Samsung has started rolling out Android’s September security updates to mobile devices to fix critical security vulnerabilities in the operating system and enhance overall features on the devices.
This week Android published their September 2020 security updates, which includes numerous security patches for critical vulnerabilities impacting the latest devices.
As observed by BleepingComputer, Samsung Galaxy devices are automatically pulling updates today, September 9, 2020.
These updates include numerous improvements related to Wi-Fi connectivity, Samsung Keyboard, and the Messages app, along with some pretty significant security fixes. There are also optimizations made to the camera’s Pro Video feature.
All vulnerabilities addressed by this update, have either a ‘High’ or ‘Critical’ severity, making this update a requirement for Android users so that their devices remain protected.
One of the most critical vulnerabilities CVE-2020-0245, for example, impacts the Media Framework component and allows for both Remote Code Execution and Information Disclosure.
“The most severe vulnerability in [the Media Framework] section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” explains the Android September 2020 security bulletin.
Whereas, most vulnerabilities in the Framework itself concerned the attackers being able to bypass user interaction requirements, to gain extra permissions.
Other notable vulnerabilities fixed by this update, as listed in the security bulletin include:
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2020-0074 | A-146204120 | EoP | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0388 | A-156123285 | EoP | High | 10 |
| CVE-2020-0391 | A-158570769 | EoP | High | 9, 10 |
| CVE-2020-0401 | A-150857253 | EoP | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0382 | A-152944488 | ID | High | 10 |
| CVE-2020-0389 | A-156959408 | ID | High | 10 |
| CVE-2020-0390 | A-157598026 | ID | High | 10 |
| CVE-2020-0395 | A-154124307 | ID | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0397 | A-155092443 | ID | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0399 | A-153993591 | ID | High | 8.0, 8.1, 9, 10 |
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2020-0245 | A-152496149 | ID | High | 10 |
| RCE | Critical | 8.0, 8.1, 9 | ||
| CVE-2020-0392 | A-150226608 | EoP | High | 9, 10 |
| CVE-2020-0381 | A-150159669 | ID | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0383 | A-150160279 | ID | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0384 | A-150159906 | ID | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0385 | A-150160041 | ID | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0393 | A-154123412 | ID | High | 9, 10 |
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2020-0380 | A-146398979 | RCE | Critical | 8.0, 8.1, 9, 10 |
| CVE-2020-0396 | A-155094269 | ID | Critical | 8.0, 8.1, 9, 10 |
| CVE-2020-0386 | A-155650356 | EoP | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0394 | A-155648639 | EoP | High | 8.0, 8.1, 9, 10 |
| CVE-2020-0379 | A-150156492 | ID | High | 8.0, 8.1, 9, 10 |
Also read: PDPA For Companies: Compliance Guide For Singapore Business
On select Samsung Galaxy devices, the updates pushed this week have their latest “security patch level” dated “2020-09-01.” This implies the high severity Escalation of Privileges (EoP) vulnerabilities to be fixed by the “2020-09-05 security patch” are still exploitable.
Just one of these vulnerabilities, CVE-2020-0402, for example, can allow a locally present attacker to escalate privileges on unpatched devices due to a use-after-free flaw related to the “locks” implemented by the filesystem.
The fix commit authored by Linus Torvalds, the creator of the Linux OS, patches both the use-after-free flaw and the race condition that could’ve occurred because of it.
Users are advised to update their Android devices immediately to safeguard against these bugs, and ensure their devices have the “auto-update” settings enabled.
A full description of enhancements and optimizations this update brings is provided on Samsung’s website.
Also read: 10 Government Data Leaks In Singapore: Prevent Cybersecurity
Established in 2018, Privacy Ninja is a Singapore-based IT security company specialising in data protection and cybersecurity solutions for businesses. We offer services like vulnerability assessments, penetration testing, and outsourced Data Protection Officer support, helping organisations comply with regulations and safeguard their data.
Singapore
7 Temasek Boulevard,
#12-07, Suntec Tower One,
Singapore 038987
