Google updates its mobile OS, fixing ten critical bugs, including one remote code execution flaw.
Google patched ten critical bugs as part of its December Android Security Bulletin. The worst of the bugs was tied to the Android media framework component and gives attackers remote control of vulnerable handsets.
Google did not disclose the technical details of the critical flaw, tracked as CVE-2020-0458, and will most likely not do so until a vast majority of handsets are patched. The other nine critical bugs plugged this month by Google are tied to the underlying Qualcomm chipsets and accompanying firmware, prevalent on most Android phones.
The critical Qualcomm bugs fixed were each rated 9.8 out of 10 in severity, using the standard CVSS rating. Eight of these flaws were tied to the vendor’s subsystem software that controls audio. Another bug, tracked as CVE-2020-11225, is tied to the Qualcomm Wi-Fi radio’s WLAN host communication component.
Bug descriptions are available via Qualcomm’s own December 2020 Security Bulletin, posted Monday. Several of these critical flaws were identified as buffer-overflow bugs and buffer over-read vulnerabilities.
One of the audio flaws, tracked as CVE-2020-11137, is identified as a “buffer over-read issue in audio” that could be exploited remotely, according to Qualcomm. It wrote that an attacker can create conditions for an “integer multiplication overflow resulting in lower buffer size allocation than expected [which] leads to memory access out of bounds resulting in possible device instability.”
The Wi-Fi bug is triggered when the chip is forced to “buffer copy without checking size of input in WLAN”. The result is conditions ripe for a “classic buffer overflow” attack. This type of attack occurs when an adversary floods a program with too much data. “The extra data corrupts nearby space in memory. If attackers know the memory layout of a program, they can intentionally feed input that the buffer cannot store, and overwrite areas that hold executable code, replacing it with their own code,” explains Imperva.
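The two bug classes described above, an integer multiplication overflow that shrinks an allocation and a copy that skips the size check, shown beside their checked forms. This is an added illustration, not code from Qualcomm or the original article; the frame layout, function names and sample values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout: `count` frames of `frame_size` bytes each. */

/* Flawed pattern: the 32-bit product wraps modulo 2^32, so the computed
 * allocation size can be far smaller than the data it is meant to hold. */
static uint32_t unchecked_size(uint32_t count, uint32_t frame_size)
{
    return count * frame_size;
}

/* Hardened pattern: reject any pair whose product does not fit in 32 bits.
 * Returns 0 and stores the size in *out on success, -1 on overflow. */
static int checked_size(uint32_t count, uint32_t frame_size, uint32_t *out)
{
    if (frame_size != 0 && count > UINT32_MAX / frame_size)
        return -1;
    *out = count * frame_size;
    return 0;
}

/* Copy with the size check the WLAN description says was missing:
 * refuse input longer than the destination instead of writing past it. */
static int bounded_copy(uint8_t *dst, size_t dst_cap,
                        const uint8_t *src, size_t len)
{
    if (len > dst_cap)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from any real device. */
    uint32_t count = 0x10000, frame_size = 0x10001, size = 0;
    uint8_t dst[8], src[16] = {0};

    printf("unchecked size: %u bytes\n", (unsigned)unchecked_size(count, frame_size));
    printf("checked size:   %s\n",
           checked_size(count, frame_size, &size) ? "rejected" : "accepted");
    printf("16-byte copy into 8-byte buffer: %s\n",
           bounded_copy(dst, sizeof dst, src, sizeof src) ? "rejected" : "copied");
    return 0;
}
```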
Qualcomm credited a number of researchers for finding the vulnerabilities, including Haikuo Xie of Huawei Security, Ying Wang of Baidu Security Lab, and Jun Yao (姚俊) (@_2freeman) and Guang Gong (@oldfresher) of 360 Alpha Lab working with 360 BugCloud. Other credited bug hunters included Ben Hawkes of Google Project Zero and researcher Nick Landers.