As a result, an attacker with physical access to the Android device can escalate privileges in the context of the kernel and take control of the system.
“To exploit the vulnerability, the attacker must be able to execute low privilege code on the target system,” the researchers write.
Details of the code and of how the attack is conducted have not been reported. The severity of the vulnerability is rated at 7.8 on the CVSS scale.
A report on it was submitted to Google almost six months ago, in mid-March. The developer confirmed the vulnerability and promised to prepare a patch, although no release date has been set. Since the patch never appeared, the researchers decided to disclose the dangerous find.
“Given the nature of the vulnerability, the only salvation so far is to limit interaction with the service. You can only allow it for clients and servers associated with it with legitimate procedures. This restriction can be introduced in a variety of ways, in particular using firewall rules or whitelisting,” say ZDI researchers.
The vulnerability was disclosed after the publication of the latest set of patches for Android. Unfortunately, the necessary patch was again missing from it.
On Tuesday, September 3, Google announced fixes for 15 dangerous bugs in its OS for mobile devices. Among others, two critical remote code execution vulnerabilities in the multimedia libraries included in the Media framework were patched. According to the developer’s bulletin, exploitation of CVE-2019-2176 and CVE-2019-2108 allows a specially crafted file to be used to execute arbitrary code in the context of a privileged process.
In the Framework components, five high-risk vulnerabilities were closed; four of them threaten privilege escalation, and one threatens disclosure of confidential information. Five similar bugs were announced in System; a sixth (CVE-2019-2177) allowed remote execution of arbitrary code in the system.
The new Google bulletin also informs users about fixes for two vulnerabilities in NVIDIA components and about three dozen in Qualcomm products. Of the latter, the most dangerous for Android are CVE-2019-10533 and CVE-2019-2258, which were contained in closed-source components.
“LGE has released a set of patches as part of the monthly Android security update program. Of the fixed vulnerabilities, the most serious is a critical bug in the Media framework,” said LG.
Samsung announced its September updates for Android devices at the same time. The new patch set covers the vulnerabilities mentioned in the Google bulletin, as well as a dozen bugs specific to Samsung products.