Samsung Rolls Out Android Updates Fixing Critical Vulnerabilities
Samsung has started rolling out Android’s August security updates to mobile devices to fix critical security vulnerabilities in the operating system.
This week Android published its August 2020 security updates, which include numerous security patches for critical vulnerabilities impacting the latest devices.
As observed by BleepingComputer, Samsung Galaxy devices are automatically pulling updates today, August 8, 2020. These updates include camera improvements and Wi-Fi optimizations, along with some pretty significant security fixes.
All vulnerabilities in this update have a rating of either ‘High’ or ‘Critical’ severity, making this update a requirement for Android users so that their devices remain protected.
From RCE, to UI bypass: the most concerning vulnerabilities
Of all the patches, the standout is a fix for CVE-2020-0240, a remote code execution vulnerability caused by an “integer overflow” bug in the Android operating system.
“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process,” explained the advisory bulletin.
If successfully exploited, this vulnerability would allow a remote attacker to take full control over your device.
Other concerning vulnerabilities include those that allow an attacker to completely bypass user interaction to gain elevated permissions. Such a vulnerability would allow an attacker to run code with higher permissions than it usually would have.
If exploited, “the most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements to gain access to additional permissions,” the advisory bulletin states.
Other notable vulnerabilities fixed in this update are categorized below:
Framework:
CVE | References | Type | Severity | Updated AOSP versions |
---|---|---|---|---|
CVE-2020-0240 | A-150706594 | RCE | High | 10 |
CVE-2020-0238 | A-150946634 | EoP | High | 8.0, 8.1, 9, 10 |
CVE-2020-0257 | A-156741968 | EoP | High | 10 |
CVE-2020-0239 | A-151095863 | ID | High | 9, 10 |
CVE-2020-0249 | A-154719656 | ID | High | 8.0, 8.1, 9, 10 |
CVE-2020-0258 | A-157598956 | ID | High | 10 |
CVE-2020-0247 | A-156087409 | DoS | High | 8.0, 8.1, 10 |
Media Framework:
CVE | References | Type | Severity | Updated AOSP versions |
---|---|---|---|---|
CVE-2020-0241 | A-151456667 | EoP | High | 8.0, 8.1, 9, 10 |
CVE-2020-0242 | A-151643722 | EoP | High | 8.0, 8.1, 9, 10 |
CVE-2020-0243 | A-151644303 | EoP | High | 8.0, 8.1, 9, 10 |
System:
CVE | References | Type | Severity | Updated AOSP versions |
---|---|---|---|---|
CVE-2020-0108 | A-140108616 [2] [3] [4] | EoP | High | 8.1, 9, 10 |
CVE-2020-0256 | A-152874864 | EoP | High | 8.0, 8.1, 9, 10 |
CVE-2020-0248 | A-154627439 | ID | High | 10 |
CVE-2020-0250 | A-154934934 | ID | High | 10 |
A complete list of many more CVEs that were patched in different components has been provided in the bulletin.
Some bugs may still be exploitable
On select Samsung Galaxy devices, the updates pushed this week have their latest “security patch level” dated “2020-08-01.” This implies that the high-severity Escalation of Privileges (EoP) vulnerabilities to be fixed by the “2020-08-05 security patch” are still exploitable on those devices.
Just one of these vulnerabilities, CVE-2020-0259, can allow a locally present attacker to execute arbitrary code on an unpatched device by escalating privileges.
Users are advised to update their Android devices immediately to safeguard against these bugs, and ensure their devices have the “auto-update” settings enabled.
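The patch-level gap described above can be checked across a set of devices. The following is an added example, not part of the original article: it classifies a reported security patch level against the 2020-08-01 and 2020-08-05 levels, assuming a later level includes the earlier one. The device names and inventory are constructed, and `ro.build.version.security_patch` is the system property read through adb.

```shell
#!/bin/sh
# Added example (not from the article): audit Android security patch levels
# against the two August 2020 levels the article names.
PARTIAL_LEVEL=20200801   # "2020-08-01", the level seen on the Galaxy devices
FULL_LEVEL=20200805      # "2020-08-05", the level carrying the remaining fixes

# classify_patch_level YYYY-MM-DD -> full | partial | outdated | invalid
# Only the format is checked, not whether the date exists in the calendar.
classify_patch_level() {
    level=$(printf '%s' "$1" | tr -d '\r')   # adb output may end in CR
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    n=$(printf '%s' "$level" | sed 's/-//g')  # 2020-08-01 -> 20200801
    if [ "$n" -ge "$FULL_LEVEL" ]; then echo full
    elif [ "$n" -ge "$PARTIAL_LEVEL" ]; then echo partial
    else echo outdated
    fi
}

# audit_inventory: read "<device> <patch level>" lines on stdin and print
# every device that is not at the full level, with its classification.
audit_inventory() {
    while read -r device level; do
        [ -n "$device" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = full ] || echo "$device $status"
    done
}

# device_patch_level: read the level from an attached device (requires adb).
device_patch_level() {
    adb shell getprop ro.build.version.security_patch
}

# Constructed sample inventory (hypothetical device names).
sample_inventory() {
    cat <<'EOF'
galaxy-a 2020-08-01
pixel-b 2020-08-05
tablet-c 2020-07-01
kiosk-d unknown
EOF
}

sample_inventory | audit_inventory
```

For a connected device, `classify_patch_level "$(device_patch_level)"` gives the same classification; a result of `partial` corresponds to the situation the article describes.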