A bug that’s been present in Linux for almost three years can be used by hackers to gain almost total control over a device, say security researchers. It could affect tens of millions of PCs and servers, as well as 66 percent of all Android phones and tablets.
Perception Point reports that the newly discovered bug, which is snappily known as CVE-2016-0728, sits in the operating system’s keyring, which is used to store things like security data, authentication keys and encryption keys so that they can’t be used by any old app. The team at Perception Point, however, has identified a bug—and built a proof-of-concept attack—that makes it possible to replace an item from the keyring that’s temporarily stored in memory with some code.
That code is then executed by the kernel—the crucial bit of an OS that translates input and output requests from software into actions that the CPU has to carry out. The code could be used to do all kinds of things—gaining root access to a server, gaining control of the entire OS on an Android phone, or even attacking hardware that runs an embedded version of Linux, like a router.
The bug affects the Linux kernel in version 3.8, which was released in early 2013, so it also affects any Android device running KitKat or later.Perception Point notes that it has not observed “any exploit targeting this vulnerability in the wild,” but it does “recommend that security teams examine potentially affected devices and implement patches as soon as possible.”
Ars Technica notes that major Linux distributions are expected to receive a fix this week, but it may take far longer for your Android handset to get an update. As ever, be vigilant.
Update: Canonical has already rolled out an update for Ubuntu OSes.