joined:Nov 9, 2004
It's important to actually read these kernel alerts. So, old androids are in zero danger from this, because this comes with kernel 3.8 or later only. They are in danger from every other known exploit for unpatched androids, but given the dispersion of android systems, and the consistent failure by phone vendors to apply timely updates to their android releases, it's best to just think of all non google sourced android systems as essentially vulnerable. And not just old, I have an android 4.4.2, recently updated, which runs linux 3.4, ie, zero risk from this exploit.
The vulnerability is notable because it's exploitable in a wide array of settings. On servers, people with local access can exploit it to achieve complete root access. On smartphones running Android versions KitKat and later, it can allow a malicious app to break out of the normal security sandbox to gain control of underlying OS functions.
I'm not convinced this explanation is technically right because they tend to be extremely sloppy in their reporting. I read the actual report:
but I'm not up on the specifics enough to know if this is truly a local only exploit, which almost ALL are, by the way, and thus of almost no risk to web servers etc, or if it can be exploited via ssh or ssl or apache etc.
However, if it's only local access, which means, you're sitting at the machine typing into its terminal/console, then the risk to servers is close to zero, and, again, the server would have to be running that kernel, which most servers probably aren't doing, since they are long term frozen pool releases. Depends. I've always laughed at local only exploits because the entire notion is so absurd, as I like to note, if someone is sitting directly in front of your system with access to the hardware, you have much bigger security issues than a tiny weakness in the kernel, since they already have your machine, lol.
Same for android risk, google expressed very little concern about the issue, saying it doesn't apply to most android releases.
Of course, android is already long since established as the windows of mobile phone security, so it's not like patching this in your android would suddenly make android secure.