Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Tsepz

macrumors 601
Original poster
Jan 24, 2013
4,891
4,699
Johannesburg, South Africa
If you have an update available do it ASAP on your Samsungs!
The monthly security updates from Samsung have started rolling out. If you own a Samsung smartphone that was sold from late 2014 onward, you'd better hope that update hits your device soon. Why so? Only the small matter of a "perfect 10" critical security vulnerability that can enable arbitrary remote code execution (RCE) if exploited. Oh yes, and that arbitrary RCE can happen without any user interaction needed, as this is a "zero-click" vulnerability. And if you think that sounds pretty serious, and it is, there's more to come: the vulnerability affects every Galaxy smartphone that Samsung has made from late 2014 onward.

 
If you have an update available do it ASAP on your Samsungs!


Damn. It’s a shame that people who have the smarts and knowledge to create this kind of thing don’t put their brainpower toward helping people instead of all this malicious behavior. If I were smart and educated enough that I could create something like this, I’d want to use those gifts to make the world a better place, not mess about in some poor shmuck’s phone. Jeez.

One thing I didn’t quite understand from that article was if this thing propagates from within the Samsung MMS app, is it contained safely within if you don’t open that message? They’re describing it as a zero click exploit. So I’m guessing once it’s in your messages it doesn’t matter if you ignore it or not.

I did recently get an update. I get so many updates so I don’t know even which one I’m on. I guess I should read the notes to see what’s being fixed. Sometimes I do, sometimes I don’t.

Thanks for passing along this warning.
 
Whoopsie.
I do hope we get an update from Samsung and see what they say. Sometimes news like this get abandoned so quickly that we never see anymore updates other than the initial reporting.
 
Damn. It’s a shame that people who have the smarts and knowledge to create this kind of thing don’t put their brainpower toward helping people instead of all this malicious behavior. If I were smart and educated enough that I could create something like this, I’d want to use those gifts to make the world a better place, not mess about in some poor shmuck’s phone. Jeez.

One thing I didn’t quite understand from that article was if this thing propagates from within the Samsung MMS app, is it contained safely within if you don’t open that message? They’re describing it as a zero click exploit. So I’m guessing once it’s in your messages it doesn’t matter if you ignore it or not.

I did recently get an update. I get so many updates so I don’t know even which one I’m on. I guess I should read the notes to see what’s being fixed. Sometimes I do, sometimes I don’t.

Thanks for passing along this warning.

Yeah, the big problem with this exploit will be the people in lesser supported regions that get updates late. A mate of mine has a Note10+ and on his network it seems they are about 2 patches behind. My S7 Edge and Note8 are also behind so all 3 of our Samsung devices are vulnerable.

Luckily I do not use the S7 Edge and Note8 anymore, but those that do are in a bit of trouble.

Hopefully Samsung finds a way to get this done properly, but I have my doubts about all regions and networks being patched before end of this month.
 
  • Wow
Reactions: 5105973
Yeah, the big problem with this exploit will be the people in lesser supported regions that get updates late. A mate of mine has a Note10+ and on his network it seems they are about 2 patches behind. My S7 Edge and Note8 are also behind so all 3 of our Samsung devices are vulnerable.

Luckily I do not use the S7 Edge and Note8 anymore, but those that do are in a bit of trouble.

Hopefully Samsung finds a way to get this done properly, but I have my doubts about all regions and networks being patched before end of this month.
Even in the US, I could not get any support for an unlocked S7. Thank goodness they now support unlocked phones, but it sure took them long enough!
 
  • Like
Reactions: Tsepz
Are there any updates on this? Any news about Samsung's response? Seems irresponsible for Forbes to report something as serious as this and then never do any follow up.

Interesting that no other channels of tech reviewers are talking about this, at least the ones I followed. Heck, the stupid Apple Mac Pro wheels are getting more coverage than this.
 
Are there any updates on this? Any news about Samsung's response? Seems irresponsible for Forbes to report something as serious as this and then never do any follow up.

Interesting that no other channels of tech reviewers are talking about this, at least the ones I followed. Heck, the stupid Apple Mac Pro wheels are getting more coverage than this.

ZDnet and 9to5Google also covered this:






PhoneArena has also covered it and then deleted the post, lol, who knows what happened there though. I think some of the blogs are trying to limit coverage due to the severity and the fact that most phones have not been patched nobody wants to be responsible for leading hackers to the exploit.
 
The linked article talks about the hacker needing to send like 50 to 300 MMS to someone to be successful. I'm not concerned about this.
 
  • Like
Reactions: jamezr
The linked article talks about the hacker needing to send like 50 to 300 MMS to someone to be successful. I'm not concerned about this.
Many security vulnerabilities are that, requiring certain things to happen.
Doesn't mean it should not be fixed, especially if it's affecting such a huge number of devices, from a tier 1 company like Samsung. It's very ignorant to dismiss this just because it's of no concern for you. :(
 
I have a galaxy S5 which was released in 2014. I don't use it for anything sensitive such as financial transactions because it hasn't received an update in years. I dont think it will get this security update.
 
The linked article talks about the hacker needing to send like 50 to 300 MMS to someone to be successful. I'm not concerned about this.
yeah the stars have to align just right for this exploit to happen. Sure it should get patched...but the risk here is pretty damn low. The exploit itself is more clickbait material than a risk to the general public.

First they have a reason to target you in the first place or find you among the gazilion devices out there.
Samsung Messages app, Qmage files could exploit Skia and bypass Android’s Address Space Layout Randomization protection. This attack takes multiple MMS messages since it takes time for the file to “guess” where the Skia is located. Once it is found, though, a final message can execute the attacker’s code.

The process generally takes around 100 minutes and between 50 and 300 messages to complete.
 
Last edited:
True, all the stars need to align. Which is why most users never update or upgrade until their contract is done. I mean many don't even know they need to update their phone. We are the crazy ones who keep checking every day!;)
 
Seems straightforward to mitigate. Just disable stock Samsung message, mail, browser, etc. apps and use different ones as default like Google Messages, Chrome, etc. Tried sending a .qmg file via MMS in Hangouts and it won't even accept the format. Chrome doesn't allow opening it either. Gmail doesn't yet filter .qmg but I don't think it auto previews.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.