Date:03/04/19
Google Fixes Two Critical Android Code Execution Vulnerabilities
Two critical remote code execution (RCE) and nine high severity elevation of privileges (EoP) and information disclosure (ID) vulnerabilities were fixed by Google in the Android Open Source Project (AOSP) as part of security patch level 2019-04-01.
The security issues tracked as CVE-2019-2027 and CVE-2019-2028 as part of the 2019-04-01 security patch level are critical vulnerabilities impacting the Media framework which could allow potential remote attackers to make use of specially crafted files "to execute arbitrary code within the context of a privileged process."
As detailed in the security bulletin, the two critical vulnerabilities impact all Android 7.0 or later devices, but users should be safe against attacks after applying the latest Android security patch.
Including these two security flaws, Google has patched a total of 11 security vulnerabilities within AOSP, two of them being rated critical severity, while 9 have received a high severity level rating.
While the critical vulnerabilities allow malicious actors to perform RCE attacks against unpatched Android devices, the rest of them are either elevation of privileges or information disclosure flaws.
To be more exact, while the Framework CVE-2019-2026 allows a "local attacker to gain additional permissions bypass with user interaction" on Android 8.0 or later devices, the most severe of the other eight System security issues would "enable a local malicious application to execute arbitrary code within the context of a privileged process."
No reports of exploitation prior to disclosure
The 2019-04-05 security patch level lists another four System vulnerabilities of high and critical severity, with the most severe one of them making it possible for would-be remote attackers "using a specially crafted file to execute arbitrary code within the context of a privileged process."
According to Google, there were no "reports of active customer exploitation or abuse of these newly reported issues" and the severity assessment of the security issues patched in this month's security update is based on the effect their possible exploitation would have on compromised devices.
Google also says that all Android partners were alerted of all issues disclosed in this update at least a month prior to today's public disclosure.
Also, "source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours" with the AOSP links to be added to the security bulletin as soon as they are available.