Linux security threats on the rise
Security threats to Linux, an open source computer operating system (OS), have been increasing over the past few years.
This is according to security solutions vendor, Trend Micro, which says Linux PCs, servers or devices running Android KitKat 4.4 and higher are at risk due to a previously undiscovered Linux flaw.
It adds that with the explosion of Linux-based Android devices, the mobile OS has become the most attractive target for attackers.
Linux was originally developed as a free operating system for personal computers based on the Intel x86 architecture, but has since been ported to more computer hardware platforms than any other OS. Because of its dominance on smartphones, Android, which is built on top of the Linux kernel, has the largest installed base of all general-purpose operating systems.
Israeli IT security firm Perception Point found the latest bug indexed as CVE-2016-0728, which has existed for almost three years since Linux kernel version 3.8 was released in 2013.
The vulnerability could allow people with local access to servers to exploit it and gain complete root access. Similarly, on Android phones running version 4.4 (KitKat) and later, it could allow a malicious app to control underlying OS functions.
According to Perception Point, "this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66% of all Android devices." Android now powers more than 1.4 billion phones and tablets across the globe.
Once exploited, Trend Micro says, attackers could execute code on the Linux kernel and extract cached security data.
"Android's biggest issue is its fragmentation problem - where multiple versions of Android are present and in use - which then results in many users running outdated versions of the OS that may be riddled with vulnerabilities and security flaws. Leaving users with old versions of Android poses security risks such as unpatched vulnerabilities and new features which users won't be able to use," Trend Micro says.
Google has confirmed it is releasing a fix for this issue. "We have prepared a patch, which has been released to open source and provided to partners. This patch will be required on all devices with a security patch level of 1 March 2016," says Adrian Ludwig from the Android Security Team.
"In addition, since this issue was released without prior notice to the Android Security Team, we are now investigating the claims made about the significance of this issue to the Android ecosystem. We believe that the number of Android devices affected is significantly smaller than initially reported.
"We believe that no Nexus devices are vulnerable to exploitation by third-party applications. Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents third-party applications from reaching the affected code."