Google Patches Critical .PNG Image Bug

Eleven critical bugs will be patched as part of the February Android Security Bulletin.

Google has patched a critical vulnerability in current and legacy versions of its Android operating system, which allows an attacker to send a specially crafted Portable Network Graphics (.PNG) image file to a targeted device and execute arbitrary code.

In its February Android Security Bulletin, Google lists three critical Android Framework vulnerabilities (CVE-2019-1986, CVE-2019-1987, CVE-2019-1988), one of which is associated with the .PNG bug. Impacted versions of its Android OS range from Nougat (7.0) to its current Pie (9.0).

“The most severe of these issues is a critical security vulnerability in (the Android) Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” according to the security bulletin.

An attacker exploiting the flaw could remotely take over a vulnerable Android device by sending a booby-trapped image or tricking a user into following a malicious link sent via a mobile message service. Google said that it has no reports that any of the vulnerabilities listed in its February security bulletin have been exploited in the wild.

“The severity assessment is based on the effect that exploiting the (.PNG) vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” according to the Android security bulletin.

The Framework vulnerabilities accounted for three of 11 critical bugs reported Monday. In all, Google released 42 fixes, of which 30 were rated high severity. Four of the bugs were tied to Android hardware components made by NVIDIA and five to chip maker Qualcomm.

Updates to Google Pixel and other vendor phones (Samsung, LG, etc.) will commence or become available within 48 hours of the Monday bulletin posting. “Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours,” Google wrote.

Detailed descriptions of CVEs associated with Google’s February Android Security Bulletin are expected in the days ahead.

For its part, LG posted Monday six patches for critical vulnerabilities impacting its handsets along with 21 high-severity bugs and one moderate. One of the critical fixes (CVE-2018-11847) is left over from January and tied to an unspecified Qualcomm component.

Qualcomm posted some information regarding several CVEs that were part of the February bulletin. For example, the critical bug CVE-2018-11289 is identified as a buffer-copy flaw originating from a Qualcomm chip function where “data truncation during higher to lower type conversion which causes less memory allocation than desired can lead to a buffer overflow.”
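The bug class named in Qualcomm's description, narrowing a length before it sizes an allocation, is shown below as an added illustration beside a checked form. This is not Qualcomm's or Android's code; all function names and the sample length are hypothetical and constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flawed pattern: a 32-bit length is narrowed to 16 bits before it sizes
 * the allocation, so 0x10010 silently becomes 0x0010. */
static size_t alloc_size_truncating(uint32_t len)
{
    uint16_t narrow = (uint16_t)len;
    return narrow;
}

/* Bytes a later copy of the full `len` would write past that allocation. */
static size_t overflow_bytes(uint32_t len)
{
    size_t allocated = alloc_size_truncating(len);
    return len > allocated ? (size_t)len - allocated : 0;
}

/* Hardened narrowing: refuse any value the 16-bit type cannot represent. */
static int narrow_len_checked(uint32_t len, uint16_t *out)
{
    if (len > UINT16_MAX)
        return -1;
    *out = (uint16_t)len;
    return 0;
}

/* Allocation and copy both use the one validated size; NULL on rejection. */
static uint8_t *copy_checked(const uint8_t *src, uint32_t len)
{
    uint16_t n;
    if (src == NULL || len == 0 || narrow_len_checked(len, &n) != 0)
        return NULL;
    uint8_t *dst = malloc(n);
    if (dst != NULL)
        memcpy(dst, src, n);
    return dst;
}

int main(void)
{
    uint32_t len = 0x10010u; /* constructed sample length */
    printf("allocated=%zu overflow=%zu\n",
           alloc_size_truncating(len), overflow_bytes(len));
    printf("checked copy %s\n",
           copy_checked((const uint8_t *)"x", len) ? "accepted" : "rejected");
    return 0;
}
```

Compilers can flag the implicit form of this narrowing with `-Wconversion`; an explicit cast like the one in the flawed function suppresses that warning, which is why the range check has to be written out.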


Discussion

  • Alan Miller on

    I don't recall where, but I've seen mention that Chrome on Android devices uses its own version of the library that handles PNG files. According to a Firefox for Android developer, Firefox uses libpng (https://hg.mozilla.org/mozilla-central/file/tip/media/libpng) not the system library. This still leaves other apps (social media, messaging, etc.) as possible PNG exploit paths, but at least most browsers shouldn't be an issue.
