Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected

Tsepz

Tsepz

macrumors 601
Original poster
Jan 24, 2013
4,887
4,698
Johannesburg, South Africa
If you have an update available do it ASAP on your Samsungs!
The monthly security updates from Samsung have started rolling out. If you own a Samsung smartphone that was sold from late 2014 onward, you'd better hope that update hits your device soon. Why so? Only the small matter of a "perfect 10" critical security vulnerability that can enable arbitrary remote code execution (RCE) if exploited. Oh yes, and that arbitrary RCE can happen without any user interaction needed, as this is a "zero-click" vulnerability. And if you think that sounds pretty serious, and it is, there's more to come: the vulnerability affects every Galaxy smartphone that Samsung has made from late 2014 onward.
Click to expand...

www.forbes.com

Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected

Samsung has confirmed a "perfect 10" critical security issue that has been present in every Galaxy smartphone from late 2014 onward. Here's what you need to know.
www.forbes.com www.forbes.com
 
5

5105973

Cancelled
Sep 11, 2014
12,132
19,733
Tsepz said:
If you have an update available do it ASAP on your Samsungs!


www.forbes.com

Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected

Samsung has confirmed a "perfect 10" critical security issue that has been present in every Galaxy smartphone from late 2014 onward. Here's what you need to know.
www.forbes.com www.forbes.com
Click to expand...
Damn. It’s a shame that people who have the smarts and knowledge to create this kind of thing don’t put their brainpower toward helping people instead of all this malicious behavior. If I were smart and educated enough that I could create something like this, I’d want to use those gifts to make the world a better place, not mess about in some poor shmuck’s phone. Jeez.

One thing I didn’t quite understand from that article was if this thing propagates from within the Samsung MMS app, is it contained safely within if you don’t open that message? They’re describing it as a zero click exploit. So I’m guessing once it’s in your messages it doesn’t matter if you ignore it or not.

I did recently get an update. I get so many updates so I don’t know even which one I’m on. I guess I should read the notes to see what’s being fixed. Sometimes I do, sometimes I don’t.

Thanks for passing along this warning.
 
  • Like
Reactions: alex cochez and Tsepz
I

ian87w

macrumors G3
Feb 22, 2020
8,704
12,638
Indonesia
Whoopsie.
I do hope we get an update from Samsung and see what they say. Sometimes news like this get abandoned so quickly that we never see anymore updates other than the initial reporting.
 
Tsepz

Tsepz

macrumors 601
Original poster
Jan 24, 2013
4,887
4,698
Johannesburg, South Africa
GrumpyMom said:
Damn. It’s a shame that people who have the smarts and knowledge to create this kind of thing don’t put their brainpower toward helping people instead of all this malicious behavior. If I were smart and educated enough that I could create something like this, I’d want to use those gifts to make the world a better place, not mess about in some poor shmuck’s phone. Jeez.

One thing I didn’t quite understand from that article was if this thing propagates from within the Samsung MMS app, is it contained safely within if you don’t open that message? They’re describing it as a zero click exploit. So I’m guessing once it’s in your messages it doesn’t matter if you ignore it or not.

I did recently get an update. I get so many updates so I don’t know even which one I’m on. I guess I should read the notes to see what’s being fixed. Sometimes I do, sometimes I don’t.

Thanks for passing along this warning.
Click to expand...

Yeah, the big problem with this exploit will be the people in lesser supported regions that get updates late. A mate of mine has a Note10+ and on his network it seems they are about 2 patches behind. My S7 Edge and Note8 are also behind so all 3 of our Samsung devices are vulnerable.

Luckily I do not use the S7 Edge and Note8 anymore, but those that do are in a bit of trouble.

Hopefully Samsung finds a way to get this done properly, but I have my doubts about all regions and networks being patched before end of this month.
 
  • Wow
Reactions: 5105973
5

5105973

Cancelled
Sep 11, 2014
12,132
19,733
Tsepz said:
Yeah, the big problem with this exploit will be the people in lesser supported regions that get updates late. A mate of mine has a Note10+ and on his network it seems they are about 2 patches behind. My S7 Edge and Note8 are also behind so all 3 of our Samsung devices are vulnerable.

Luckily I do not use the S7 Edge and Note8 anymore, but those that do are in a bit of trouble.

Hopefully Samsung finds a way to get this done properly, but I have my doubts about all regions and networks being patched before end of this month.
Click to expand...
Even in the US, I could not get any support for an unlocked S7. Thank goodness they now support unlocked phones, but it sure took them long enough!
 
  • Like
Reactions: Tsepz
I

ian87w

macrumors G3
Feb 22, 2020
8,704
12,638
Indonesia
Are there any updates on this? Any news about Samsung's response? Seems irresponsible for Forbes to report something as serious as this and then never do any follow up.

Interesting that no other channels of tech reviewers are talking about this, at least the ones I followed. Heck, the stupid Apple Mac Pro wheels are getting more coverage than this.
 
Tsepz

Tsepz

macrumors 601
Original poster
Jan 24, 2013
4,887
4,698
Johannesburg, South Africa
ian87w said:
Are there any updates on this? Any news about Samsung's response? Seems irresponsible for Forbes to report something as serious as this and then never do any follow up.

Interesting that no other channels of tech reviewers are talking about this, at least the ones I followed. Heck, the stupid Apple Mac Pro wheels are getting more coverage than this.
Click to expand...

ZDnet and 9to5Google also covered this:

9to5google.com

Samsung patches security vulnerability impacting all Galaxy phones sold since 2014

A security vulnerability on Samsung's Android phones sold since 2014 left the door open for attackers, but it's in the process of being patched.
9to5google.com 9to5google.com


www.zdnet.com

Samsung patches 0-click vulnerability impacting all smartphones sold since 2014

Samsung patched this month a critical bug discovered by Google security researchers.
www.zdnet.com www.zdnet.com



PhoneArena has also covered it and then deleted the post, lol, who knows what happened there though. I think some of the blogs are trying to limit coverage due to the severity and the fact that most phones have not been patched nobody wants to be responsible for leading hackers to the exploit.
 
macfacts

macfacts

macrumors 603
Oct 7, 2012
5,372
6,339
Cybertron
The linked article talks about the hacker needing to send like 50 to 300 MMS to someone to be successful. I'm not concerned about this.
 
  • Like
Reactions: jamezr
I

ian87w

macrumors G3
Feb 22, 2020
8,704
12,638
Indonesia
macfacts said:
The linked article talks about the hacker needing to send like 50 to 300 MMS to someone to be successful. I'm not concerned about this.
Click to expand...
Many security vulnerabilities are that, requiring certain things to happen.
Doesn't mean it should not be fixed, especially if it's affecting such a huge number of devices, from a tier 1 company like Samsung. It's very ignorant to dismiss this just because it's of no concern for you. :(
 
Shanghaichica

Shanghaichica

macrumors G5
Apr 8, 2013
14,725
13,245
UK
I have a galaxy S5 which was released in 2014. I don't use it for anything sensitive such as financial transactions because it hasn't received an update in years. I dont think it will get this security update.
 
jamezr

jamezr

macrumors P6
Aug 7, 2011
16,072
19,067
US
macfacts said:
The linked article talks about the hacker needing to send like 50 to 300 MMS to someone to be successful. I'm not concerned about this.
Click to expand...
yeah the stars have to align just right for this exploit to happen. Sure it should get patched...but the risk here is pretty damn low. The exploit itself is more clickbait material than a risk to the general public.

First they have a reason to target you in the first place or find you among the gazilion devices out there.
Samsung Messages app, Qmage files could exploit Skia and bypass Android’s Address Space Layout Randomization protection. This attack takes multiple MMS messages since it takes time for the file to “guess” where the Skia is located. Once it is found, though, a final message can execute the attacker’s code.

The process generally takes around 100 minutes and between 50 and 300 messages to complete.
Click to expand...
 
Last edited:
serpico007

serpico007

macrumors 6502
Sep 18, 2017
303
320
True, all the stars need to align. Which is why most users never update or upgrade until their contract is done. I mean many don't even know they need to update their phone. We are the crazy ones who keep checking every day!;)
 
  • Like
Reactions: yui4, Shanghaichica and jamezr
mi7chy

mi7chy

macrumors G4
Oct 24, 2014
10,625
11,296
Seems straightforward to mitigate. Just disable stock Samsung message, mail, browser, etc. apps and use different ones as default like Google Messages, Chrome, etc. Tried sending a .qmg file via MMS in Hangouts and it won't even accept the format. Chrome doesn't allow opening it either. Gmail doesn't yet filter .qmg but I don't think it auto previews.
 
  • Like
Reactions: serpico007 and jamezr
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom