Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Patches Critical RCE Vulnerabilities in Android’s System Component

Google this week released the April 2020 set of security patches for the Android operating system to address over 50 vulnerabilities, including four critical issues in the System component.

Google this week released the April 2020 set of security patches for the Android operating system to address over 50 vulnerabilities, including four critical issues in the System component.

All of the four critical bugs addressed this month in Android’s System could lead to remote code execution, and all impact Android 8.0, 8.1, 9, and 10. Fixes for the flaws will be delivered to all devices running the 2020-04-01 security patch level or newer.

The vulnerabilities are tracked as CVE-2020-0070, CVE-2020-0071, CVE-2020-0072, and CVE-2020-0073.

“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in an advisory.

Patches for eight other issues were included in the 2020-04-01 security patch level, namely six vulnerabilities in the Framework component (four high risk elevation of privilege, one high severity information disclosure, and one moderate risk information disclosure), and two in Media framework (both high severity elevation of privilege flaws).

The second part of Google’s April 2020 Android Security Bulletin will arrive on devices as 2020-04-05 security patch level, delivering patches for 43 vulnerabilities.

These include components such as Framework (one high severity information disclosure), Kernel components (three high risk elevation of privilege bugs), FPC components (a high risk elevation of privilege bug and two moderate severity information disclosure issues), Qualcomm components (one critical and five high severity), and Qualcomm closed-source components (eight critical and twenty-two high risk).

Google also released a new set of security patches for Pixel devices to address a total of 14 vulnerabilities: two in Kernel components, nine in Qualcomm components, and three in Qualcomm closed-source components. All of these bugs feature a moderate severity rating.

On Google devices, a security patch level of 2020-04-05 or later addresses all of the vulnerabilities included in the Android Security Bulletin—April 2020 and Pixel Update Bulletin—April 2020.

Related: Google Patches Critical Remotely Exploitable Android Bug

Related: ‘Cookiethief’ Android Malware Hijacks Facebook Accounts

Related: Android’s February 2020 Update Patches Critical System Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.