Linux vulnerability puts millions of people at risk — Android users should panic


There are so many reasons to use a Linux-based operating system. Most often, people tell me that they switched because of a dissatisfaction with Microsoft’s Windows. The second most common reason people tell me that they use Linux is for security — a lack of malware. While operating systems such as Ubuntu, Fedora and Debian are rock solid, no operating system is impervious to viruses or trojans. The moment you feel 100 percent safe, you have effectively let your guard down.

While Linux-based operating systems are arguably more secure than Windows, every so often a vulnerability pops up to bring users down to Earth. Today, a rather nasty such vulnerability rocks the Linux community, as millions are at risk. And yes, this includes the oft-denounced Android.

“While the vulnerability has existed since 2012, our team discovered the vulnerability only recently, disclosed the details to the Kernel security team, and later developed a proof-of-concept exploit. As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets). While neither us nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible”, says Perception Point Research Team.

The team further explains, “the vulnerability affects any Linux Kernel version 3.8 and higher. SMEP and SMAP will make it difficult to exploit as well as SELinux on Android devices. Maybe we’ll talk about tricks to bypass those mitigation in upcoming blogs, anyway the most important thing for now is to patch it as soon as you can”.

Yikes. We are literally talking about millions upon millions of Linux users here, folks. What’s particularly scary is that it could have been exploited since 2012. While the Perception Point Research Team has not discovered an active exploit in the wild, it doesn’t mean state-sponsored hackers or spies haven’t already been utilizing it in secret. Remember, the nastiest vulnerabilities are the ones that haven’t been made public yet.

While mainstream Linux desktop and server distributions such as Ubuntu, Fedora, CentOS, and more will be imminently patched, sadly, Android users largely won’t be. Remember, with the exception of Nexus devices, operating system updates come few and far between — if ever. Even if the manufacturer releases a patch, cellular providers must approve it.

Ultimately, there are many millions of Android devices — countless, really — which will remain vulnerable forever. Users will have to decide whether to use it as-is or throw it in a wood-chipper. Quite frankly, I would never trust my data on a machine with known vulnerabilities — I’d opt for the chipper.



If you want to read more about the vulnerability, you can do so here. You can even download the exploit source here.