Google Patches Critical Remotely Exploitable Android Bug

Google’s March 2020 security updates for Android include fixes for over 70 vulnerabilities, including a critical flaw in media framework. 

The critical bug was patched as part of the 2020-03-01 security patch level, which addresses a total of 11 vulnerabilities in framework, media framework, and system. 

The critical vulnerability is a remote code execution flaw tracked as CVE-2020-0032, which impacts devices running Android 8.0, 8.1, 9, and 10. 

According to Google's advisory, the vulnerability "could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process."

Two other flaws were addressed in the media framework, both rated high severity: an elevation of privilege (CVE-2020-0033) and an information disclosure (CVE-2020-0034). The former impacts Android 8.0, 8.1, 9, and 10, while the latter only impacts Android 8.0 and 8.1.

One issue was addressed in framework this month, namely a high-risk information disclosure tracked as CVE-2020-0031. Only devices running Android 10 are impacted.

All the remaining 7 vulnerabilities addressed with the 2020-03-01 security patch level impact system and all feature a high severity rating. These include two elevation of privilege issues and five information disclosure bugs. 

The second part of this month’s set of patches arrives on devices as the 2020-03-05 security patch level and references 60 vulnerabilities. The flaws impact system, kernel components, FPC, MediaTek, Qualcomm, and Qualcomm closed-source components.

The vulnerability in system is CVE-2019-2194, an elevation of privilege rated high severity and impacting Android 9. 

All four of the flaws impacting kernel components could lead to elevation of privilege. They impact USB, networking, and binder. 

Of the six vulnerabilities patched in FPC Fingerprint TEE, three are rated high risk and could lead to elevation of privilege, while the other three are rated moderate severity and could lead to information disclosure. 

All of the bugs fixed in Qualcomm components feature a high severity rating. They were found to impact USB, WLAN, Audio, and Graphics. 

A total of 40 vulnerabilities in Qualcomm closed-source components are referenced in the March 2020 Android security bulletin. Of them, 16 are rated critical severity, while the remaining are considered high risk. 

The last vulnerability patched as part of the 2020-03-05 security patch level is a high severity flaw in MediaTek components that could lead to elevation of privilege. Tracked as CVE-2020-0069, the issue resides in the MediaTek Command Queue driver.

According to XDA-Developers, the vulnerability was initially disclosed in April 2019 and MediaTek released a patch for it the next month. The flaw apparently impacts all of the maker’s 64-bit chips and an exploit for it has existed for over a year, allowing users to obtain root on their devices. 

“This is a vulnerability within approximately two dozen MediaTek chipsets that are in millions of Android devices. Because this is a hardware vulnerability, it cannot be patched by Google with an over the air update to the Android operating system. If you have a device running a MediaTek chipset, you should add mobile security that detects when your device is rooted by a third party to protect from attacks using this vulnerability,” Lookout’s Chris Hazelton told SecurityWeek in an emailed comment.

“IT and security teams for organizations should identify Android devices with MediaTek chips that are vulnerable. If your organization has vulnerable devices used by employees, those devices should be monitored and eventually replaced,” Hazelton continued.
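For teams doing the device identification described above, the following is an added example (not from the bulletin or from any vendor tool) that triages `adb shell getprop` dumps against the two March 2020 patch levels. It assumes the standard `ro.build.version.security_patch`, `ro.build.version.release`, `ro.board.platform` and `ro.hardware` properties are present; the `mt<digits>` pattern is a heuristic for MediaTek platforms and does not distinguish 64-bit chips, and the sample dumps are constructed.

```python
import re
from datetime import date

# Patch levels and their coverage, as stated in the article.
SPL_PART1 = date(2020, 3, 1)  # framework, media framework, system
SPL_PART2 = date(2020, 3, 5)  # kernel, FPC, MediaTek, Qualcomm components
CVE_0032_MAJORS = {"8", "9", "10"}  # Android 8.0, 8.1, 9 and 10
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Parse `adb shell getprop` output ("[key]: [value]") into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def is_mediatek(props):
    # Assumption: MediaTek platforms report an "mt<digits>" SoC name here.
    names = (props.get("ro.board.platform", ""), props.get("ro.hardware", ""))
    return any(re.fullmatch(r"mt\d{4}\w*", n.lower()) for n in names)

def triage(getprop_text):
    """Return the March 2020 fix groups a device's reported patch level lacks."""
    props = parse_getprop(getprop_text)
    try:
        spl = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return ["patch level missing or malformed: treat as unpatched"]
    findings = []
    major = props.get("ro.build.version.release", "").split(".")[0]
    if spl < SPL_PART1 and major in CVE_0032_MAJORS:
        findings.append("CVE-2020-0032")
    if spl < SPL_PART2:
        # A device at 2020-03-01 has only the first part of the bulletin.
        findings.append("2020-03-05 kernel/vendor fixes")
        if is_mediatek(props):
            findings.append("CVE-2020-0069")
    return findings

# Constructed sample dumps (not real devices).
SAMPLE_MTK = """[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2020-02-05]
[ro.board.platform]: [mt6765]"""
SAMPLE_PARTIAL = """[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2020-03-01]
[ro.board.platform]: [sdm845]"""
```

The patch level string is reported by the device build itself, so it indicates what the vendor claims to have shipped rather than proving a given driver fix is present.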

This month, Google also published a large security bulletin for Pixel devices, which describes over 50 additional vulnerabilities that are patched on Google devices running security patch levels of 2020-03-05 or later.

These include three vulnerabilities in framework, four in media framework, sixteen in system, twenty-four in kernel components, four in Qualcomm components, and two in Qualcomm closed-source components.

The addressed flaws include remote code execution, elevation of privilege, and information disclosure bugs, the vast majority of which are rated moderate severity. 
