Samsung Mobile February Update Patch Details


Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung. 

Google patches include patches up to Android Security Bulletin - February 2017 package. 

The Bulletin (February 2017) contains the following CVE items: 
CVE-2016-2108(C), CVE-2016-3915(H), CVE-2016-3916(H), CVE-2015-1465(H), CVE-2016-6729(C), CVE-2015-8964(H), CVE-2016-7915(H), CVE-2016-6786(H), CVE-2016-6787(H), CVE-2016-1583(H), CVE-2016-8399(M), CVE-2016-8405(M), CVE-2016-8410(M), CVE-2016-6690(L), CVE-2015-3288(C), CVE-2015-5706(C), CVE-2016-9120(C), CVE-2016-8412(H), CVE-2016-8444(H), CVE-2016-7042(H), CVE-2017-0403(H), CVE-2016-5345(H), CVE-2016-9754(H), CVE-2016-8468(M), CVE-2016-8470(M), CVE-2016-8471(M), CVE-2016-8472(M), CVE-2016-3853(M), CVE-2017-0399(M), CVE-2017-0400(M), CVE-2017-0401(M), CVE-2017-0402(M), CVE-2016-6754(H), CVE-2017-0388(H), CVE-2017-0405(C), CVE-2017-0406(C), CVE-2017-0407(C), CVE-2017-0409(H), CVE-2016-5552(H), CVE-2017-0410(H), CVE-2017-0411(H), CVE-2017-0412(H), CVE-2017-0415(H), CVE-2017-0416(H), CVE-2017-0417(H), CVE-2017-0418(H), CVE-2017-0419(H), CVE-2017-0422(H), CVE-2017-0425(M), and CVE-2017-0426(M).

* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low


※ Please see Android Security Bulletin for detailed information on Google patches.



Along with Google patches, Samsung Mobile provides 7 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices.¹
Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release. 


SVE-2016-6942: Security issue on package name check logic on SVoice


Severity: Medium
Affected versions: L(5.0/5.1), M(6.0)
Reported on: August 4, 2016
Disclosure status: Privately disclosed. 
There are two SVoice vulnerabilities. One is a Hare hunting vulnerability with insufficient verification when installing applications, and the other allows the provider to be seized by any other application that uses a custom provider without declaring any permission.
The patch fixes SVoice to find the exact applications with proper verification and adds protection to the provider by declaring required permission.


SVE-2016-7123: Crash on InputMethod via unprotected receiver using specific intent


Severity: Low 
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: September 21, 2016
Disclosure status: Privately disclosed. 
The vulnerability in several Receiver components of the InputMethod application can result in a crash and restart of the system UI when malformed serializable objects are passed.
The patch complements the exception handling routine to prevent the crash.


SVE-2016-7180: Contact list leakage in logfile via broadcasting unprotected intent


Severity: Low 
Affected versions: M(6.0), N(7.0)
Reported on: September 16, 2016
Disclosure status: Privately disclosed. 
The vulnerability exposes contact information and list of installed applications in the system-accessible log.
The patch removes the problematic code.
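
The SVoice provider fix (SVE-2016-6942) and the unprotected receiver in SVE-2016-7123 share one manifest-level pattern: an exported component that declares no permission. The following Python audit is an added example, not part of Samsung's bulletin or patch; the manifest, package and component names are constructed, and providers are assumed to default to not exported (targetSdkVersion 17 or later).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for illustration; package and component names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.voiceapp">
  <application>
    <provider android:name=".OpenProvider" android:exported="true"
              android:authorities="com.example.voiceapp.open"/>
    <provider android:name=".GuardedProvider" android:exported="true"
              android:authorities="com.example.voiceapp.guarded"
              android:permission="com.example.voiceapp.ACCESS"/>
    <receiver android:name=".OpenReceiver">
      <intent-filter><action android:name="com.example.voiceapp.ACTION"/></intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.voiceapp.INTERNAL"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")

def is_exported(elem):
    """Explicit android:exported wins; otherwise a receiver with an intent filter
    is exported by default. Assumption: providers default to not exported."""
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.tag == "receiver" and elem.find("intent-filter") is not None

def unprotected_components(manifest_xml):
    """Return (tag, name) for exported providers/receivers declaring no permission."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for elem in app.iter():
        if elem.tag not in ("provider", "receiver") or not is_exported(elem):
            continue
        if not any(elem.get(ANDROID + attr) for attr in PERMISSION_ATTRS):
            findings.append((elem.tag, elem.get(ANDROID + "name")))
    return findings

if __name__ == "__main__":
    for tag, name in unprotected_components(SAMPLE_MANIFEST):
        print(f"exported {tag} without permission: {name}")
```

A permission on the component only restricts who can reach it; a receiver that deserializes extras from an intent still needs the exception handling the SVE-2016-7123 patch describes.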


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements


We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Quhe of Ant-financial Light-Year Security Lab : SVE-2016-7123 
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2016-7180 
