News

October Android update fixes critical RCE vulnerabilities

Google has released patches for three critical RCE vulnerabilities in the Android OS multimedia libraries (Media framework). Exploiting these vulnerabilities allows an attacker remotely execute a code, but the October Android update seems to fix them.

In total, the October patch set for Android covers almost three dozen vulnerabilities of high and critical severity levels, 17 of them in Qualcomm components.

“The greatest danger is a critical vulnerability in the Media framework component, which allows, using a specially created file, remotely execute arbitrary code in the context of a privileged process. We did not receive notifications about the active exploitation of new vulnerabilities or abuse”, – said in a Google Newsletter.

Three critical vulnerabilities in the Android multimedia application framework (CVE-2019-2184, CVE-2019-2185, CVE-2019-2186) are especially dangerous for OS versions 7.1.1, 7.1.2, 8.0, 8.1 and 9.

In the Framework component, was patched a privilege escalation bug (CVE-2019-2173 of a high degree of danger, “allowing a local malicious application to bypass user interaction requirements and gain access to additional permissions.”

Read also: Canonical releases major updates to Linux kernel in Ubuntu

Two other equally dangerous vulnerabilities were fixed in the components of the System level (CVE-2019-2114 and CVE-2019-2187). One of them is similar to CVE-2019-2173, the other threatens to disclose confidential information.

Eight vulnerabilities in Qualcomm’s closed source components are recognized as critical. They affect various company developments: the QuRT real-time kernel (CVE-2018-13916), the multimode call processing processor (CVE-2019-2271), the boot mechanism (CVE-2019-2251), etc.

The initial version of the newsletter on new Android patches did not contain information about the recently announced 0-day bug, which attackers are already using in attacks. According to the authors of the find, the vulnerability registered as CVE-2019-2215 allows root access to mobile devices of 18 models, including Pixel and gadgets Samsung, Huawei and Xiaomi.

The day after publication, Google updated the newsletter, adding to the list of vulnerability CVE-2019-2215. According to the developer, it contains Binder, a kernel component that provides interprocess communication. With its help, an already downloaded malicious application will be able to execute any code in the context of a privileged process.

Vulnerability CVE-2019-2215 is also mentioned in the new Pixel bulletin. It says that Pixel 1 and 2 will receive the corresponding patch as part of the October update, and Pixel 3 and 3a this problem does not affect.

Other Android device manufacturers typically release their security bulletins at the same time as Google or later. Samsung’s October announcement lists new critical vulnerabilities in the Media framework; patches for them are already included in the updates for the company’s Android devices.

The bugs CVE-2019-2184, CVE-2019-2185 and CVE-2019-2186 are also listed in the LG bulletin, along with three dozen other vulnerabilities, mostly of a high degree of danger. Threatpost also sent a request to Nokia to share its plans in connection with the release of new patches for Android.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

Back to top button