Google’s First Security Update For Android In 2020 Addresses Security Flaws With ‘High And Critical’ Severity Ratings

Google’s Android operating system for smartphones has received its first security update of the new year. Google’s first security update of 2020 addressed seven Android flaws classified as high and critical. While the number and severity ratings might appear concerning, the Android OS has been getting better at keeping hackers and malicious code writers away.

Google’s first Android Security Bulletin of 2020 included a patch for a critical flaw in the smartphone operating system. The flaw, if successfully exploited, could potentially allow a hacker to execute arbitrary, unauthorized, and possibly malicious code. The security flaw, now patched, was remotely exploitable. In other words, it didn’t require the hacker to be in physical possession of the Android device and didn’t require the attacker to be on the same network to execute the hack.

Google Android 2020 Security Update Patches Remote Code Execution (RCE) Flaw:

Google issued this year’s first Security Patch Update for Android OS, and it contains protection against a Remote Code Execution (RCE) flaw, which was one of seven critical- and high-severity vulnerabilities. The Google News Bulletin briefly mentions the vulnerabilities, but doesn’t offer details owing to security concerns:

“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”

The search giant, which also develops and maintains the world’s most widely used smartphone operating system, noted that the RCE security flaw, officially tagged CVE-2020-0002 and marked as ‘Severe’, exists in Android’s Media framework. The framework includes support for playing a variety of common media types. It forms the basis of smartphone multimedia usage and consumption, as it allows users to listen to audio and access video and images.

The CVE-2020-0002 RCE security flaw affects Android operating system versions 8.0, 8.1 and 9. Although Google has specifically indicated, the latest Android version 10 appears to be largely immune to the flaw. In addition to the CVE-2020-0002 bug, Google also fixed high-severity Elevation of Privilege flaws (CVE-2020-0001, CVE-2020-0003).

The company also addressed a Denial of Service (DoS) flaw (CVE-2020-0004) in the Android framework, which “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.” The remaining three security vulnerabilities, tagged CVE-2020-0006, CVE-2020-0007 and CVE-2020-0008, “could lead to remote information disclosure with no additional execution privileges needed.”

Apart from these flaws, Google also patched twenty-nine other vulnerabilities. Incidentally, they were mostly related to Qualcomm components. One flaw, tagged as CVE-2019-17666 and flagged as ‘Critical’, existed in the Qualcomm Realtek “RTLWiFi driver”. It could lead to a Remote Code Execution attack. The RTLWiFi driver allows certain Realtek Wi-Fi modules to communicate within and with devices running the Linux operating system.

The last Google Security Update of 2019 patched three critical-severity vulnerabilities in the Android operating system. The December 2019 Android Security Bulletin fixed a total of 15 vulnerabilities, which were spread across Critical, High and Medium severity ratings.


Alap Naik Desai


A B.Tech Plastics (UDCT) and a Windows enthusiast. Optimizing the OS, exploring software, searching and deploying solutions to strange and weird issues is Alap's main interest.