Security Experts:

Google Patches Critical RCE Vulnerabilities in Android's System Component

Google this week released the April 2020 set of security patches for the Android operating system to address over 50 vulnerabilities, including four critical issues in the System component.

All of the four critical bugs addressed this month in Android’s System could lead to remote code execution, and all impact Android 8.0, 8.1, 9, and 10. Fixes for the flaws will be delivered to all devices running the 2020-04-01 security patch level or newer.

The vulnerabilities are tracked as CVE-2020-0070, CVE-2020-0071, CVE-2020-0072, and CVE-2020-0073.

“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in an advisory.

Patches for eight other issues were included in the 2020-04-01 security patch level, namely six vulnerabilities in the Framework component (four high risk elevation of privilege, one high severity information disclosure, and one moderate risk information disclosure), and two in Media framework (both high severity elevation of privilege flaws).

The second part of Google’s April 2020 Android Security Bulletin will arrive on devices as 2020-04-05 security patch level, delivering patches for 43 vulnerabilities.

These include components such as Framework (one high severity information disclosure), Kernel components (three high risk elevation of privilege bugs), FPC components (a high risk elevation of privilege bug and two moderate severity information disclosure issues), Qualcomm components (one critical and five high severity), and Qualcomm closed-source components (eight critical and twenty-two high risk).

Google also released a new set of security patches for Pixel devices to address a total of 14 vulnerabilities: two in Kernel components, nine in Qualcomm components, and three in Qualcomm closed-source components. All of these bugs feature a moderate severity rating.

On Google devices, a security patch level of 2020-04-05 or later addresses all of the vulnerabilities included in the Android Security Bulletin—April 2020 and Pixel Update Bulletin—April 2020.

Related: Google Patches Critical Remotely Exploitable Android Bug

Related: 'Cookiethief' Android Malware Hijacks Facebook Accounts

Related: Android's February 2020 Update Patches Critical System Vulnerabilities

view counter