Google released a security bulletin on April 1 and fixed 12 high-risk and major vulnerabilities. Among them, there are three critical remote code execution bugs that could let a remote hacker attack a vulnerable system simply by sending a malicious file.
In these security patches released in, CVE-2019-2027 and CVE-2019-2028 vulnerabilities are located in the Android media framework, allowing an attacker to transfer modified files and execute arbitrary remote code within the context of a privileged process. Therefore, these vulnerabilities are rated as a significant risk by Google researchers.
The Google team also patched 9 high-risk vulnerabilities, including 6 privilege escalation vulnerabilities. CVE-2019-2026 is located in the Android framework, and the other 5 items (CVE-2019-2030, CVE-2019-2031, CVE-2019-2033, CVE-2019-2034, and CVE-2019-2035) are located in the operating system. The vulnerabilities allow an attacker on authenticator system to gain higher privileges without user’s permission. Besides, within the operating system core, there are other three vulnerabilities that could cause information leak. They are CVE-2019-2038, CVE-2019-2039 and CVE-2019-2040, rated as high risk as well.
In addition to a few vulnerabilities, most of the vulnerabilities mainly affect Android 7.0 (7.1.1, 7.1.2), 8.0/8.1, and 9. Fortunately, Google said it has not received any report on the exploitation of the above vulnerability. Actually, the major Android vendors have been notified about the vulnerabilities at least a month ago, including Google Pixel and Nexus devices, Samsung, Sony, LG, HTC, Nokia and other brand mobile phone users.
Google is expected to release a second round of security patches on April 5 to fix another remote code execution vulnerability in the operating system, as well as two privilege updates and one information leak vulnerability. The April 5 update patch will resolve all of the above vulnerabilities. We encourage all users to update to the latest version of Android where possible.
Published by Emerson L. Sullivan & last updated on April 4, 2019 6:53 am