Koodo Community
Question

Samsung May Security Update?


Where is the Samsung S20 May security update??

There is a level 10 security issue (remote code execution requiring no user interaction) that needs the fix that exists in the May update NOW!

 

Only the small matter of a “perfect 10″ critical security vulnerability that can enable arbitrary remote code execution (RCE) if exploited. Oh yes, and that arbitrary RCE can happen without any user interaction needed, as this is a “zero-click” vulnerability.

Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected

 

Why is Telus delaying the release of this patch??

They skipped the April update altogether, and now we're well into May with no May security update.

This is simply negligent behavior. Push out the update for heaven's sake!

You are putting your users at a major risk!

 

Samsung releases patches EVERY month, why don't we see these same updates each month?? 


6 replies

Userlevel 7
Badge +4

I doubt that Telus is delaying a security update. They're likely working with fewer resources:

“***Update*** Due to the current climate surrounding COVID-19, some updates can be subject to delays due to quarantine initiatives happening around the world.  “

https://forum.telus.com/t5/Mobility/Software-Update-Schedule/ta-p/53566

 

It'll come when it comes is likely all we'll find out.

While I understand that priorities have necessarily had to shift give the situation, the security of Telus’s customers needs to be way up there on the priority list as well.

This specific exploit is a very special case.

  • There is a proof of concept online now that, even inexperienced bad actors (e.g.: ‘script kiddies’), can use to create exploits
  • This vulnerability can be exploited without any interaction from the phone owner
  • Once exploited, the attacker can execute ANY CODE THEY WANT on your phone. They can:
    • steal literally, every single piece of data on your device
    • they can install key loggers to record all of your passwords
    • they can install bot software to make your phone run the exploit on other phones
    • they can remotely view your camera
    • etc.. etc..

This is why “remote code execution” exploits are the most dangerous of all possible exploits. It literally gives the attacker 100% control of your device!

And the worst thing is… there is a fix available RIGHT NOW. All Telus has to do is SEND IT OUT. That’s it!

Userlevel 7
Badge +4

While I understand that priorities have necessarily had to shift give the situation, the security of Telus’s customers needs to be way up there on the priority list as well.

This specific exploit is a very special case.

  • There is a proof of concept online now that, even inexperienced bad actors (e.g.: ‘script kiddies’), can use to create exploits
  • This vulnerability can be exploited without any interaction from the phone owner
  • Once exploited, the attacker can execute ANY CODE THEY WANT on your phone. They can:
    • steal literally, every single piece of data on your device
    • they can install key loggers to record all of your passwords
    • they can install bot software to make your phone run the exploit on other phones
    • they can remotely view your camera
    • etc.. etc..

This is why “remote code execution” exploits are the most dangerous of all possible exploits. It literally gives the attacker 100% control of your device!

And the worst thing is… there is a fix available RIGHT NOW. All Telus has to do is SEND IT OUT. That’s it!

This is the risk of getting an android phone.

 

Have you tried updating with Smart Switch?

https://www.androidcentral.com/how-update-your-samsung-phone-smart-switch

Thanks for the Smart Switch link. I'll see if that can be used in this case.

However, this issue highlights the risk of having Telus as your carrier more than being Android related.

Another remote code execution exploit appeared on the iPhone just this April, and that was just as bad as this one:

Mateusz Jurczyk, the Project Zero researcher who found the vulnerability, told ZDNet that it could be exploited without any user-interaction being required. A so-called zero-click attack. Indeed, it’s the same kind of zero-click exploit that the Project Zero team found in the Apple ecosystem recently.

 

Google Surprises Apple iPhone, iPad, Mac Users: ‘Numerous New Vulnerabilities’ Revealed

https://www.forbes.com/sites/zakdoffman/2020/04/29/google-surprises-apple-users-with-numerous-new-security-issues/#2c6e8d6865dd

 

The only difference is that Telus actually pushes out patches from Apple as soon as they receive them (or allow Apple to directly send patches directly to users).

 

Samsung has already fixed the issue. The patch already exists. The only thing blocking Telus customers from getting this patch is Telus itself.

This is not an Android issue. This is not an Android vs iPhone issue. This is a 100% Telus issue. 

All they need to do is send out Samsung's regularly scheduled monthly security update.

 

Userlevel 7
Badge +4

Thanks for the Smart Switch link. I'll see if that can be used in this case.

However, this issue highlights the risk of having Telus as your carrier more than being Android related.

Another remote code execution exploit appeared on the iPhone just this April, and that was just as bad as this one:

Mateusz Jurczyk, the Project Zero researcher who found the vulnerability, told ZDNet that it could be exploited without any user-interaction being required. A so-called zero-click attack. Indeed, it’s the same kind of zero-click exploit that the Project Zero team found in the Apple ecosystem recently.

 

Google Surprises Apple iPhone, iPad, Mac Users: ‘Numerous New Vulnerabilities’ Revealed

https://www.forbes.com/sites/zakdoffman/2020/04/29/google-surprises-apple-users-with-numerous-new-security-issues/#2c6e8d6865dd

 

The only difference is that Telus actually pushes out patches from Apple as soon as they receive them (or allow Apple to directly send patches directly to users).

 

Samsung has already fixed the issue. The patch already exists. The only thing blocking Telus customers from getting this patch is Telus itself.

This is not an Android issue. This is not an Android vs iPhone issue. This is a 100% Telus issue. 

All they need to do is send out Samsung's regularly scheduled monthly security update.

 

Did Rogers or Bell get the update?  If so you can try to insert a Bell or Rogers sim to see if the update gets pushed

Badge +4

This exploit reminds me of the Stagefright bug a while back. The same RCE method was used by way of a specially crafted MMS message. The temporary fix back then was to disable auto-retrieval of single or group MMS messages which you can control within the messaging app until the security update is delivered to your device.

Stagefright bug

====

Latest exploit 2020, from the authors’ “Likely FAQ”:

Q: Are there any mitigations available to users against this and similar attacks, other than updating regularly?

A: For Samsung devices, these issues are fixed in the May 2020 patch. Generally speaking of image codecs, I am not aware of any generic mitigations against these types of bugs. One easy way to mitigate against attackers using exploits delivered specifically through MMS is to disable the "auto retrieve" option for multimedia messages in the Messages app.

See Likely FAQ near the bottom of the page  (ninth question/answer)

I’m not trying to downplay the severity of this exploit, we’ll just have to exercise a little patience until the security update rolls out.

Reply