With a bunch of security fixes released Vulnerability-related.PatchVulnerability and more on the way , details have been made public Vulnerability-related.DiscoverVulnerability of a Bluetooth bug that potentially allows miscreants to commandeer nearby devices . This Carnegie-Mellon CERT vulnerability advisory on Monday laid out Vulnerability-related.DiscoverVulnerability the cryptographic flaw : firmware or operating system drivers skip a vital check during a Diffie-Hellman key exchange between devices . The impact : a nearby eavesdropper could “ intercept and decrypt and/or forge and inject device messages ” carried over Bluetooth Low Energy and Bluetooth Basic Rate/Enhanced Data Rate ( BR/EDR ) wireless connections between gizmos . In other words , you can potentially snoop on supposedly encrypted communications between two devices to steal Attack.Databreach their info going over the air , and inject malicious commands . To pull this off , you must have been within radio range and transmitting while the gadgets were initially pairing . The bug 's status in Android is confusing : while it does n't appear in the operating system project 's July monthly bulletin , phone and tablet manufacturers like LG and Huawei list the bug as being patched Vulnerability-related.PatchVulnerability in the , er , July security update . Microsoft has declared itself in the clear . The CERT note says fixes are needed both in software and firmware , which should be obtained from manufacturers and developers , and installed – if at all possible . We 're guessing for random small-time Bluetooth gizmos , it wo n't be very easy to prise an update out of the vendors , although you should have better luck with bigger brand gear . So , make sure you 're patched via the usual software update mechanisms , or just look out for nearby snoops , and be ready to thwart them , when pairing devices . Manufacturers were warned in January , it appears , so have had plenty of time to work on solutions . Indeed , silicon vendor patches for CVE-2018-5383 are already rolling out Vulnerability-related.PatchVulnerability among larger gadget and device makers , with Lenovo and Dell posting updates Vulnerability-related.PatchVulnerability in the past month or so . Linux versions prior to 3.19 do n't support Bluetooth LE Secure Connections and are therefore not vulnerable , we 're told .

The chipmaker says the patches will arrive Vulnerability-related.PatchVulnerability within a few weeks and AMD device owners shouldn ’ t worry about the reported flaws Vulnerability-related.DiscoverVulnerability . AMD is addressing Vulnerability-related.PatchVulnerability several vulnerabilities discovered Vulnerability-related.DiscoverVulnerability in its Ryzen and EPYC chips , and rolling out Vulnerability-related.PatchVulnerability updates for millions of devices `` in the coming weeks . '' The 13 vulnerabilities came to public Vulnerability-related.DiscoverVulnerability attention clouded in controversy . The security company CTS Labs gave AMD less than 24 hours notice before releasing the information to the public . Standard vulnerability disclosure Vulnerability-related.DiscoverVulnerability practices call for giving companies at least 90 days ' notice so they can fix Vulnerability-related.PatchVulnerability the flaws before researchers go public Vulnerability-related.DiscoverVulnerability and hackers can start causing trouble . Had CTS Labs given AMD that same courtesy , the issues would have been addressed Vulnerability-related.PatchVulnerability within a week of the notification . `` Each of the issues cited can be mitigated Vulnerability-related.PatchVulnerability through firmware patches and a standard BIOS update , which we plan to release Vulnerability-related.PatchVulnerability in the coming weeks , '' said Sarah Youngbauer , AMD 's senior spokeswoman . `` We believe this provides a good example of why the more standard 90-day notification window for such notifications exist . '' In the original vulnerability report Vulnerability-related.DiscoverVulnerability , CTS Labs said that it would take `` several months '' to fix Vulnerability-related.PatchVulnerability the issues and that some hardware flaws `` cannot be fixed Vulnerability-related.PatchVulnerability . '' AMD disagreed with that timeline , and said it would provide more information in several weeks . The chipmaker said the issues were not with its hardware , but with firmware , or software that 's embedded in hardware . It 'll be sending Vulnerability-related.PatchVulnerability fixes for all 13 vulnerabilities through patches and BIOS updates . According to AMD 's technical assessment , each of the flaws required administrative access . `` Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research , '' Papermaster said in a statement . Critics also took issue with another aspect of the CTS Labs report , pointing out the legal disclaimer on the company 's website : `` You are advised that we may have , either directly or indirectly , an economic interest in the performance of the securities of the companies whose products are the subject of our reports . '' Last Wednesday , CTS Labs ' chief financial officer and co-founder , Yaron Luk-Zilberman , a former hedge fund manager , said it did n't have `` any investment ( long or short ) in Intel or AMD . ''

Merely a day after rolling out Vulnerability-related.PatchVulnerability the December 2018 security patch early , Samsung has now revealed Vulnerability-related.PatchVulnerability the details of the latest security maintenance release . The Galaxy Xcover 4 is the first smartphone to get Vulnerability-related.PatchVulnerability this update . Samsung will be releasing Vulnerability-related.PatchVulnerability the patch for more compatible devices in the coming weeks . It has detailed the contents of this patch as part of its monthly security maintenance release process . The update includes patches from Google for Android in addition to patches from Samsung for its custom software . The December 2018 security patch has fixes for six critical vulnerabilities discovered Vulnerability-related.DiscoverVulnerability in the Android operating system . The most severe vulnerability in the framework section could enable a malicious app to run unapproved code in the context of a privileged process . However , no moderate or low-risk vulnerabilities were required to be patched Vulnerability-related.PatchVulnerability in this latest security maintenance release . The update Vulnerability-related.PatchVulnerability does bring Vulnerability-related.PatchVulnerability quite a patches for 40 Samsung Vulnerabilities and Exposures ( SVE ) items . This includes a vulnerability in the Secure Folder app which could have allowed access without authentication . Another vulnerability in the app could have resulted in the exposure of the gallery app without authentication . Therefore , Samsung will now get down to the business of rolling out Vulnerability-related.PatchVulnerability the December 2018 security patch to supported devices . We should expect some handsets to start receiving it within the next few days . The company may start rolling it out to high-end devices first .

Merely a day after rolling out Vulnerability-related.PatchVulnerability the December 2018 security patch early , Samsung has now revealed Vulnerability-related.PatchVulnerability the details of the latest security maintenance release . The Galaxy Xcover 4 is the first smartphone to get Vulnerability-related.PatchVulnerability this update . Samsung will be releasing Vulnerability-related.PatchVulnerability the patch for more compatible devices in the coming weeks . It has detailed the contents of this patch as part of its monthly security maintenance release process . The update includes patches from Google for Android in addition to patches from Samsung for its custom software . The December 2018 security patch has fixes for six critical vulnerabilities discovered Vulnerability-related.DiscoverVulnerability in the Android operating system . The most severe vulnerability in the framework section could enable a malicious app to run unapproved code in the context of a privileged process . However , no moderate or low-risk vulnerabilities were required to be patched Vulnerability-related.PatchVulnerability in this latest security maintenance release . The update Vulnerability-related.PatchVulnerability does bring Vulnerability-related.PatchVulnerability quite a patches for 40 Samsung Vulnerabilities and Exposures ( SVE ) items . This includes a vulnerability in the Secure Folder app which could have allowed access without authentication . Another vulnerability in the app could have resulted in the exposure of the gallery app without authentication . Therefore , Samsung will now get down to the business of rolling out Vulnerability-related.PatchVulnerability the December 2018 security patch to supported devices . We should expect some handsets to start receiving it within the next few days . The company may start rolling it out to high-end devices first .

It ’ s a new month which means another security patch from Google has been released Vulnerability-related.PatchVulnerability and it ’ s currently rolling out Vulnerability-related.PatchVulnerability to Pixel and select Nexus devices . The September 5 , 2018 patch includes fixes for almost 60 vulnerabilities that were found Vulnerability-related.DiscoverVulnerability in the AOSP repository . The update also includes in-car Bluetooth performance improvements for Pixel devices . Google resolved Vulnerability-related.PatchVulnerability 24 problems on September 1 , 2018 , and patched Vulnerability-related.PatchVulnerability an additional 35 on September 5 , 2018 . Before the patch , a remote attacker could execute arbitrary code using a “ specially crafted file … within the context of a privileged process. ” Fortunately , just like with most issues that ’ re fixed Vulnerability-related.PatchVulnerability through security patches , Google states that it has not received a single report of an attacker using this vulnerability to harm a customer . In addition to the security fixes , Google has listed some of the improvements this update brings to its handsets : Improve battery charge in Retail Mode ( Pixel 2 , Pixel 2 XL ) Improve SW Version reporting ( Pixel , Pixel XL , Pixel 2 , Pixel 2 XL ) Improve audio quality over car speakers ( Pixel , Pixel XL , Pixel 2 , Pixel 2 XL ) If you don ’ t want to wait for the September security patch to make its way to your phone , you can download the latest factory image or OTA file from the links below . From there , you can either flash a fresh build to your phone or sideload the OTA update . And in usual Essential fashion , the company has begun rolling out Vulnerability-related.PatchVulnerability the September security patch to the Essential Phone within hours of it becoming available for Google ’ s hardware . On top of the fixed vulnerabilities , Essential states that the update includes various audio and accessibility fixes .

It ’ s a new month which means another security patch from Google has been released Vulnerability-related.PatchVulnerability and it ’ s currently rolling out Vulnerability-related.PatchVulnerability to Pixel and select Nexus devices . The September 5 , 2018 patch includes fixes for almost 60 vulnerabilities that were found Vulnerability-related.DiscoverVulnerability in the AOSP repository . The update also includes in-car Bluetooth performance improvements for Pixel devices . Google resolved Vulnerability-related.PatchVulnerability 24 problems on September 1 , 2018 , and patched Vulnerability-related.PatchVulnerability an additional 35 on September 5 , 2018 . Before the patch , a remote attacker could execute arbitrary code using a “ specially crafted file … within the context of a privileged process. ” Fortunately , just like with most issues that ’ re fixed Vulnerability-related.PatchVulnerability through security patches , Google states that it has not received a single report of an attacker using this vulnerability to harm a customer . In addition to the security fixes , Google has listed some of the improvements this update brings to its handsets : Improve battery charge in Retail Mode ( Pixel 2 , Pixel 2 XL ) Improve SW Version reporting ( Pixel , Pixel XL , Pixel 2 , Pixel 2 XL ) Improve audio quality over car speakers ( Pixel , Pixel XL , Pixel 2 , Pixel 2 XL ) If you don ’ t want to wait for the September security patch to make its way to your phone , you can download the latest factory image or OTA file from the links below . From there , you can either flash a fresh build to your phone or sideload the OTA update . And in usual Essential fashion , the company has begun rolling out Vulnerability-related.PatchVulnerability the September security patch to the Essential Phone within hours of it becoming available for Google ’ s hardware . On top of the fixed vulnerabilities , Essential states that the update includes various audio and accessibility fixes .

Researchers say Vulnerability-related.DiscoverVulnerability several Motorola handset models are vulnerable Vulnerability-related.DiscoverVulnerability to a critical kernel command line injection flaw that could allow a local malicious application to execute arbitrary code on the devices . The two affected Motorola models are the Moto G4 and Moto G5 . The warnings Vulnerability-related.DiscoverVulnerability come from Aleph Research which said Vulnerability-related.DiscoverVulnerability it found Vulnerability-related.DiscoverVulnerability the vulnerability on up-to-date handsets running the latest Motorola Android bootloader . Motorola said patches to fix Vulnerability-related.PatchVulnerability the vulnerability in both devices are expected this month . “ Exploiting the vulnerability allows the adversary to gain an unrestricted root shell . ( And more ! ) , ” wrote Roee Hay , manager of Aleph Research . He said Vulnerability-related.DiscoverVulnerability vulnerable versions of the Motorola Android bootloader allow for a kernel command-line injection attack . The vulnerability ( CVE-2016-10277 ) is the same one found Vulnerability-related.DiscoverVulnerability by Aleph Research earlier this year and fixed Vulnerability-related.PatchVulnerability by Google in May , impacting Vulnerability-related.DiscoverVulnerability the Nexus 6 Motorola bootloader . “ By exploiting the vulnerability , a physical adversary or one with authorized USB fastboot access to the device could break the secure/verified boot mechanism , allowing him to gain unrestricted root privileges , and completely own the user space by loading a tampered or malicious image , ” wrote Hay . Despite the fact the vulnerability had been patched Vulnerability-related.PatchVulnerability for the Nexus 6 , Hay said the Moto G4 and G5 were still vulnerable Vulnerability-related.DiscoverVulnerability to the same kernel command line injection flaw . “ In the previous blog post , we suggested that CVE-2016-10277 could affect Vulnerability-related.DiscoverVulnerability other Motorola devices . After receiving a few reports on Twitter that this was indeed the case we acquired a couple of Motorola devices , updated to the latest available build we received over-the-air , ” the researcher wrote on Wednesday . Motorola told Threatpost via a statement that , “ A patch will begin rolling out Vulnerability-related.PatchVulnerability for Moto G5 within the next week and will continue until all variants are updated Vulnerability-related.PatchVulnerability . The patch for Moto G4 is planned to start deployment Vulnerability-related.PatchVulnerability at the end of the month and will continue until all variants are updated Vulnerability-related.PatchVulnerability . ” Researchers were able to trigger the vulnerability on the Moto devices by abusing the Motorola bootloader download functionality in order to swap in their own malicious initramfs ( initial RAM file system ) at a known physical address , named SCRATCH_ADDR . “ We can inject a parameter , named initrd , which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address , ” the researcher wrote . Next , using malicious initramfs to load into a customized boot process they were able to gain root shell access to the device . Hay ’ s research into the Motorola bootloaders began in January when he identified Vulnerability-related.DiscoverVulnerability a high-severity vulnerability ( CVE-2016-8467 ) impacting Vulnerability-related.DiscoverVulnerability Nexus 6/6P handsets . That separate vulnerability allowed attackers to change the bootmode of the device , giving access to hidden USB interfaces . Google fixed Vulnerability-related.PatchVulnerability the issue by hardening the bootloader and restricting it from loading custom bootmodes . “ Just before Google released Vulnerability-related.PatchVulnerability the patch , we had discovered Vulnerability-related.DiscoverVulnerability a way to bypass it on Nexus 6 , ” Hay said in May of the second CVE-2016-10277 vulnerability . In an interview with Hay by Threatpost he said Vulnerability-related.DiscoverVulnerability , “ Yes , they are both bootloader vulnerabilities . The CVE-2016-10277 can be considered a generalization of CVE-2016-8467 , but with a much stronger impact , ” he said Vulnerability-related.DiscoverVulnerability .