There are new Android security patches that fix critical bugs, Google officials said. The security patches resolve 55 vulnerabilities in Android: 8 rated critical, 30 high risk, and 17 moderate. After Google said they were “Hardening the media stack” by changing the compiler settings it seems like we have yet MORE vulnerabilities similar to StageFright.
Eight were rated critical by Google because of the possibility of remote code execution. Off the top, Google fixed the two remaining unpatched Quadrooter vulnerabilities in Qualcomm chips, identified as CVE 2016-3861, as well as a critical bug , cataloged as CVE-2016-3862, in the jhead library that could exploited by a single specially crafted jpeg file.
CVE 2016-3861, allowed attackers to execute malware or escalate local privileges on vulnerable phones. Mark Brand, a researcher with Google’s Project Zero security team, warned that it’s “an extremely serious bug” because it can be exploited in a large variety of ways. It’s not even very hard to detect he said signaling chances that other researchers already knew about it. According to the report published on Arstechnica, this affects most of the recent android versions.
CVE-2016-3862, can be exploited by sending a maliciously formatted jpeg image. When sent through Gmail or Google Talk, the malicious code is concealed inside Exif data embedded in the image. The target doesn’t need to click on anything to become compromised. Arstechnica reports that to an advanced hacker, this jpeg vulnerability was relatively easy to find and exploit. This would give the attacker access to anything the app has access to or even gain root access.
These vulnerabilities were made public the same week that researchers at Checkpoint Security pointed out the Dresscode malware and the affected apps (collectively downloaded 2.5 million times) on the Google Playstore.
This is all so disappointing as an Android fan, it was a bad week. But its not just that one week, this has been going on from the last 6 years and will perhaps go on for 6 or 16 more. Not even the Nexus 5X is reported to be receiving these updates yet and its a Nexus. These vulnerabilities are now out in the open inviting any attackers to exploit them and yet, most of the devices wouldn’t be getting any updates. Not even the so called flagships.
Its kind of given now that the moment you unbox your shiny new Android, remember its already vulnerable to some sort of security loophole or bug. Make sure to check out the arstechnica report, in case i missed something. Its a short one.
How do you feel, as an android fan, when reports of such vulnerabilities surface? Sure most of them are nothing serious but when Google’s own security team says its a major bug, you’ve got to believe it. Right?
Source : Arstechnica