Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Google Patches High-Risk Android Security Flaws

Google this week pushed out a security-themed Android update with fixes for more than 30 security flaws that expose mobile users to a range of malicious hacker attacks.

The latest Android update provides documentation on 33 security bugs, some serious enough to cause privilege escalation or information disclosure compromises.

Google this week pushed out a security-themed Android update with fixes for more than 30 security flaws that expose mobile users to a range of malicious hacker attacks.

The latest Android update provides documentation on 33 security bugs, some serious enough to cause privilege escalation or information disclosure compromises.

The most important of these is a bug in the Media framework that could lead to elevation of privilege on Android 8.1 and 9 devices, or information disclosure, on Android 10 and 11. The issue is tracked as CVE-2021-0519.

“The most severe of these issues is a high security vulnerability in the Media Framework component that could enable a local malicious application to bypass operating system protections that isolate application data from other applications,” according to a Google advisory.

The 2021-08-01 security patch level also includes fixes for three high severity elevation of privilege flaws in Framework, and a pair of elevation of privilege and three information disclosure bugs in System. All five are rated high severity.

The second part of this month’s security update, the 2021-08-05 security patch level, brings fixes for a total of 24 vulnerabilities affecting Kernel components, MediaTek components, Widevine DRM, Qualcomm components, and Qualcomm closed-source components.

The most severe of these issues is a use after free that may allow an attacker to execute arbitrary code with kernel privileges.

Advertisement. Scroll to continue reading.

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In addition to the vulnerabilities resolved with the August 2021 Android Security Bulletin, Google also fixed three medium-severity bugs specific to Google devices. These include an elevation of privilege in the Pixel component, and two other unspecified vulnerabilities in Qualcomm closed-source components.

All of these issues are fixed on Pixel devices running a patch level of 2021-08-05, Google notes.

Related: Android Updates for July 2021 Patch Tens of High-Severity Vulnerabilities

Related: Critical Vulnerabilities Patched in Android With June 2021 Security Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...