HackDig : Dig high-quality web security articles for hackers

Samsung fixes critical Android flaws with November 2020 updates

2020-11-11 08:12

This week Samsung has started rolling out Android's November security updates to mobile devices to patch critical security vulnerabilities in the operating system and enhance overall features on the devices.

This comes after Android had published their November 2020 security updates bulletin, which includes patches for critical vulnerabilities impacting the latest devices.

As observed by BleepingComputer, Samsung Galaxy devices are automatically pulling updates released on November 9, 2020, this week.

These updates include numerous improvements related to Wi-Fi connectivity, Camera app, along with some pretty significant security fixes.

Samsung Galaxy Android November 2020 updates
Samsung Galaxy receiving Android November 2020 updates this week
Source: BleepingComputer

Almost every vulnerability addressed by this update, has either a 'High' or 'Critical' severity, making this update a must for Android users so that their devices remain protected.

RCE, Privilege escalation, and Denial of Service (DoS)

There's the high severity vulnerability, CVE-2020-0409 lurking in the Android runtime itself arising from an overflow, which has been fixed by this update.

The issue could have let a locally running app to bypass user interaction requirements and illicitly gain additional permissions. The fix commit shown below patches CVE-2020-0409.

fix commit for CVE-2020-0409 android flaw
Fix made for CVE-2020-0409 to patch an overflow in Android runtime
Source: Google Git

Meanwhile, one of the most critical vulnerabilities CVE-2020-0451 is an overflow in the Media Framework component and allows for both Remote Code Execution and Information Disclosure.

"The most severe vulnerability in [the Media Framework] section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," explains the Android November 2020 security bulletin

Whereas, most vulnerabilities in the Framework itself concerned the attackers being able to cause a "permanent" DoS condition via specially crafted messages.

Some other notable vulnerabilities fixed by this update, as listed in the security bulletin include:

Framework

CVEReferencesTypeSeverityUpdated AOSP versions
CVE-2020-0441A-158304295DoSCritical8.0, 8.1, 9, 10, 11
CVE-2020-0442A-147358092DoSCritical8.0, 8.1, 9, 10, 11
CVE-2020-0418A-153879813EoPHigh10
CVE-2020-0439A-140256621 [2]EoPHigh8.0, 8.1, 9, 10, 11
CVE-2020-0454A-161370134 [2]IDHigh9
CVE-2020-0443A-152410253DoSHigh8.0, 8.1, 9, 10, 11

Media Framework

CVEReferencesTypeSeverityUpdated AOSP versions
CVE-2020-0451A-158762825IDHigh10, 11
RCECritical8.0, 8.1, 9
CVE-2020-0452A-159625731RCEHigh8.0, 8.1, 9, 10, 11
CVE-2020-0438A-161812320EoPHigh11
EoPModerate10

System

CVEReferencesTypeSeverityUpdated AOSP versions
CVE-2020-0449A-162497143RCECritical8.0, 8.1, 9, 10, 11
CVE-2020-12856A-157038281 [2] [3] [4]EoPHigh8.0, 8.1, 9, 10, 11
CVE-2020-0424A-161362564IDHigh9, 10, 11
CVE-2020-0448A-153995334IDHigh8.0, 8.1, 9, 10, 11
CVE-2020-0450A-157650336IDHigh8.0, 8.1, 9, 10, 11
CVE-2020-0453A-159060474IDHigh8.0, 8.1, 9
CVE-2020-0437A-162741784DoSHigh8.0, 8.1, 9, 10, 11

Some bugs remain still exploitable

On select Samsung Galaxy devices, the updates pushed this week have their latest "security patch level" dated "2020-11-01."

This implies the high and critical severity vulnerabilities to be fixed by the "2020-11-05 security patch" could be still exploitable.

Users are advised to update their Android devices immediately to safeguard against these bugs, and ensure their devices have the "auto-update" settings enabled.

A full description of enhancements and optimizations this update brings is provided on Samsung's website.


Source: 02-rebmevon-htiw-swalf-diordna-lacitirc-sexif-gnusmas/ytiruces/swen/moc.retupmocgnipeelb.www

Read:382 | Comments:0 | Tags:Security Mobile Technology android

“Samsung fixes critical Android flaws with November 2020 updates”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Tools

Tag Cloud