Google patched a critical vulnerability in the Media Framework of its Android operating system, which if exploited could lead to remote code execution attacks on vulnerable devices.
Overall, Google fixed flaws tied to 53 CVEs as part of its September security updates for the Android operating system, released on Tuesday. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high and critical-severity vulnerabilities tied to 22 CVEs.
“The most severe of these issues is a critical security vulnerability in the Media Framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to the Android security update.
Android Media Framework includes support for playing a variety of common media types, so users can easily utilize audio, video and images. The flaw (CVE-2020-0245) allows RCE in Android versions 8.0, 8.1 and 9 – but that severity is lowered to “high” and the impact instead is information disclosure for Android version 10.
Beyond this critical-severity glitch, the Android Media Framework also includes five other high-severity information disclosure flaws (CVE-2020-0381, CVE-2020-0383, CVE-2020-0384, CVE-2020-0385, CVE-2020-0393) and an elevation of privilege issue (CVE-2020-0392).
Two other critical vulnerabilities were patched, existing in the Android System area. These included an RCE flaw (CVE-2020-0380) and information disclosure flaw (CVE-2020-0396) that both affect Android versions 8.0, 8.1, 9 and 10.
These flaws could allow “a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” according to Google. The System also includes two high-severity elevation of privilege errors (CVE-2020-0386, CVE-2020-0394) and an information disclosure (CVE-2020-0379) hole.
Ten high-severity vulnerabilities also exist in the Android Framework, which is a set of APIs – consisting of system tools and user interface design tools – that allow developers to quickly and easily write apps for Android phones. These include four elevation of privilege flaws (CVE-2020-0074, CVE-2020-0388, CVE-2020-0391, CVE-2020-0401) and six information disclosure errors (CVE-2020-0382, CVE-2020-0389, CVE-2020-0390, CVE-2020-0395, CVE-2020-0397, CVE-2020-0399).
Component Vulnerabilities
Google also rolled out patches for flaws in various third-party components in its Android ecosystem. These include four high severity flaws affecting MediaTek components (MediaTek and Google collaborate on Android TV’s Ultra HD TV platform) – including issues affecting the sound driver of Android TV.
Three high-severity flaws in the Android kernel, meanwhile, include an elevation of privileges flaw in the storage subsystem (CVE-2020-0402) and one in the USB driver (CVE-2020-0404), as well as an information disclosure flaw (CVE-2020-0407). Finally, 22 high- and critical-severity flaws were fixed in Qualcomm components, including five flaws in the kernel. The remaining Qualcomm flaws were in closed-source components.
Manufacturers of Android devices typically push out their own patches to address updates in tandem with or after the monthly security bulletin. Samsung said in a September security release that it is releasing several of the Android security bulletin patches to major Samsung models. And, according to a bulletin, a security update for Pixel devices, which run on Google’s Android operating system, is “coming soon.”
In August, Google released patches addressing a high-severity issue in its Framework component, which if exploited could enable remote code execution (RCE) on Android mobile devices. Overall, 54 high-severity flaws were patched as part of Google’s August security updates.
On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.