Google has released patches addressing high-severity flaws in its System component. The flaws could be remotely exploited to gain access to additional permissions.
Overall, 50 flaws were patched as part of Google’s October security update for the Android operating system, released on Monday. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high- and critical-severity vulnerabilities tied to 22 CVEs.
Two elevation of privilege (EoP) issues, the most serious of the flaws, exist in the Android System component, the core of the operating system that’s on Android phones. These are two vulnerabilities (CVE-2020-0215 and CVE-2020-0416) that can be exploited remotely by an attacker using a specially crafted transmission. The flaws are fixed in Android versions 8.0, 8.1, 9, 10 and 11.
Also fixed in System are eight high-severity information-disclosure flaws (CVE-2020-0377, CVE-2020-0378, CVE-2020-0398, CVE-2020-0400, CVE-2020-0410, CVE-2020-0413, CVE-2020-0415 and CVE-2020-0422).
Three high-severity flaws also exist in the Media Framework (which offers support for playing a variety of common media types, so users can easily utilize audio, video and images). The three (CVE-2020-0213, CVE-2020-0411, CVE-2020-0414) could lead to remote information disclosure with no additional execution privileges needed.
Google also fixed five high-severity flaws in the Framework component, which is a set of APIs (consisting of system tools and user interface design tools) that allow developers to quickly and easily write apps for Android phones. These include two EoP flaws (CVE-2020-0420 and CVE-2020-0421), which enable a local malicious application to bypass user-interaction requirements in order to gain access to additional permissions. Three information-disclosure flaws (CVE-2020-0246, CVE-2020-0412, CVE-2020-0419) were also fixed.
Finally, Google fixed a high-severity EoP flaw (CVE-2020-0408) in Android runtime, the application runtime environment used by the Android OS. The vulnerability, which could enable a local attacker to execute arbitrary code within the context of an application that uses the library, was fixed in versions 8.0, 8.1, 9, 10 and 11.
Google also rolled out patches for flaws in various third-party components in its Android ecosystem. One such flaw (CVE-2020-0423) exists in the kernel, which could enable a local attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. Also fixed were several MediaTek components, including ones affecting the keyinstall, widevine and ISP components.
Finally, 22 critical and high-severity flaws were addressed in Qualcomm components, including four high-severity flaws in the kernel component (CVE-2020-11125, CVE-2020-11162, CVE-2020-11173, CVE-2020-11174) and six critical flaws (CVE-2020-3654, CVE-2020-3657, CVE-2020-3673, CVE-2020-3692, CVE-2020-11154 and CVE-2020-11155) in “closed-source components.”
Manufacturers of Android devices typically push out their own patches in tandem with or after the Google Security Bulletin. Samsung said in an October Android Security Update that it is releasing several patches, including those addressing critical flaws CVE-2019-13994, CVE-2020-3634, CVE-2019-10629, CVE-2019-10628 and CVE-2020-3621 that affect major Samsung models. The security update for Pixel devices has also arrived.
Android has faced various security issues in the past. In August, for instance, Google released patches addressing a high-severity issue in its Framework component, which if exploited could enable remote code-execution (RCE) on Android mobile devices.
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.