Electronic news service of the Ministry of Communications and Information Technologies

Google Fixes Two Critical Android Code Execution Vulnerabilities


Two critical remote code execution (RCE) vulnerabilities and nine high-severity elevation of privilege (EoP) and information disclosure (ID) vulnerabilities were fixed by Google in the Android Open Source Project (AOSP) as part of security patch level 2019-04-01.
 
The issues tracked as CVE-2019-2027 and CVE-2019-2028, part of the 2019-04-01 security patch level, are critical vulnerabilities in the Media framework that could allow a remote attacker using a specially crafted file "to execute arbitrary code within the context of a privileged process."
 
As detailed in the security bulletin, the two critical vulnerabilities affect all devices running Android 7.0 or later, but devices that apply the latest Android security patch are protected against attacks.
 
Including these two flaws, Google has patched a total of 11 security vulnerabilities in AOSP: two rated critical severity and nine rated high severity.
 
While the critical vulnerabilities allow malicious actors to perform RCE attacks against unpatched Android devices, the rest are either elevation of privilege or information disclosure flaws.
 
Specifically, the Framework vulnerability CVE-2019-2026 allows a "local attacker to gain additional permissions bypass with user interaction" on Android 8.0 or later devices, while the most severe of the other eight System issues would "enable a local malicious application to execute arbitrary code within the context of a privileged process."
 
No reports of exploitation prior to disclosure
 
The 2019-04-05 security patch level lists another four System vulnerabilities of high and critical severity, the most severe of which makes it possible for a remote attacker "using a specially crafted file to execute arbitrary code within the context of a privileged process."
 
According to Google, there were no "reports of active customer exploitation or abuse of these newly reported issues," and the severity assessment of the issues patched in this month's update is based on the effect their exploitation would have on a compromised device.
 
Google also says that all Android partners were notified of all issues disclosed in this update at least a month prior to today's public disclosure.
 
Also, "source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours," with the AOSP links to be added to the security bulletin as soon as they are available.
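Since the article's advice to users is to apply the patch, the practical question for an administrator is whether a given device actually reports one of the two patch levels the bulletin names. The script below is an added example, not code from the article or from Google: it reads the standard Android property ro.build.version.security_patch over adb (the device must have USB debugging enabled and adb must be installed, both assumptions) and classifies the value against 2019-04-01 and 2019-04-05. The comparison helpers take the level string as an argument, so they can be exercised offline with constructed values.

```shell
#!/bin/sh
# Added example (not from the article or from Google): check whether a device's
# Android security patch level is at or after the 2019-04-01 / 2019-04-05 levels
# named in the April 2019 bulletin. The live value comes from the real system
# property ro.build.version.security_patch via adb (assumed installed); the
# helpers below work on plain strings so they can be tested without a device.

# patch_level_to_int LEVEL: turn "YYYY-MM-DD" into the integer YYYYMMDD.
# Prints nothing and returns 1 if LEVEL is not in that shape (for example an
# empty property on a device that reports none).
patch_level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# patch_level_meets DEVICE_LEVEL REQUIRED_LEVEL: succeed (0) when the device
# level is on or after the required level; fail (1) otherwise or on bad input.
patch_level_meets() {
    dev=$(patch_level_to_int "$1") || return 1
    req=$(patch_level_to_int "$2") || return 1
    [ "$dev" -ge "$req" ]
}

# classify_patch_level LEVEL: print one of
#   patched-2019-04-05  (carries the full April 2019 bulletin, incl. the extra System fixes)
#   patched-2019-04-01  (carries the Media framework RCE fixes but not the 04-05 set)
#   unpatched           (earlier than 2019-04-01)
#   unknown             (malformed or empty value)
classify_patch_level() {
    if ! patch_level_to_int "$1" >/dev/null; then
        echo unknown
    elif patch_level_meets "$1" 2019-04-05; then
        echo patched-2019-04-05
    elif patch_level_meets "$1" 2019-04-01; then
        echo patched-2019-04-01
    else
        echo unpatched
    fi
}

# device_patch_level: read the property from a connected, USB-debugging-enabled
# device. Older adb builds emit CRLF line endings, hence the tr.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# report_device: print the live level and its classification; an unreachable
# device yields an empty value and therefore "unknown".
report_device() {
    level=$(device_patch_level 2>/dev/null) || level=""
    echo "security patch level: ${level:-<none>} -> $(classify_patch_level "$level")"
}

# Run the live check only when adb is present; the helpers work without it.
if command -v adb >/dev/null 2>&1; then
    report_device
fi
```

The patch level string is compared as a date rather than matched exactly, so a device on any later level (for example a May 2019 build) is correctly reported as carrying these fixes. Note that a reported patch level reflects what the device vendor declares; it is the vendor's build, not this check, that determines whether the AOSP fixes were actually integrated.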

03/04/19