Google has been running Project Zero for some time now, with the mission of seeking out bugs in software, notifying the software makers and then, should nothing be fixed, notifying the public in an effort to force something to be done. Previously, Google has taken on Windows and OS X with Project Zero bugs, but this time it is Samsung in the firing line, with 11 serious flaws in the Galaxy S6 Edge.
Google describes the issues with Samsung's device as “high-impact”, meaning they are quite serious indeed. Flaws include script injections, driver issues, image parsing issues, permissions weaknesses and a directory traversal bug, which allows a file to be written in unexpected locations.
Google's Project Zero blog post goes in depth on each of the 11 security flaws found within the Galaxy S6 Edge. As of right now, most of them are actually fixed, but three tricky ones remain, including the script injection bug and two specific image parsing errors: “The majority of these issues were fixed on the device we tested via an OTA update within 90 days, though three lower-severity issues remain unfixed. It is promising that the highest severity issues were fixed and updated on-device in a reasonable time frame.”
This was all part of an internal contest between two of Google's Project Zero security teams. They chose the Galaxy S6 Edge as it is a decent example of a high-profile, recently released Android smartphone.
KitGuru Says: Google has been taking it upon itself to try and make devices more secure. It is good to see that Samsung was willing to work with Google and fix the major bugs within the 90-day limit before going public, though a few problems still remain. I do wonder if similar issues would carry over to Samsung's other devices as well.