Morioh
Login
Mitchel Carter

Mitchel Carter

3 years ago

Google has released patches addressing high-severity flaws in its System component. The flaws could be remotely exploited to gain access to additional permissions.

Overall, 50 flaws were patched as part of Google’s October security update for the Android operating system, released on Monday. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high- and critical-severity vulnerabilities tied to 22 CVEs.

Two elevation of privilege (EoP) issues, the most serious of the flaws, exist in the Android System component, the core of the operating system that’s on Android phones. These are two vulnerabilities (CVE-2020-0215 and CVE-2020-0416) that can be exploited remotely by an attacker using a specially crafted transmission. The flaws are fixed in Android versions 8.0, 8.1, 9, 10 and 11.

Also fixed in System are eight high-severity information-disclosure flaws (CVE-2020-0377, CVE-2020-0378, CVE-2020-0398, CVE-2020-0400, CVE-2020-0410, CVE-2020-0413, CVE-2020-0415 and CVE-2020-0422).

Three high-severity flaws also exist in the Media Framework (which offers support for playing a variety of common media types, so users can easily utilize audio, video and images). The three (CVE-2020-0213, CVE-2020-0411, CVE-2020-0414) could lead to remote information disclosure with no additional execution privileges needed.

Google also fixed five high-severity flaws in the Framework component, which is a set of APIs (consisting of system tools and user interface design tools) that allow developers to quickly and easily write apps for Android phones. These include two EoP flaws (CVE-2020-0420 and CVE-2020-0421), which enable a local malicious application to bypass user-interaction requirements in order to gain access to additional permissions. Three information-disclosure flaws (CVE-2020-0246, CVE-2020-0412, CVE-2020-0419) were also fixed.

Finally, Google fixed a high-severity EoP flaw (CVE-2020-0408) in Android runtime, the application runtime environment used by the Android OS. The vulnerability, which could enable a local attacker to execute arbitrary code within the context of an application that uses the library, was fixed in versions 8.0, 8.1, 9, 10 and 11.

Components

Google also rolled out patches for flaws in various third-party components in its Android ecosystem. One such flaw (CVE-2020-0423) exists in the kernel, which could enable a local attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. Also fixed were several MediaTek components, including ones affecting the keyinstall, widevine and ISP components.

Finally, 22 critical and high-severity flaws were addressed in Qualcomm components, including four high-severity flaws in the kernel component (CVE-2020-11125, CVE-2020-11162, CVE-2020-11173, CVE-2020-11174) and six critical flaws (CVE-2020-3654, CVE-2020-3657, CVE-2020-3673, CVE-2020-3692, CVE-2020-11154 and CVE-2020-11155) in “closed-source components.”

#vulnerabilities #web security #(cve-2020-0215 #android #android security update #cve-2020-0416 #elevation of privilege #framework #google #information disclosure #kernel #media framework #october 2020 #pixel #qualcomm #samsung

Google Rolls Out Fixes for High-Severity Android System Flaws

threatpost.com

Google Rolls Out Fixes for High-Severity Android System Flaws

Google has released patches addressing high-severity flaws in its System component. The flaws could be remotely exploited to gain access to additional permissions. Overall, 50 flaws were patched as part of Google's October security update for the Android operating system, released on Monday.

1.25 GEEK