Google confirms new Linux hole not a big deal for Android

Sometimes a security "hole" is really a tiny security "leak."
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The headlines made the Perception Point-reported Linux and Android security vulnerability, aka CVE-2016-0728, sound terrible. For example, "Zero-Day Flaw Found in 'Linux Kernel' leaves Millions Vulnerable." Ah... not so much, more like thousands. Maybe.


Actually, this Linux zero-day security flaw was mostly harmless. Now Google has revealed that, as expected, on Android this security "hole" was more of a security "leak."

Adrian Ludwig, Android's lead security engineer, wrote on Google+ that Google took the problem seriously. Other Google sources added that they did so because they were aware of the problem via the upstream Linux kernel security team. Perception Point, which had claimed that the "vulnerability has implications for ... 66 percent of all Android devices (phones/tablets)," had not bothered to tell them about the problem.

Fortunately, because of the upstream work of the Linux team, Google was ready with a patch. Ludwig wrote: "We have prepared a patch, which has been released to open source and provided to partners today. This patch will be required on all devices with a security patch level of March 1 2016 or greater."

Yes, that means it's not out yet, but Android users probably don't need it anyway. Ludwig added, "We believe that no Nexus devices are vulnerable to exploitation by 3rd party applications. Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents third party applications from reaching the affected code. Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions are not common on older Android devices."

Last, but not least, Google is "now investigating the claims made about the significance of this issue to the Android ecosystem. [But,] We believe that the number of Android devices affected is significantly smaller than initially reported."

You think?

A far more serious Android security problem is that one-third of Android users don't bother to use a passcode to secure their lockscreen.

Seriously, there are real security problems on Android and Linux. All operating systems have them. But, before screaming that the security skies are falling, let's make sure there's a real problem before flying into a panic.
