
Threatpost, Jan 05, 2021 - 8:21 p.m.

Google Warns of Critical Android Remote Code Execution Bug

Lindsey O'Donnell

Google has fixed two critical bugs affecting its Android handsets. The more serious flaw exists in the Android System component and allows remote attackers to execute arbitrary code.

The two critical vulnerabilities are part of Google’s January Android security bulletin, released Monday. The security update addressed 43 bugs overall for the Android operating system. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high- and critical-severity vulnerabilities tied to 15 bugs.

The critical-severity flaws include a remote-code-execution flaw in Google’s Android System component (CVE-2021-0316), the core of the Android operating system.

Another flaw, rated serious, is a denial-of-service issue (CVE-2021-0313) in the Android Framework component, which is a set of APIs (consisting of system tools and user interface design tools) that allow developers to quickly and easily write apps for Android phones.

“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” according to Google. Both critical flaws are fixed in Android versions 8.0, 8.1, 9, 10 and 11.

Beyond these critical-severity issues, Google fixed a tangle of 13 high-severity flaws in its Framework. This included eight elevation-of-privilege issues (CVE-2021-0303, CVE-2021-0306, CVE-2021-0307, CVE-2021-0310, CVE-2021-0315, CVE-2021-0317, CVE-2021-0318, CVE-2021-0319); four information disclosure glitches (CVE-2021-0304, CVE-2021-0309, CVE-2021-0321, CVE-2021-0322) and one DoS flaw (CVE-2019-9376).

Three high-severity bugs were found in Media Framework (which offers support for playing a variety of common media types, so users can easily utilize audio, video and images). These include an RCE flaw tied to CVE-2016-6328, and two information disclosure flaws tied to CVE-2021-0311 and CVE-2021-0312.

Google also rolled out patches for flaws in various third-party components in its Android ecosystem. This included three high-severity flaws in the kernel (CVE-2020-10732, CVE-2020-10766, CVE-2021-0323), which could enable a local malicious application to bypass operating system protections that isolate application data from other applications. A high-severity vulnerability (CVE-2021-0301) was also fixed in the MediaTek component.

Finally, 15 critical and high-severity flaws were addressed in Qualcomm components, including ones affecting the kernel (CVE-2020-11233), display (CVE-2020-11239, CVE-2020-11261, CVE-2020-11262), camera (CVE-2020-11240) and audio components (CVE-2020-11250).

The fixes come after a hefty December Android security update, where Google patched ten critical bugs, including one tied to the Android media framework component that could give attackers remote control of vulnerable handsets.
