Google fail? This new Critical zero-day Android vuln is TWO years old!

Google warns of Android kernel vulnerability being exploited. It's almost two years old, but suddenly it's Critical. Oops.

Android Google root vulnerability
Credit: Lam Eason (cc:by-nd)

Android has horrible new security hole, says Google. Not only that, but Google admits the bug's been known about since April 2014, and is being exploited -- SKY FALLING; FILM AT 11.

Somehow, Google seems to know that the exploit isn't malicious. I suppose that's reassuring, so long as you trust la GOOG in this. But how long is it going to take your handset vendor and carrier to actually send you the update?

In IT Blogwatch, bloggers prepare to patch CVE-2015-1805.  curated these bloggy bits for your entertainment.


What’s all the panic about? Abner Li is tenacious—Linux kernel root vulnerability affects many Android devices:

A large number of Android devices...running kernel versions 3.4 [to] 3.14 [have] a vulnerability that allows an app to gain root access. ... A rooting app for the Nexus 5 and 6 that abuses the vulnerability has been made publicly available.

Users would have to reflash the entire operating system...to fix the issue. ... Google will release a security update...to Nexus devices. ... It will be up to OEMs to implement the fix.


Use the sauce. Google's anonymous security gnomes released this Security Advisory:

Google has become aware of a rooting application using an unpatched local elevation of privilege vulnerability...(CVE-2015-1805). ... We already block installation of rooting applications that use this vulnerability...using Verify Apps.

To provide a final layer of defense for this issue, partners were provided with a patch. ... Source code patches for this issue have been released to...AOSP.

This issue is rated as a Critical severity issue. ... We encourage all customers to accept updates to their devices. ... Android devices with a security patch level of March 18 [or] April 2, 2016 and later are not vulnerable.


Scary stuff. And Dan Goodin adds to the panic, speaking of “permanent device compromise”:

Millions of Android phones...are vulnerable to attacks that can...take control of core functions almost permanently. [It] allows apps to gain nearly unfettered "root" access.

Linux developers fixed it in April 2014 but [not] identified it as a security threat. ... Android developers failed to patch it even after [it was] in February 2015.

[You] should carefully consider the risks before knowingly installing a rooting app. [You] should also avoid apps available in third-party marketplaces, since they are more likely to...exploit the vulnerability maliciously.


So be careful out there, kids. And don't root, right? WRONG, says FeRDNYC, who's fed up of FUD:

This security flaw and its exploit have nothing to do with rooting. ... A "rooted" Android device is one in which superuser privileges...are made available to userland software under certain conditions...at the user's discretion by means of a confirmation dialog.

This privilege-elevation vulnerability [allows] a malicious app to gain superuser privileges without the user's authorization. [It's] a security flaw on unrooted and rooted devices alike.


Oh. How did we get here, anyway? Here's a good point from microlith:

[It's] because of the way Google, SoC vendors, and handset vendors...take some old-ass kernel, dump a bunch of poorly-written drivers into it, and go. ... This is why Linux is near 4.5, while handsets...come with nearly 4 year old kernels.


Ancient kernels and 23-month-old vulns. Oh dear. John Anon goes on and on: [You're fired -Ed.]

For many Android users, one of the clear benefits of ‘rooting’ a device is that they can gain access to a deeper level of the operating system. ... However, the downside of rooting is that changes made at the root level also have the ability to cause damage [or] give certain apps abilities you might not want them to have.

To be clear, this is not a new issue. ... This flaw dates back almost two years. ... A fix for this flaw had already been scheduled [but now] a new security update is in the process of being put together for Nexus devices.


You have been reading IT Blogwatch by , who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or itbw@richi.uk.
Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.