Google Fixes Critical Android RCE Flaw

google android

Google’s first security update of 2020 addressed seven high and critical severity Android flaws.

Google kicked off its first Android Security Bulletin of 2020 patching a critical flaw in its Android operating system, which if exploited could allow a remote attacker to execute code. Compared to last year’s monthly tally, the number of CVEs patched this month were relatively few.

The remote-code-execution (RCE) flaw was one of several critical- and high-severity vulnerabilities that made up seven CVEs tracked overall this month. Qualcomm, whose chips are used in Android devices, also patched a mix of 29 high and medium-severity vulnerabilities as part of the January bulletin.

Google said its’ critical vulnerability (CVE-2020-0002) exists in Android’s Media framework, which includes support for playing a variety of common media types, so that users can easily utilize audio, video and images. Android operating systems 8.0, 8.1 and 9 are specifically impacted by the bug.

“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to Google in the bulletin.

Also fixed were high-severity elevation-of-privilege flaws (CVE-2020-0001, CVE-2020-0003) and a denial of service flaw (CVE-2020-0004) in the Android framework, which “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.”

And, three high-severity flaws (CVE-2020-0006, CVE-2020-0007, CVE-2020-0008) were discovered in the Android operating system that could “could lead to remote information disclosure with no additional execution privileges needed.”

Technical details on each of the CVEs is limited, that is until handsets are patched and the fear of those bugs being exploited by hackers is significantly reduced.

Twenty-nine CVEs – all high-severity except for one critical one – were also patched, related to Qualcomm components, which are used in Android devices.  The critical severity flaw existed in the Qualcomm Realtek “rtlwifi driver” (CVE-2019-17666) and could lead to remote code execution. The “rtlwifi” driver is a software component used to allow certain Realtek Wi-Fi modules, used in Linux devices, to communicate with the Linux operating system.

Manufacturer Updates

Manufacturers of Android devices typically push out their own patches to address updates in tandem with or after the Google Security Bulletin. Samsung said in a security maintenance release that it is releasing several of the Android security bulletin patches, including, CVE-2020-0002, to major Samsung models.

Fixes for LG, Nokia and Pixel devices are coming soon but have yet to be posted.

The security bulletin is the first of the year for Google. The company in December released an update stomping out three critical-severity vulnerabilities in its Android operating system — one of which could result in “permanent denial of service” on affected mobile devices if exploited. The December 2019 Android Security Bulletin deployed fixes for critical, high and medium-severity vulnerabilities tied to 15 CVEs overall.

Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.

Suggested articles

Discussion

  • Ben on

    Acording to the Security Bulletin, Android version 10 is also impacted by CVE-2020-0002, but at a moderate severity instead of Critical.
  • Mark on

    Pity google don't send updates direct to Huwai p30 pro, not had updates since Oct 19,ooen to hackers.
  • Andrew on

    Pity? That's not on Google, that's on Huwai (sp? Meh, it's all the same) for wanting to make a buck off of selling cheap hardware while washing their hands of actually maintaining the drivers/firmware for the hardware components. These crappy phone manufacturers have no interest in maintaining updated images once Google updates AOSP as there's no money in that. They simply want to "take the money and run". Stick with the name brand products rather than some crap hacked together from poorly understood/outdated stolen intellectual property.

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.