Search engine and tech giant Google just published the January Android Security Bulletin. The latest report contains details of seven vulnerabilities in the Android OS. One of these was given a critical rating since it affects Android OS versions 8, 8.1, and 9, which means Android users running one of these versions must install the January security update as soon as it becomes available.

The critical flaw, CVE-2020-0002, is a remote code execution (RCE) vulnerability in the Android Media Framework. This vulnerability could allow a remote attacker using a specially designed file to execute arbitrary code in the context of a privileged process, says Google. What does this imply?

The search engine giant does not disclose the full details of Android security issues until users' devices are patched, which makes it harder for attackers to exploit the flaws. While it does not seem like a remarkable issue at face value, the issue allows attackers to run commands on devices as a privileged user, says security researcher Sean Wright.

It is almost certain that a malicious app installed on a device could exploit this critical vulnerability, but it is not yet clear if the vulnerability is remotely exploitable, adds the security researcher. It would be really bad if it is remotely exploitable, notes Wright. But, if it is, we would have seen a higher rating and more visibility of the issue.

In Dec. 2019, Google patched a critical issue affecting Android 8, 9, and 10, which turned out to be a permanent denial-of-service threat. Security researchers last month shared another dangerous Android vulnerability called Strandhogg that enables malware to pose as legitimate apps. In Oct. 2019, Android users discovered that they were at risk after the keyboard app called ai.type surfaced, which allowed unauthorized purchases of millions of premium digital content.

Chipmaker Qualcomm, whose chips are in most Android devices, released a patch to fix 29 vulnerabilities named in the latest Google Android Security Bulletin. The most severe of these was associated with its rtlwifi driver. "The most severe vulnerability in this section could enable a proximate attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process," noted Google's Android security bulletin.

Android smartphone makers receive notifications a month before Google publishes the Android security bulletin. But for Android users who are already aware of the situation, waiting for their smartphone maker to release the latest update can be frustrating. In its security maintenance release this month, Samsung states that it will release the CVE-2020-0002 patch along with some other Android fixes to its handset models.