66% of Android devices at risk as zero-day flaw found in Linux

Known as CVE-2016-0728, the bug was found by researchers at Perception Point who say it has been around since 2012. It could give hackers access to “tens of millions” of Linux PCs and servers and up to 66 percent of all Android devices.
The flaw is present in all versions of the Linux kernel newer than version 3.8. For Android, this affects devices running 4.4 KitKat or newer. The issue is present in the 32-bit and 64-bit versions of the kernel.
The bug allows an external attacker to obtain root access to the operating system, giving them full control of the device and the ability to run their own programs or send sensitive user data home. The high-risk vulnerability originates in the Linux “keyring” store, a component of the kernel that encrypts the user’s login details so other apps can access them securely when required without knowing the user’s actual password.
The Linux kernel team has been notified of the bug. A patch should be delivered to affected desktop systems shortly, but Android smartphones may not be updated for months. Many older devices are unlikely to be fixed at all.
The good news is that Perception Point has not found any evidence of the bug being exploited maliciously so far. It believes it is the first group to uncover the vulnerability, although that doesn’t stop hackers from developing attacks to use against the millions of Android devices likely to remain at risk for the rest of their lives.
Perception Point notes that newer Android devices do include some protection that would make any exploit attempt more difficult. SELinux protects the kernel from unauthorised access but is not a perfect system. An attacker intent on gaining access to the device would be able to do so and certainly has the incentive to keep trying when the reward is full access to the phone as its root user.
On desktop computers and servers, the SMEP and SMAP systems work in a similar way to SELinux but only make exploiting the flaw more difficult rather than impossible. Linux computer users and server administrators are advised to install the kernel patch as soon as it heads their way, while Android users will have to hope their manufacturer decides to ship an update.