Google’s Android November 2021 security updates plug 18 flaws in the framework and technique components and 18 much more in the kernel and vendor factors.
Between Google’s November Android security updates is a patch for a zero-day weak spot that “may be under limited, qualified exploitation,” the corporation claimed.
Out of this month’s batch of 39 patches, 18 of them plug flaws in the framework and method parts and yet another 18 handle vulnerabilities in the kernel and vendor elements.
Use-After-Free of charge Flaw in the Kernel
Google explained the just one that attackers may well be picking aside – CVE-2021-1048 – as caused by a use-following-free (UAF) vulnerability in the kernel. UAF bugs permit for code substitution by applying a dangling pointer in dynamic memory. In this situation, it can be exploited for regional escalation of privilege and, when paired with a remote code execution (RCE) bug, an exploit could allow attackers to achieve administrative manage over a qualified program.
The internet titan kept its lips zipped about the particulars of the assaults exploiting CVE-2021-1048, but the truth that they’re targeted raises the risk of nation-condition superior persistent risk (APT) teams carrying them out for espionage.
There’s precedent for that: Earlier this 12 months, Android units were targeted in an espionage campaign that adapted the LodaRAT – identified for concentrating on Windows units – to also go after Android products in a marketing campaign that targeted Bangladesh.
Most Critical Issues
The most significant of the updates handle two critical remote code execution (RCE) vulnerabilities – tracked as CVE-2021-0918 and CVE-2021-0930 – in the Method part. The flaws could enable a distant attacker to execute arbitrary code inside of the context of a privileged approach by sending a specially crafted transmission to targeted devices.
“The severity assessment is based on the impact that exploiting the vulnerability would potentially have on an affected device, assuming the system and services mitigations are turned off for advancement functions or if properly bypassed,” in accordance to the security update.
There are two more critical security flaws resolved in this month’s patches: CVE-2021-1924 and CVE-2021-1975, both equally of which have an impact on Qualcomm factors.
However a further critical flaw can be located in Android Tv distant services – which allows Android phones or tablets to be employed as a distant for an Android Tv set. This one’s a different RCE, tracked as CVE-2021-0889. A nearby attacker who manages to exploit CVE-2021-0889 could creep up, silently pair with a Television, and execute arbitrary code with no privileges or user conversation demanded.
Higher-Severity Issues
Yet another 29 bugs are rated as significant-severity, with patches addressing vulnerabilities in the Framework, Media Framework, Technique, kernel, Android Television set, MediaTek and Qualcomm factors.
Google issued a different security advisory for Pixel devices.
Verify out our free approaching dwell and on-desire online city halls – exclusive, dynamic discussions with cybersecurity experts and the Threatpost neighborhood.
Some parts of this article are sourced from:
threatpost.com