Samsung Fixes Critical Android Flaws With November 2020 Updates
This week Samsung has started rolling out Android’s November security updates to mobile devices to patch critical security vulnerabilities in the operating system and enhance overall features on the devices.
This comes after Android had published their November 2020 security updates bulletin, which includes patches for critical vulnerabilities impacting the latest devices.
As observed by BleepingComputer, Samsung Galaxy devices are automatically pulling updates released on November 9, 2020, this week.
These updates include numerous improvements related to Wi-Fi connectivity, Camera app, along with some pretty significant security fixes.
Also Read: Data Protection Authority GDPR: Everything You Need To Know
Source: BleepingComputer
Almost every vulnerability addressed by this update, has either a ‘High’ or ‘Critical’ severity, making this update a must for Android users so that their devices remain protected.
RCE, Privilege escalation, and Denial of Service (DoS)
There’s the high severity vulnerability, CVE-2020-0409 lurking in the Android runtime itself arising from an overflow, which has been fixed by this update.
The issue could have let a locally running app to bypass user interaction requirements and illicitly gain additional permissions. The fix commit shown below patches CVE-2020-0409.
Source: Google Git
Meanwhile, one of the most critical vulnerabilities CVE-2020-0451 is an overflow in the Media Framework component and allows for both Remote Code Execution and Information Disclosure.
Also Read: The Importance Of Knowing Personal Data Protection Regulations
“The most severe vulnerability in [the Media Framework] section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” explains the Android November 2020 security bulletin.
Whereas, most vulnerabilities in the Framework itself concerned the attackers being able to cause a “permanent” DoS condition via specially crafted messages.
Some other notable vulnerabilities fixed by this update, as listed in the security bulletin include:
Framework
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2020-0441 | A-158304295 | DoS | Critical | 8.0, 8.1, 9, 10, 11 |
| CVE-2020-0442 | A-147358092 | DoS | Critical | 8.0, 8.1, 9, 10, 11 |
| CVE-2020-0418 | A-153879813 | EoP | High | 10 |
| CVE-2020-0439 | A-140256621 [2] | EoP | High | 8.0, 8.1, 9, 10, 11 |
| CVE-2020-0454 | A-161370134 [2] | ID | High | 9 |
| CVE-2020-0443 | A-152410253 | DoS | High | 8.0, 8.1, 9, 10, 11 |
Media Framework
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2020-0451 | A-158762825 | ID | High | 10, 11 |
| RCE | Critical | 8.0, 8.1, 9 | ||
| CVE-2020-0452 | A-159625731 | RCE | High | 8.0, 8.1, 9, 10, 11 |
| CVE-2020-0438 | A-161812320 | EoP | High | 11 |
| EoP | Moderate | 10 |
System
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2020-0449 | A-162497143 | RCE | Critical | 8.0, 8.1, 9, 10, 11 |
| CVE-2020-12856 | A-157038281 [2] [3] [4] | EoP | High | 8.0, 8.1, 9, 10, 11 |
| CVE-2020-0424 | A-161362564 | ID | High | 9, 10, 11 |
| CVE-2020-0448 | A-153995334 | ID | High | 8.0, 8.1, 9, 10, 11 |
| CVE-2020-0450 | A-157650336 | ID | High | 8.0, 8.1, 9, 10, 11 |
| CVE-2020-0453 | A-159060474 | ID | High | 8.0, 8.1, 9 |
| CVE-2020-0437 | A-162741784 | DoS | High | 8.0, 8.1, 9, 10, 11 |
Some bugs remain still exploitable
On select Samsung Galaxy devices, the updates pushed this week have their latest “security patch level” dated “2020-11-01.”
This implies the high and critical severity vulnerabilities to be fixed by the “2020-11-05 security patch” could be still exploitable.
Users are advised to update their Android devices immediately to safeguard against these bugs, and ensure their devices have the “auto-update” settings enabled.
A full description of enhancements and optimizations this update brings is provided on Samsung’s website.
0 Comments