This week Samsung has started rolling out Android’s December security updates to mobile devices to patch critical security vulnerabilities in the operating system and related components.
This comes after Android had published their December 2020 security updates bulletin, which includes patches for critical vulnerabilities impacting the latest devices.
As observed by BleepingComputer, Samsung Galaxy devices are automatically pulling updates released on December 7, 2020, this week.
These updates mainly comprise significant security fixes with possible device stability enhancements.
Every vulnerability addressed by this update, has either a ‘High’ or ‘Critical’ severity rating, making this update a must for Android users so that their devices remain protected.
Also Read: What Is A Governance Framework? The Importance And How It Works
There’s the high severity vulnerability, CVE-2020-0458 lurking in the Android Media Framework arising from a buffer overflow, which has been fixed by this update.
The vulnerability could let an attacker perform remote code execution (RCE) attacks using a specially crafted file within the context of a privileged process.
Other flaws impacting components like Framework and System could allow sensitive information disclosure and user interaction bypass, i.e. a malicious app can gain additional permissions on the vulnerable device without the user’s approval.
The list of vulnerabilities patched by this update includes:
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2020-0099 | A-141745510 | EoP | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0294 | A-154915372 | EoP | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0440 | A-162627132 [2] | EoP | High | 11 |
| CVE-2020-0459 | A-159373687 [2] [3] [4] [5] | ID | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0464 | A-150371903 [2] | ID | High | 10 |
| CVE-2020-0467 | A-168500792 | ID | High | 8.1, 9, 10, 11 |
| CVE-2020-0468 | A-158484422 | ID | High | 10, 11 |
| CVE-2020-0469 | A-168692734 | DoS | High | 11 |
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2020-0458 | A-160265164 [2] | RCE | Critical | 8.0, 8.1, 9, 10 |
| CVE-2020-0470 | A-166268541 | ID | High | 10, 11 |
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2020-0460 | A-163413737 | ID | High | 11 |
| CVE-2020-0463 | A-169342531 | ID | High | 8.0, 8.1, 9, 10, 11 |
| CVE-2020-15802 | A-158854097 | ID | High | 8.0, 8.1, 9, 10, 11 |
Also Read: Website Ownership Laws: Your Rights And What These Protect
On select Samsung Galaxy devices, the updates pushed this week have their latest “security patch level” dated “2020-12-01.”
This implies the high and critical severity vulnerabilities to be fixed by the “2020-12-05 security patch” could be still exploitable.
Users are advised to update their Android devices immediately to safeguard against these bugs, and ensure their devices have the “auto-update” settings enabled.
A full description of enhancements and optimizations this update brings is provided on Samsung’s website.
Established in 2018, Privacy Ninja is a Singapore-based IT security company specialising in data protection and cybersecurity solutions for businesses. We offer services like vulnerability assessments, penetration testing, and outsourced Data Protection Officer support, helping organisations comply with regulations and safeguard their data.
Singapore
7 Temasek Boulevard,
#12-07, Suntec Tower One,
Singapore 038987
