Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.
Google patches include patches up to the Android Security Bulletin - February 2017 package.
The Bulletin (February 2017) contains the following CVE items:
CVE-2016-2108(C), CVE-2016-3915(H), CVE-2016-3916(H), CVE-2015-1465(H), CVE-2016-6729(C), CVE-2015-8964(H), CVE-2016-7915(H), CVE-2016-6786(H), CVE-2016-6787(H), CVE-2016-1583(H), CVE-2016-8399(M), CVE-2016-8405(M), CVE-2016-8410(M), CVE-2016-6690(L), CVE-2015-3288(C), CVE-2015-5706(C), CVE-2016-9120(C), CVE-2016-8412(H), CVE-2016-8444(H), CVE-2016-7042(H), CVE-2017-0403(H), CVE-2016-5345(H), CVE-2016-9754(H), CVE-2016-8468(M), CVE-2016-8470(M), CVE-2016-8471(M), CVE-2016-8472(M), CVE-2016-3853(M), CVE-2017-0399(M), CVE-2017-0400(M), CVE-2017-0401(M), CVE-2017-0402(M), CVE-2016-6754(H), CVE-2017-0388(H), CVE-2017-0405(C), CVE-2017-0406(C), CVE-2017-0407(C), CVE-2017-0409(H), CVE-2016-5552(H), CVE-2017-0410(H), CVE-2017-0411(H), CVE-2017-0412(H), CVE-2017-0415(H), CVE-2017-0416(H), CVE-2017-0417(H), CVE-2017-0418(H), CVE-2017-0419(H), CVE-2017-0422(H), CVE-2017-0425(M), and CVE-2017-0426(M).
Along with Google patches, Samsung Mobile provides 7 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.
Severity: Medium
Affected versions: L(5.0/5.1), M(6.0)
Reported on: August 4, 2016
Disclosure status: Privately disclosed.
There are two SVoice vulnerabilities. One is a Hare hunting vulnerability with insufficient verification when installing applications, and the other allows the provider to be seized by any other application that uses a custom provider without declaring any permission.
The patch fixes SVoice to find the exact applications with proper verification and adds protection to the provider by declaring the required permission.
Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: September 21, 2016
Disclosure status: Privately disclosed.
The vulnerability in several Receiver components of the InputMethod application can result in a crash and restart of the system UI when malformed serializable objects are passed.
The patch complements the exception handling routine to prevent the crash.
Severity: Low
Affected versions: M(6.0), N(7.0)
Reported on: September 16, 2016
Disclosure status: Privately disclosed.
The vulnerability exposes contact information and the list of installed applications in the system-accessible log.
The patch removes the problematic code.
¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.
We truly appreciate the following researchers for helping Samsung to improve the security of our products.
- Quhe of Ant-financial Light-Year Security Lab : SVE-2016-7123
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2016-7180