UPDATE
Google has released fixes for three critical-severity vulnerabilities in the Media framework of its Android operating system, which if exploited could allow a remote attacker to execute code.
The remote code execution (RCE) flaws are part of Google’s October 2019 Android Security Bulletin, which deployed fixes for high and critical-severity vulnerabilities tied to nine CVEs overall. Qualcomm, whose chips are used in Android devices, also patched 18 high and critical-severity vulnerabilities.
The three critical flaws (CVE-2019-2184, CVE-2019-2185, CVE-2019-2186) exist in Android’s Media framework. This framework includes support for playing a variety of common media types, so that users can easily utilize audio, video and images. Android operating systems 7.1.1, 7.1.2, 8.0, 8.1, 9 are specifically impacted by the critical flaws.
“The most severe of these issues is a critical security vulnerability in the Media framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” said Google in a Monday post. “We have had no reports of active customer exploitation or abuse of these newly reported issues.”
Also fixed was a high-severity elevation-of-privilege flaw (CVE-2019-2173) in the Android framework, which “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.” And, two high-severity flaws (CVE-2019-2114, CVE-2019-2187) were discovered in the Android operating system that could “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.”
Eighteen CVEs – including eight critical ones – were also patched, related to Qualcomm closed-source components, which are used in Android devices. The critical severity flaws exist across various Qualcomm technologies, including its kernel (CVE-2018-13916), multi-mode call processor (CVE-2019-2271), boot technology (CVE-2019-2251) and more.
Manufacturer Updates
Manufacturers of Android devices typically push out their own patches to address updates in tandem with or after the Google Security Bulletin.
Samsung said in a security maintenance release that it is releasing several of the Android security bulletin patches, including those addressing critical flaws CVE-2019-2284, CVE-2019-2285 and CVE-2019-2186, to major Samsung models. Meanwhile LG also rolled out patches covered by the October security bulletin (also addressing CVE-2019-2184, CVE-2019-2185 and CVE-2019-2186). Pixel devices, which run on Google’s Android operating system, received patches as part of Google’s October security update as well.
Threatpost has reached out to Nokia regarding any patches it plans to apply to its phones.
Google Zero Day Patch Rollout
While initially there was no sign of a recently revealed Android zero-day vulnerability — disclosed this week and actively being exploited in the wild — on Google’s official Android Security Bulletin, the bulletin was later updated to include a patch for the flaw. The zero-day flaw gives an attacker full control over 18 phone models including its flagship Pixel handset and devices made by Samsung, Huawei and Xiaomi.
The bug (CVE-2019-2215) was also mentioned in the Pixel update bulletin, which said “Pixel 1 and Pixel 2 devices will receive the patch for CVE-2019-2215 as part of the October update.”
This article was updated on Oct. 8 at 1 pm ET to reflect that the Android security bulletin was updated to include CVE-2019-2215.
What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.
