Qualcomm has patched a handful of vulnerabilities in its devices that, if exploited, could leave Android OS kernels open to privilege escalation or denial-of-service (DoS) attacks.
According to notes published earlier today by Michael Orlando, a vulnerability analyst at the United States Computer Emergency Readiness Team (CERT), the vulnerabilities could be exploited if an attacker got a user to install a specially crafted Android application. Once said app was executed, attackers could gain control of the device via privilege escalation or DoS.
Specifically, if installed, a malicious app would affect the device “by passing a specially crafted input to diagchar_ioctl call of Diagnostics (DIAG) kernel mode driver for Android” (CVE-2012-4220, CVE-2012-4221), according to a vulnerability summary on mobile open source community CodeAurora.org. The write-up also claims a separate DoS attack could be triggered by exploiting a graphics kernel mode driver (CVE-2012-4222) on the devices.
Android users running the Gingerbread, Ice Cream Sandwich and Jelly Bean operating systems can download and install the updates at Code Aurora.