When the Linux “Keyrings” vulnerability landed yesterday, headlines said it would affect “millions” of devices, partly because it was thought to be widely present in Android as well.
El Reg wondered at this, because it's not part of the recommended Android kernel configuration, so we're going to be a little bit smug: however many 'droids are vulnerable, it's not likely to be "66 per cent".
Google's Android security lead, Adrian Ludwig, has promised a fix by March 1. That's the bad news.
The good news: “We believe that the number of Android devices affected is significantly smaller than initially reported.
“We believe that no Nexus devices are vulnerable to exploitation by third party applications. Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents third party applications from reaching the affected code.
“Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in linux kernel 3.8, as those newer kernel versions [are] not common on older Android devices.”
Ludwig's not thrilled that the vulnerability landed without prior notice to the Android team, but Perception Point reckons it's now working with Google.
In an e-mail to The Register, Perception Point's Yevgeny Pats said it “looks like the CONFIG_KEYS are present in most Kernel builds in Android Operating Systems even though it is not present in the 'recommended' configuration.”
“We are working with Google now to check as posted in the blogpost if there is a way this vulnerability can be exploited with SELinux in enforcing state.”
It would seem that Google's already answered that question. ®