Yesterday we reported that select Samsung handsets running the company’s TouchWiz UI were affected by a flaw that could allow them to be remotely wiped after the user clicked on a malicious link. Samsung has now confirmed it has patched the flaw for its flagship Galaxy SIII handset.
Samsung is urging Galaxy SIII owners to update to the latest version of its software to ensure they are protected against the flaw. Here’s Samsung’s official statement:
“We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update. We recommend all GALAXY S III customers to download the latest software update, which can be done quickly and easily via the Over-The-Air (OTA) service.”
Handsets vulnerable to the exploit also included the Galaxy S II series, the Galaxy S Advance, Galaxy Beam, and Galaxy Ace.
We’re asking Samsung to confirm whether it has released patches for all affected handsets.
The problem apparently lies with how Samsung’s TouchWiz dialer handles USSD codes, and with how the stock browser handles the “tel:” protocol. As well as dodgy links, it can be triggered by scanning a malicious QR code.
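To make the “tel:” and USSD point concrete, here is an added example (not from Samsung or the researcher, and not part of the original report): a JavaScript check that a browser extension or QR scanner could run on a link or decoded QR payload before handing it to the dialer. The function name and sample inputs are hypothetical and constructed; treating any `*` or `#` in the number as a USSD/MMI code is this example's assumption.

```javascript
// Added example: decide whether a link or QR payload is a plain phone
// number or something that should not be dialled without asking the user.
// classifyTelUri is a hypothetical helper, not a platform API.
function classifyTelUri(raw) {
  const input = String(raw).trim();
  const m = /^tel:(.*)$/is.exec(input); // scheme names are case-insensitive
  if (!m) return { scheme: false, risky: false, reason: "not a tel: URI" };

  // Decode percent-escapes a bounded number of times so that %23 or a
  // double-encoded %2523 cannot hide a '#'.
  let body = m[1];
  for (let i = 0; i < 3; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(body);
    } catch {
      return { scheme: true, risky: true, reason: "malformed percent-encoding" };
    }
    if (decoded === body) break;
    body = decoded;
  }

  // Drop RFC 3966 parameters (;ext=, ;phone-context=) and visual separators.
  const number = body.split(";")[0].replace(/[\s().-]/g, "");

  if (/[*#]/.test(number)) {
    return { scheme: true, risky: true, reason: "contains USSD/MMI characters (* or #)" };
  }
  // Fail closed: anything that is not digits with an optional leading '+'.
  if (!/^\+?\d+$/.test(number)) {
    return { scheme: true, risky: true, reason: "not a plain phone number" };
  }
  return { scheme: true, risky: false, reason: "plain phone number" };
}

// Constructed sample inputs (the USSD-style code is a made-up placeholder).
const samples = [
  "tel:+49-30-1234567",
  "TEL:*100%23",
  "tel:%2A100%2523",
  "https://example.com/",
];
for (const s of samples) {
  const r = classifyTelUri(s);
  console.log(s, "->", r.risky ? "BLOCK/CONFIRM" : "ok", "(" + r.reason + ")");
}
```

A caller would show a confirmation prompt, or refuse outright, whenever `risky` is true instead of passing the string to the dialer.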
The vulnerability came to light at a recent security conference in Argentina, demoed by Technical University Berlin researcher Ravi Borgaonkar.