Go straight to the menu Go straight to the text

Security Post

Special Security Updates for High Impact Security Issues

On 01 Jun 2018 by Samsung Mobile Security

As the leading provider of mobile device, Samsung recognizes the importance of protecting our users' security and privacy.

Samsung has been diligently rolling out regular security updates for majority of the mobile devices since October of 2015. In an effort to protect users of devices not covered by regular security updates from high impact security vulnerabilities, Samsung is rolling out a large scale security updates, named Quadnicks Security Update, which includes patches for BroadPWN, Blueborne, KRACK, and Meltdown and Spectre.

This is not the first time Samsung has rolled out large scale security updates for devices not covered by regular security updates to address high impact security vulnerabilites. In 2017, Samsung released large scale security updates, named Triplex Security Update to address security vulnerabilities including Stagefright, Quadrooter, and DirtyCOW.

About speculative execution vulnerabilities in ARM-based CPUs

On 11 Jan 2018 by Samsung Mobile Security

Overview

Security researchers have discovered several methods, named Meltdown and Spectre, which allow a process with normal user privilege to perform unauthorized reads of memory data in privileged process by abusing speculative execution technique that has been widely adopted in modern high-end CPUs.

Google has released a separate patch that effectively mitigates issues identified by Meltdown and Spectre by restricting access to high performance timers and making it difficult to utilize such attack methods. Samsung already received the separate patch from Google as part of Android Security Bulletin and started rolling out patches as part of January 2018 Security Update. In order to reduce confusion, Samsung has added the Samsung Security Index, which can be found in Settings > about device > Security software version. SMR Jan-2018 Release MS (MS stands for Meltdown and Spectre) includes all patches from Samsung and Google from January 2018 Security Update as well as the patch mentioned above.

There are no known instances of these attack methods being exploited out in the wild at this time. These attacks methods rely on installed malware to execute a successful exploit of the vulnerabilities, and we recommend our users to download software only from trusted app stores such as Galaxy Apps and Google Play Store.
We will continue to work closely with our partners to provide further mitigations for these vulnerabilities and will release them in upcoming Security Updates as they are made available.

Background

Most modern high-end CPUs implement speculative execution in order to improve performance by operating multiple instructions at once with an assumption that CPU predictions are likely to be true. CPUs normally continue execution when the predictions are valid, but side effects may occur during rollback of these speculative executions when CPUs predictions are invalid. Attack methods introduced in Meltdown and Spectre take advantage of these side effects to gain unauthorized access to memory data in high privileged process from user privileged process. 

Spectre

Two attack methods referred to Spectre are CVE-2017-5753 “bounds check bypass” and CVE-2017-5715 “branch target injection". These attack methods abuse side effects by tricking the CPU to start speculative predictions and accessing privileged data during validity checks of CPU predictions.
Analyses from our partners show that these attack methods are extremely difficult to exploit; and the separate patch from Google (CVE-2017-13218) effectively mitigates these vulnerabilities by making exploitations difficult to utilize. 

Meltdown

Attack method referred to Meltdown is CVE-2017-5754 “rogue data cache load”, and it enables a rogue process to read kernel memory via execution of crafted series of instructions.
Analyses from our partners show that only selected numbers of Samsung devices are affected by this vulnerability; and the separate patch from Google (CVE-2017-13218) also effectively mitigate this vulnerability by making it harder to exploit. 

Official launch of Samsung Mobile Security Rewards Program

On 07 Sep 2017 by Samsung Mobile Security

Samsung is officially launching our Mobile Security Rewards Program, a new vulnerability rewards program which invites members of the security community to assess the integrity of Samsung’s mobile devices and associated software to identify potential vulnerabilities in those products.

Samsung’s Mobile Security Rewards program is the latest initiative to demonstrate our steadfast commitment to working in close partnership with the security research community and enabling secure experiences for all our customers.

For more information, please visit here.