Samsung patched this month a critical bug discovered by Google security researchers.
South Korean smartphone vendor Samsung released this week a security update to fix a critical vulnerability impacting all smartphones sold since 2014.
The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014.
The perfect 10 critical vulnerability to your Samsung Galaxy smartphone explained
When a security issue is given a perfect 10 risk rating under the common vulnerability scoring system (CVSS), then you know it’s about as dangerous as things can be. Those perfect 10 scores aren’t typical, but they do crop up now and then. On this occasion, it’s for a vulnerability that was uncovered by researchers working at Google’s Project Zero. A critical vulnerability that exists within Samsung’s handling of the Qmage image format under Android. A critical vulnerability, therefore, that has been around since late 2014 when Samsung started supporting the .qmg format in all its Galaxy smartphone devices.
Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team, discovered a way to exploit how Skia (the Android graphics library) handles Qmage images sent to a device.
BUG CAN BE EXPLOITED WITHOUT USER INTERACTION
Jurczyk says the Qmage bug can be exploited in a zero-click scenario, without any user interaction. This happens because Android redirects all images sent to a device to the Skia library for processing — such as generating thumbnail previews — without a user’s knowledge.
The researcher developed a proof-of-concept demo exploiting the bug against the Samsung Messages app, included on all Samsung devices and responsible for handling SMS and MMS messages.
Jurczyk said he exploited the bug by sending repeated MMS (multimedia SMS) messages to a Samsung device. Each message attempted to guess the position of the Skia library in the Android phone’s memory, a necessary operation to bypass Android’s ASLR (Address Space Layout Randomization) protection.
Jurczyk says that once the Skia library was located in memory, a last MMS delivers the actual Qmage payload, which then executed the attacker’s code on a device.
The Google researcher says the attack usually needs between 50 and 300 MMS messages to probe and bypass the ASLR, which usually takes around 100 minutes, on average.
Furthermore, Jurczyk says that while the attack might look noisy, it can also be modified to execute without alerting the user.
“I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible,” the Google researcher says.
In addition, Jurczyk says that while he did not test exploiting the Qmage bug through other methods outside MMS and the Samsung Messages app, exploitation is theoretically possible against any app running on a Samsung phone that can receive Qmage images from a remote attacker.
BUG PATCHED THIS WEEK
The researcher discovered the vulnerability in February and reported the issue to Samsung. The South Korean phone maker patched the bug in its May 2020 security updates.
The bug is tracked as SVE-2020-16747 in the Samsung security bulletin and CVE-2020-8899 in the Mitre CVE database.
Other smartphones don’t appear to be impacted as only Samsung appears to have modified the Android OS to support the custom Qmage image format — developed by South Korean company Quramsoft.
This bug report is part of Project Zero’s recent focus on the zero-click attack surface in modern operating systems, and especially in their graphics processing code. Previously Google researchers also disclosed 14 zero-click bugs in Image I/O, Apple’s image parsing framework.
Jurczyk’s technical report on the Qmage bug is available here.The Google researcher says the attack usually needs between 50 and 300 MMS messages to probe and bypass the ASLR, which usually takes around 100 minutes, on average.
Furthermore, Jurczyk says that while the attack might look noisy, it can also be modified to execute without alerting the user.
“I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible,” the Google researcher says.
In addition, Jurczyk says that while he did not test exploiting the Qmage bug through other methods outside MMS and the Samsung Messages app, exploitation is theoretically possible against any app running on a Samsung phone that can receive Qmage images from a remote attacker.
How to Update Your Samsung Device?
Please do UPDATE your Samsung Devices now!
- Go to settings on your Samsung Device
- Search “update” – download
- Install the latest updates!
The good news is that, by the Google researchers working with Samsung and disclosing this critical vulnerability, it has now been patched. Well, a patch is included in the May 2020 security update that started circulating last week. The patch “adds the proper validation to prevent memory overwrite,” according to the update notes. You are advised to apply this update as a matter of urgency now that the existence of this vulnerability is known by potential threat actors.UPDA
0 Comments