Samsung Rolls Out Android Updates Fixing Critical Vulnerabilities

https://open.spotify.com/show/3Gmj15x6cGrgJEzmGnDTTj?si=nytzAjvSR4qBqTbLP6pgKA

Samsung Rolls Out Android Updates Fixing Critical Vulnerabilities

Samsung has started rolling out Android’s August security updates to mobile devices to fix critical security vulnerabilities in the operating system.

This week Android published their August 2020 security updates, which includes numerous security patches for critical vulnerabilities impacting the latest devices.

As observed by BleepingComputer, Samsung Galaxy devices are automatically pulling updates today, August 8, 2020. These updates include camera improvements and Wi-Fi optimizations, along with some pretty significant security fixes.

All vulnerabilities in this update have a rating of either either ‘High’ or ‘Critical’ severity, making this update a requirement for Android users so that their devices remain protected.

 

From RCE, to UI bypass: the most concerning vulnerabilities

Of all the patches, the winning candidate is a fix for CVE-2020-0240, a remote code execution vulnerability caused by an “integer overflow” bug in the Android operating system.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process,” explained the advisory bulletin

If successfully exploited, this vulnerability would allow a remote attacker to take full control over your device.

Other concerning vulnerabilities include those that allow you to completely bypass user interaction to gain elevated permission. This vulnerability would allow an attacker to run code at higher permissions then it usually would.

If exploited, “the most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements to gain access to additional permissions,” the advisory bulletin states.

Also read: 9 Policies For Security Procedures Examples

 

Other notable vulnerabilities fixed in this update are categorized below:

Framework:

CVE	References	Type	Severity	Updated AOSP versions
CVE-2020-0240	A-150706594	RCE	High	10
CVE-2020-0238	A-150946634	EoP	High	8.0, 8.1, 9, 10
CVE-2020-0257	A-156741968	EoP	High	10
CVE-2020-0239	A-151095863	ID	High	9, 10
CVE-2020-0249	A-154719656	ID	High	8.0, 8.1, 9, 10
CVE-2020-0258	A-157598956	ID	High	10
CVE-2020-0247	A-156087409	DoS	High	8.0, 8.1, 10

 

Media Framework:

CVE	References	Type	Severity	Updated AOSP versions
CVE-2020-0241	A-151456667	EoP	High	8.0, 8.1, 9, 10
CVE-2020-0242	A-151643722	EoP	High	8.0, 8.1, 9, 10
CVE-2020-0243	A-151644303	EoP	High	8.0, 8.1, 9, 10

System:

CVE	References	Type	Severity	Updated AOSP versions
CVE-2020-0108	A-140108616 [2] [3] [4]	EoP	High	8.1, 9, 10
CVE-2020-0256	A-152874864	EoP	High	8.0, 8.1, 9, 10
CVE-2020-0248	A-154627439	ID	High	10
CVE-2020-0250	A-154934934	ID	High	10

A complete list of many more CVEs that were patched in different components has been provided in the bulletin. 

 

Some bugs may still be exploitable

On select Samsung Galaxy devices, the updates pushed this week have their latest “security patch level” dated “2020-08-01.” This implies the high severity Escalation of Privileges (EoP) vulnerabilities to be fixed by the “2020-08-05 security patch” are still exploitable.

Just one of these vulnerabilities, CVE-2020-0259, for example, can allow a locally present attacker to execute arbitrary code on an unpatched device by escalating privileges.

Users are advised to update their Android devices immediately to safeguard against these bugs, and ensure their devices have the “auto-update” settings enabled.

Also read: 7 Client Data Protection Tips to Keep Customers Safe

https://www.youtube.com/watch?v=30eI59FlBdk