Android security: Samsung plugs six OS and seven Galaxy-specific bugs

Samsung is making good on its commitment to deliver monthly Android security patches and fixes specific to its own hardware.
Written by Liam Tung, Contributing Writer

Samsung's flagship Galaxy smartphones are being patched but it's not clear whether the firm's low- and mid-range devices will see the updates.

Image: Samsung

Samsung has released security fixes both for the flaws that Google fixed earlier this month and for multiple bugs separately affecting its flagship Galaxy models.

Following Google's monthly fixes for its own Nexus devices in early January, Samsung has now disclosed details of the bugs it will be patching to remedy vulnerabilities in its flagship hardware. The update contains a blend of bugs in Google's update and others that Samsung has addressed independently.

Devices to receive this month's updates include the Galaxy S6, S6 edge+, S6 edge, and S5, as well as the Note 5, Note 4, and Note Edge. Its Galaxy Tab S2 and Tab S also receive the monthly updates. However, it's not clear whether Samsung's low- and mid-range devices will see the updates.

The security patches are part of the commitment Samsung made last August to join Google's monthly Android patching process in response to the Stagefright bugs last year.

Samsung launched a mobile security blog in October, where it posts details about available patches, though the site currently lacks the clarity offered by Google in its monthly Android security report.

However, Samsung does appear to be attempting to make it simpler for users to understand its patching. For example, it recently began displaying on devices the Android security patch level corresponding to Google's Nexus patches.

Samsung's update for the month includes six of the 12 vulnerabilities that Google fixed in Security Patch Level January 1, 2016. Google notified Samsung and other Android partners of the issues in Android on December 7.

Samsung's update also includes fixes for seven vulnerabilities specific to its own devices, though it currently only lists six of them.

One of three critical bugs in the update affects the Face Recognition library in the Galaxy S6 running Android KitKat and Lollipop.

"When a malformed BMP image is scanned by a facial-recognition library, it can trigger an arbitrary code execution," Samsung notes.

A second critical bug only affects Galaxy S6 devices running Lollipop. "A malformed JPEG file can make memory corruption due to a flaw in 'libQjpeg.so' and it is possible to be used to exploit vulnerability," Samsung notes.

The third critical vulnerability affects all Samsung devices that support FRP/RL, which probably refers to the Factory Reset Protection feature added to some Samsung devices running Android 5.1 Lollipop and higher.

The feature is designed to prevent anyone initiating a factory reset unless they have the associated Google account credentials or lockscreen details.

According to Samsung, this bug can be exploited via Odin, the software used to flash firmware on Samsung devices.

"A vulnerability from download mode can reset FRP/RL partition by using Odin protocol. The applied patch is concerned with bootloader which is a confidential part even inside Samsung," the company noted.

Read more about Samsung and Android security

Editorial standards