Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Patches Critical Vulnerabilities in Android’s Media Framework

Google has released its April 2019 set of security patches for the Android platform, which fixes three Critical vulnerabilities, including two that affect the Media framework component. 

Google has released its April 2019 set of security patches for the Android platform, which fixes three Critical vulnerabilities, including two that affect the Media framework component. 

Tracked as CVE-2019-2027 and CVE-2019-2028, the two security flaws could be exploited remotely by attackers to execute code on vulnerable devices. Android versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9 are impacted. 

“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google’s advisory reads

Both bugs were addressed as part of the 2019-04-01 security patch level, along with one High severity flaw (elevation of privilege) in Framework and 8 High risk issues in System (5 elevation of privilege and 3 information disclosure). 

The second part of this month’s security fixes, included in the 2019-04-05 security patch level, addresses over 75 vulnerabilities in System and open and closed-source Qualcomm components.

The first of the four issues patched in System is a Critical remote code execution bug that impacts Android 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9, the same as the flaws in Media framework. The remaining three are High risk bugs (2 elevation of privilege and 1 information disclosure).

Another Critical vulnerability was addressed in Qualcomm components, along with 29 other High severity flaws. Of the 30 bugs, 29 impact WLAN HOST, and only one affects Kernel. 

Of the 44 vulnerabilities patched in Qualcomm closed-source components, 6 were rated Critical and 38 were rated High severity. 

No Pixel security fixes were included in the April 2019 Pixel Update Bulletin, but Google did release some functional patches for Pixel devices, to improve the functionality of assistant, Wi-Fi connectivity, and display functionality of Pixel 3 and Pixel 3 XL, and Bluetooth connectivity on Pixel and Pixel XL.

Related: Android Q Brings New Privacy and Security Features

Related: 18,000 Android Apps Violate Google’s Ad ID Policies: Analysis

Related: Google Patches Critical Vulnerability in Android

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.