Yesterday we learned about a potentially nasty situation brewing with the software on many Samsung Androids, as a vulnerability discovered in the SwiftKey-designed keyboard such phones shipped with could present an attacker with the opportunity to sneak some malicious code onto the handsets. And despite the security researchers having notified Samsung late last year, it wasn’t clear just which, if any, phones had been patched to address the issue. We asked Samsung just what was going on in its efforts to patch the hole, and today the company’s issued a statement explaining what it’s up to.
From the sound of things, while the vulnerability hasn’t been fixed just yet, it’s going to be very soon. As the company explains, “Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days.”
Rather than issuing a full firmware update that could involve weeks of testing for each model, not to mention delays caused by carrier approval, the Knox security subsystem on Samsung phones gives the manufacturer a quick way to address situations just like this one. When that Knox policy update arrives in the next few days, Samsung phones should find themselves secure against this keyboard-software attack.
Samsung continues with its statement, “In addition to the security policy update, we are also working with Swiftkey to address potential risks going forward.” Sounds like a smart move to us.