Linux Kernel Has Security Flaw, Vendors Release Urgent Fix
Linux distro developers have announced that the Linux kernel contains a security flaw that could endanger devices with Android 4.0 Ice Cream Sandwich operating systems but a fix is currently being rolled out.
The flaw allows a local hacker to gain root accessibility to a target system through privilege escalation vulnerability.
According to Techworld, the security hole restricts the kernel from accessing the “/proc/<pid>/mem” file and the security advisory is CVE-2012-0056.
Only Linux versions 2.6.39 and above will contain such vulnerability, with Linux creator Linus Torvalds posting a patch to fix the issue on January 17, but before vendors could insert it into their distros (distributions), a proof of concept exploit code leaked online.
Ubuntu and Red Hat, leading Linux distributors, have already released patches to manage the vulnerability but others are yet to follow suit.
Security researcher Jason Donenfeld has a detailed exploit for the fault called ‘mempodipper’, and then Jay Freeman, creator of the Cydia app store for jailbroken iOS devices, used it as base to build a local root exploit for Android 4.0 Ice Cream Sandwich (ICS) known as ‘mempodroid‘.
“While Android itself is open, many of the devices that use it are not, and the Transformer Prime has a locked bootloader, making exploits such as this required to install custom software,” said Freeman.
A few existing Android devices have official and unofficial support for Android 4.0 ICS but ‘mempodroid’ could be useful for root access of gadgets running on Google’s operating system in the near future.