Google has released patches addressing high-severity flaws in its System component. The flaws could be remotely exploited to gain access to additional permissions. Overall, 50 flaws were patched as part of Google's October security update for the Android operating system, released on Monday.
Google has released patches addressing high-severity flaws in its System component. The flaws could be remotely exploited to gain access to additional permissions.
Overall, 50 flaws were patched as part of Google’s October security update for the Android operating system, released on Monday. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high- and critical-severity vulnerabilities tied to 22 CVEs.
Two elevation of privilege (EoP) issues, the most serious of the flaws, exist in the Android System component, the core of the operating system that’s on Android phones. These are two vulnerabilities (CVE-2020-0215 and CVE-2020-0416) that can be exploited remotely by an attacker using a specially crafted transmission. The flaws are fixed in Android versions 8.0, 8.1, 9, 10 and 11.
Also fixed in System are eight high-severity information-disclosure flaws (CVE-2020-0377, CVE-2020-0378, CVE-2020-0398, CVE-2020-0400, CVE-2020-0410, CVE-2020-0413, CVE-2020-0415 and CVE-2020-0422).
Three high-severity flaws also exist in the Media Framework (which offers support for playing a variety of common media types, so users can easily utilize audio, video and images). The three (CVE-2020-0213, CVE-2020-0411, CVE-2020-0414) could lead to remote information disclosure with no additional execution privileges needed.
Google also fixed five high-severity flaws in the Framework component, which is a set of APIs (consisting of system tools and user interface design tools) that allow developers to quickly and easily write apps for Android phones. These include two EoP flaws (CVE-2020-0420 and CVE-2020-0421), which enable a local malicious application to bypass user-interaction requirements in order to gain access to additional permissions. Three information-disclosure flaws (CVE-2020-0246, CVE-2020-0412, CVE-2020-0419) were also fixed.
Finally, Google fixed a high-severity EoP flaw (CVE-2020-0408) in Android runtime, the application runtime environment used by the Android OS. The vulnerability, which could enable a local attacker to execute arbitrary code within the context of an application that uses the library, was fixed in versions 8.0, 8.1, 9, 10 and 11.
Google also rolled out patches for flaws in various third-party components in its Android ecosystem. One such flaw (CVE-2020-0423) exists in the kernel, which could enable a local attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. Also fixed were several MediaTek components, including ones affecting the keyinstall, widevine and ISP components.
Finally, 22 critical and high-severity flaws were addressed in Qualcomm components, including four high-severity flaws in the kernel component (CVE-2020-11125, CVE-2020-11162, CVE-2020-11173, CVE-2020-11174) and six critical flaws (CVE-2020-3654, CVE-2020-3657, CVE-2020-3673, CVE-2020-3692, CVE-2020-11154 and CVE-2020-11155) in “closed-source components.”
vulnerabilities web security (cve-2020-0215 android android security update cve-2020-0416 elevation of privilege framework google information disclosure kernel media framework october 2020 pixel qualcomm samsung
Admins should patch their Citrix ADC and Gateway installs immediately.
Google is rolling out 35 security fixes, and a new password feature, in Chrome 86 versions for Windows, Mac, Android and iOS users. Google's Chrome 86: Critical Payments Bug, Password Checker Among Security Notables ... Google is rolling out 35 security fixes, and a new password feature, in Chrome 86 versions for Windows, Mac, Android and iOS ...
Researchers identified serious flaws in Qualcomm’s Snapdragon SoC and the Hexagon architecture that impacts nearly half of Android handsets.
Google's new release of Chrome 85.0.4183.121 for Windows, Mac, and Linux fixes 10 security flaws.
The majority of the bugs in Cisco’s Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) software can enable denial of service (DoS) on affected devices.