
SoylentNews is people

posted by janrinok on Sunday September 08 2019, @12:55AM

Arthur T Knackerbracket has found the following story:

[Google] rolled out security patches for the Android mobile operating system but did not include the fix for at least one bug that enables increasing permissions to kernel level.

Security flaws that enable privilege escalation can be exploited from a position with limited access to one with elevated access to critical files on the system. In order to utilize this, an attacker should have already compromised the device but have their actions restricted by insufficient permissions.

The Android Security Bulletin for September includes fixes for a couple of critical vulnerabilities in the media framework and a load of high-severity bugs. But the vulnerability reported today is not on the list.

The vulnerability exists in the driver for the Video For Linux 2 (V4L2) interface used for video recording. It is estimated as a high-severity zero-day so it does not have an identification number yet.

"The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel."

The kernel is the part of the operating system with the highest privileges. This level of permissions can be used by a malicious application to run code that can lead to full system compromise.

Discovery of the vulnerability is credited to Lance Jiang and Moony Li of Trend Micro Research, who reported it through the Zero Day Initiative (ZDI) program. Google learned about it in March and acknowledged it. The company, though, said that a fix would become available but gave no date for delivering a patch.

Without an official solution for this security risk, mitigating it falls in the hands of the user. Brian Gorenc, director of Trend Micro’s ZDI program, told BleepingComputer that users should be careful with the apps they install on their Android devices.

"They should only load known-good apps directly from the Google Play store and avoid side-loading apps from third parties."


  • (Score: 5, Informative) by canopic jug on Sunday September 08 2019, @04:05AM


    It's not a zero day. Fix the title. Google was informed about the bug back in March making it not a 0-day but a 180+day.

    Whatever. It did not catch them by surprise. They just have not deigned to patch it, spending their time on stupid stuff like more surveillance or migrating the world from HTTP on TCP to HTTP on UDP.

    --
    Money is not free speech. Elections should not be auctions.