Google updates its mobile OS, fixing ten critical bugs, which include 1 distant code execution flaw.
Google patched 10 critical bugs as section of its December Android Security Bulletin. The worst of the bugs was tied to the Android media framework ingredient and provides attacker remote handle of susceptible handsets.
Google did not expose the technological details of the critical flaw, tracked as CVE-2020-0458, and will probably not right until a greater part of handsets are patched. The other 9 critical bugs plugged this month by Google are tied to the underlying Qualcomm chipsets and accompanying firmware, popular on most Android telephones.
The critical Qualcomm bugs preset were being each individual rated 9.8 out of 10 in severity, utilizing the common CVSS score. Eight of these flaws had been tied to the vendor’s subsystem application that controls audio. One more bug, tracked as CVE-2020-11225, is tied to the Qualcomm Wi-Fi radio’s WLAN host communication ingredient.Bug descriptions are obtainable by way of Qualcomm’s very own December 2020 Security Bulletin, posted Monday. Numerous of these critical flaws were being discovered as buffer-overflow bugs and buffer more than-go through vulnerabilities.
One the audio flaws, tracked as CVE-2020-11137, is determined as a “buffer around-read issue in audio” that could be exploited remotely, according to Qualcomm. It wrote, an attacker can develop situations for an “integer multiplication overflow ensuing in decrease buffer dimension allocation than envisioned [which] causes memory access out of bounds ensuing in doable gadget instability.”
The Wi-Fi bug is induced when the chip is forced to “buffer copy without the need of checking dimensions of enter in WLAN”. The consequence are problems ripe of a “classic buffer overflow” attack. This form of attack occurs when an adversary floods a application as well considerably knowledge. “The surplus information corrupts close by area in memory. If attackers know the memory format of a method, they can intentionally feed input that the buffer can’t keep, and overwrite spots that keep executable code, replacing it with their very own code,” describes Imperva.
Qualcomm credited a number of scientists for getting vulnerabilities such as Haikuo Xie of Huawei Security and Ying Wang of Baidu Security Lab and Jun Yao (姚俊) (@_2freeman) and Guang Gong (@oldfresher) of 360 Alpha Lab doing work with 360 BugCloud. Other credited bug hunters provided Ben Hawkes of Google Job Zero and researcher Nick Landers.Set Ransomware on the Operate: Save your location for “What’s Up coming for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware environment and how to combat back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of assaults. Matters will involve the most hazardous ransomware risk actors, their evolving TTPs and what your corporation demands to do to get forward of the up coming, inescapable ransomware attack. Sign up here for the Wed., Dec. 16 for this LIVE webinar.
Some parts of this article are sourced from:
threatpost.com