Google’s Android operating system for smartphones has received its first security update of the new year. Google’s first security update of 2020 addressed seven Android flaws classified as high and critical. While the number and severity rating might appear concerning, the Android OS has been getting better at keeping hackers and malicious code writers away.
Google’s first Android Security Bulletin of 2020 included a patch for a critical flaw in the smartphone operating system. The flaw, if successfully exploited, could allow a hacker to execute arbitrary, unauthorized, and possibly malicious code. The security flaw, now patched, was remotely exploitable. In other words, it didn’t require the hacker to be in physical possession of the Android device and didn’t require the attacker to be on the same network to execute the hack.
Google Android 2020 Security Update Patches Remote Code Execution (RCE) Flaw:
Google issued this year’s first Security Patch Update for Android OS, and it contains protection against a Remote Code Execution (RCE) flaw, which was one of seven critical- and high-severity vulnerabilities. The Google News Bulletin briefly mentions the vulnerabilities, but doesn’t offer details owing to security concerns:
“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”
The search giant, which also develops and maintains the world’s most widely used smartphone operating system, noted that the RCE security flaw, officially tagged CVE-2020-0002 and marked as ‘Severe’, exists in Android’s Media framework. The framework includes support for playing a variety of common media types. Needless to add, this forms the very basis of smartphone multimedia usage and consumption, as it allows users to listen to audio and access video and images.
The CVE-2020-0002 RCE security flaw affects Android operating system versions 8.0, 8.1 and 9. Although Google has specifically indicated, the latest Android version 10 appears to be largely immune to the flaw. In addition to the CVE-2020-0002 bug, Google also fixed high-severity Elevation of Privilege flaws (CVE-2020-0001, CVE-2020-0003).
The company also addressed a Denial of Service (DoS) flaw (CVE-2020-0004) in the Android framework, which “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.” The remaining three security vulnerabilities, tagged CVE-2020-0006, CVE-2020-0007 and CVE-2020-0008, “could lead to remote information disclosure with no additional execution privileges needed.”
Apart from these flaws, Google also patched twenty-nine other vulnerabilities. Incidentally, they were mostly related to Qualcomm components. One flaw, tagged as CVE-2019-17666 and flagged as ‘Critical’, existed in the Qualcomm Realtek “RTLWiFi driver”. It could lead to a Remote Code Execution attack. The RTLWiFi driver allows certain Realtek Wi-Fi modules to communicate with devices running the Linux operating system.
The last Google Security Update of 2019 patched three critical-severity vulnerabilities in the Android operating system. The December 2019 Android Security Bulletin fixed a total of 15 vulnerabilities, which were spread across Critical, High and Medium severity ratings.