The September Android security bulletin tackled critical- and high-severity flaws tied to 53 CVEs overall.
Google patched a critical vulnerability in the Media Framework of its Android functioning program, which if exploited could guide to distant code execution attacks on susceptible units.
In general, Google preset flaws tied to 53 CVEs as aspect of its September security updates for the Android running program, released on Tuesday. As part of this, Qualcomm, whose chips are employed in Android products, patched a blend of higher and critical-severity vulnerabilities tied to 22 CVEs.
“The most severe of these issues is a critical security vulnerability in the Media Framework part that could enable a distant attacker making use of a specifically crafted file to execute arbitrary code within just the context of a privileged method,” in accordance to the Android security update.
Android Media Framework contains aid for playing a wide variety of widespread media styles, so people can quickly benefit from audio, video clip and images. The flaw (CVE-2020-0245) makes it possible for RCE in Android versions 8., 8.1 and 9 – but that severity is reduced to “high” and the impression in its place is info disclosure for Android edition 10.
Over and above this critical-severity glitch, the Android Media Framework also features 5 other large-severity info disclosure flaws (CVE-2020-0381, CVE-2020-0383, CVE-2020-0384, CVE-2020-0385, CVE-2020-0393) and an elevation of privilege issue (CVE-2020-0392).
Two other critical vulnerabilities were patched, present in the Android System area. These integrated an RCE flaw (CVE-2020-0380) and facts disclosure flaw (CVE-2020-0396) that each influence Android versions 8., 8.1, 9 and 10.
These flaws could make it possible for “a remote attacker employing a specially crafted transmission to execute arbitrary code in just the context of a privileged procedure,” according to Google. The Procedure also consists of two higher-severity elevation of privilege faults (CVE-2020-0386, CVE-2020-0394) and an info disclosure (CVE-2020-0379) hole.
10 high-severity vulnerabilities also exist in the Android Framework, which is a set of APIs – consisting of system equipment and consumer interface style equipment – that allow for builders to rapidly and easily generate applications for Android phones. These include four elevation of privilege flaws (CVE-2020-0074, CVE-2020-0388, CVE-2020-0391, CVE-2020-0401) and 6 info disclosure faults (CVE-2020-0382, CVE-2020-0389, CVE-2020-0390, CVE-2020-0395, CVE-2020-0397, CVE-2020-0399).
Google also rolled out patches for flaws in various 3rd-get together factors in its Android ecosystem. These incorporate four large severity flaws impacting MediaTek elements (MediaTek and Google collaborate on Android TV’s Ultra High definition Tv platform) – which includes issues impacting the audio driver of Android Tv set.
Three superior-severity flaws in the Android kernel, in the meantime, consist of an elevation of privileges flaw in the storage subsystem (CVE-2020-0402) and a single in the USB driver (CVE-2020-0404), as well as an information disclosure flaw (CVE-2020-0407). Finally, 22 higher- and critical-severity flaws were fixed in Qualcomm components, including 5 flaws in the kernel. The remaining Qualcomm flaws ended up in closed-resource parts.
Manufacturers of Android products typically press out their possess patches to address updates in tandem with or soon after the monthly security bulletin. Samsung said in a September security release that it is releasing a number of of the Android security bulletin patches to important Samsung models. And, according to a bulletin, a security update for Pixel units, which run on Google’s Android working technique, is “coming before long.”
In August, Google unveiled patches addressing a higher-severity issue in its Framework element, which if exploited could enable distant code execution (RCE) on Android cellular products. General, 54 superior-severity flaws were being patched as element of Google’s August security updates.
On Wed Sept. 16 @ 2 PM ET: Learn the strategies to operating a thriving Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Working a Effective Bug Bounty Program“. Hear from top Bug Bounty Application experts how to juggle general public versus non-public systems and how to navigate the challenging terrain of controlling Bug Hunters, disclosure guidelines and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.
Some components of this write-up is sourced from: