Yes, you read that right: it’s time to patch your servers, your phones and your IoT devices for the same vulnerability.
The reason for this need to patch broadly is a new vulnerability in the Linux kernel (CVE-2016-0728) that was discovered by the Perception Point Research Team. The kernel is the core of the Linux operating system and so is present in everything that runs Linux. Since Linux powers not just servers but also Android phones and devices and many IoT devices, a Linux kernel vulnerability has broad-reaching consequences.
This particular vulnerability is a local elevation of privilege vulnerability. In itself, that’s not a critical issue. But local elevation of privilege vulnerabilities can be used in conjunction with other vulnerabilities, especially in apps and applications, to mount more serious attacks.
The Perception Point Research Team notes that this vulnerability affects around 66 percent of Android devices. It’s unknown how broadly this affects IoT devices.
The most important thing about Android and IoT devices once again is the updating story. Most of the Android and IoT devices that are vulnerable to this will never be fixed and so will always be vulnerable.
The Linux kernel has been updated to address this vulnerability and patches are being built and distributed for the major Linux distributions, so you should update your servers when you can.
But for your vulnerable Android phone/devices and IoT devices, once again you have to see if there’s a viable update story or not.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.