The most serious bugs are elevation-of-privilege issues in the Android System component (CVE-2020-0215 and CVE-2020-0416).
Google has released patches addressing high-severity flaws in its System component. The flaws could be remotely exploited to gain access to additional permissions.
Overall, 50 flaws were patched as part of Google’s October security update for the Android operating system, released on Monday. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high- and critical-severity vulnerabilities tied to 22 CVEs.
Two elevation-of-privilege (EoP) issues, the most serious of the flaws, exist in the Android System component, the core of the operating system on Android phones. These two vulnerabilities (CVE-2020-0215 and CVE-2020-0416) can be exploited remotely by an attacker using a specially crafted transmission. The flaws are fixed in Android versions 8.0, 8.1, 9, 10 and 11.
Also fixed in System are 8 high-severity information-disclosure flaws (CVE-2020-0377, CVE-2020-0378, CVE-2020-0398, CVE-2020-0400, CVE-2020-0410, CVE-2020-0413, CVE-2020-0415 and CVE-2020-0422).
Three high-severity flaws also exist in the Media Framework (which provides support for playing a variety of common media types, so users can easily use audio, video and images). The three (CVE-2020-0213, CVE-2020-0411, CVE-2020-0414) could lead to remote information disclosure with no additional execution privileges needed.
Google also fixed 5 high-severity flaws in the Framework component, which is a set of APIs (consisting of system tools and user interface design tools) that allow developers to quickly and easily write applications for Android phones. These include two EoP flaws (CVE-2020-0420 and CVE-2020-0421), which enable a local malicious application to bypass user-interaction requirements in order to gain access to additional permissions. Three information-disclosure flaws (CVE-2020-0246, CVE-2020-0412, CVE-2020-0419) were also fixed.
Finally, Google fixed a high-severity EoP flaw (CVE-2020-0408) in Android runtime, the application runtime environment used by the Android OS. The vulnerability, which could allow a local attacker to execute arbitrary code within the context of an application that uses the library, was fixed in versions 8.0, 8.1, 9, 10 and 11.
Google also rolled out patches for flaws in various third-party components in its Android ecosystem. One such flaw (CVE-2020-0423) exists in the kernel and could allow a local attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. Also fixed were several MediaTek components, including ones affecting the keyinstall, widevine and ISP components.
Lastly, 22 critical and high-severity flaws were addressed in Qualcomm components, including four high-severity flaws in the kernel component (CVE-2020-11125, CVE-2020-11162, CVE-2020-11173, CVE-2020-11174) and 6 critical flaws (CVE-2020-3654, CVE-2020-3657, CVE-2020-3673, CVE-2020-3692, CVE-2020-11154 and CVE-2020-11155) in “closed-source components.”
Manufacturers of Android devices typically push out their own patches in tandem with or after the Google Security Bulletin. Samsung said in an October Android Security Update that it is releasing a number of patches, including those addressing critical flaws CVE-2019-13994, CVE-2020-3634, CVE-2019-10629, CVE-2019-10628 and CVE-2020-3621 that affect major Samsung models.
Also, a separate bulletin said a security update for Pixel devices is “coming quickly.”
Android has faced various security issues in the past. In August, for instance, Google released patches addressing a high-severity issue in its Framework component, which if exploited could enable remote code execution (RCE) on Android mobile devices.