I dabble in Android security myself, I just want to point out that every single app I have encountered that Trend Micro flagged has been a false positive warning about an exploit that isn't actually present. The cause of this appears to be that those apps include files or snippets of code also used by some well known exploits, but by themselves are not harmful. Rookie mistake.

Note that if you search well, you will find various security folk slamming Trend Micro all over the place. As such, I wouldn't put too much faith in whatever Trend Micro has published, they don't exactly appear up to speed on matters.

After some further investigation, it seems all these exploits are fixed in the latest 4.2 leaked firmware for the SGS3, so ... they're actually fixed, just maybe not rolled out yet.

The Exynos memory bug (often referred to as ExynosAbuse exploit) was released publicly and fixed rather quickly. This seems to be the way for Samsung - responsible disclosure just doesn't work with them. This has been proven time and again.

See comment subject. Doesn't come with Windows 8. Guaranteed.

So, what you're saying is, you agree with my first point, but to put my comment into perspective, you're going to state exactly my second point ?

As is always the case with /., if the subject is a question, the answer is no.

Unless you let enough time pass, then the answer to this case is most certainly yes. Nobody knows how much time that would be, though.

I may have completely misunderstood what this is about, but you can actually build the SDK from the Android source available through repo/git. You do not need to agree to any license terms beforehand to do this. Does this not work around the entire issue that TFA is complaining about ?

If not, kindly elaborate.

Who said anything about rushing ? That specific problem has been known for a long time, and most affected devices have received several updates since then. The fix is literally a one-liner in the kernel source, disabling "secure erase". When a user "resets to factory settings" (e.g. wipe all user data) the device performs an erase command. Somewhere in Android 3.x or 4.0 Google changed the default behavior from normal erase to a secure erase. The eMMC chips Samsung used were never properly tested for this, and due to a bug in the firmware of said eMMC chips, the flash memory would be corrupted during a secure erase, rendering the device completely unusable.

It's pretty much a jackpot affair, you hit the factory reset button, x% chance you end up with a full brick. Custom firmware users were much more likely to run into this because often a custom firmware would perform a factory reset upon installation - and a normal user would rarely use this function. But you did not need to run any custom software for this - it can happen on a fully original device without any modifications or even apps installed.

A few months ago, Samsung finally issued a fix - but this fix disabled secure erase being triggered by the format command itself, instead of disabling secure erase in the actual kernel. As a result, custom firmware users would still brick left and right, due to using Google-private update binaries that did not have this call disabled. They put a band-aid on the issue instead of actually fixing it (a one-liner to disable "secure erase" at kernel level (because it never actually works correctly) and revert to "normal erase" always).

Now, I have discussed these issues in person with high-level Samsung engineers, and in their opinion, how they fixed it is correct - even though an exploit like the one presented in this article allows a malicious attacker to hard-brick your device at will, thanks to this eMMC bug. Incidentally, that is exactly what I myself, as well as a number of other developers from the enthusiast community, have kept telling Samsung: with the current solution, all you need is an exploit and a viral app, and you could well end up with millions of hard-bricks.

Note that Samsung does usually warranty on a full hard-brick, so it doesn't have to be a real problem for the end-user, but if this got out of hand, it could easily cost Samsung millions and millions of dollars in repair costs. Just because it hasn't happened yet and it really is not that likely it will occur, it is certainly possible.

This is not a hardware design flaw. Whatever makes you think that ? The reason it affects so many Exynos4 devices is because the exploitable code is present in the main code they base most Exynos4 Android firmwares on. It's certainly fixable by Samsung.

"although it would have been nice if he reported it to Samsung a little in advance of the release of the problem"

While that would have been nice, it is very debatable if it is wise. With Samsung, you just don't know. Security holes have been reported to Samsung that have been fixed nigh instantly, while other well known problems that can cause hard-bricks (device becomes a non-recoverable paperweight) on various devices have been known for almost a year - including the fixes - and the issue is still present in the latest firmwares.

And in the exploit author's defense (as if needed), he actually says somewhere he didn't know whom to contact so he just put it on XDA, assuming it would somehow get to the right people. And even though it is weekend, I'm sure various Samsung engineers on the right levels are aware of the problem :) The not knowing who to contact thing is a valid issue - if you don't have any "ins" at Samsung, it's actually pretty hard getting this kind of information to the right people.

Strangely, TFA makes no mention of an app built to actually use this exploit to install SuperSU (root access management app): http://forum.xda-developers.com/showthread.php?t=2050297 - i.e. what most users consider getting rooted.

Of course, this exploit can be used by any app, and a user can use the core exploit manually to install SuperSU (or Superuser) to let Play apps that need root (but don't contain this exploit ;)), but the linked method does all the work for you already.

As is the rule with "Ask Slashdot", the answer to the question is "no".

I haven't had a dedicated desk phone in years. Lots of people don't even have their own desks anymore. Skype/IM or if really needed many companies (at least over here) will give you a smartphone just for work purposes.

All Nexus devices can be rooted in 30 seconds or less .... by design.