness in the e-mail software that allows attackers to forward e-mails to another account.
"Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device which slowed us down," says Silvanovich. "The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review."
Silvanovich says there were three logic issues that are trivial to exploit. "These types of issues are especially concerning, as the time to find, exploit and use the issue is very short."
The motivation for looking into the S6 Edge (and other smartphones), says Silvanovich, is because the majority of Android devices are not made by Google but use the Android OS.
These external companies, known as original equipment manufacturers (OEMs), "introduce additional (and possibly vulnerable) code into Android devices." Silvanovich also notes OEMs decide the frequency of security updates.
Reporting the issues
After detection, all risks were reported to Samsung and eight of the 11 risks were fixed in the October update. The company has said the remaining issues will be fixed this month.
Silvanovich says fortunately the remaining three appear to be lower severity issues.
Two require an image to be opened in Samsung Gallery, "which does not have especially high privileges and is not used by default to open images received remotely via e-mail or SMS (so an exploit would require the user to manually download the image and open it in Gallery)," says Silvanovich.
"The other unfixed issue allows an attacker to execute JavaScript embedded in e-mails, which increases the attack surface of the e-mail client, but otherwise has unclear impact.
"It is promising that the highest severity issues were fixed and updated on-device in a reasonable time frame."
Samsung S6 Edge users are urged to keep their software updated.
Share
