Google released its monthly Android security information on October 7, 2019, detailing the security patches that fix the vulnerabilities discovered so far. Google Project Zero (hereinafter referred to as Project Zero) researchers also disclosed information and urged caution, citing evidence that unresolved vulnerabilities in Google's "Pixel 2" were being exploited.
Android's monthly security patches are distributed to user devices via partners such as carriers and device manufacturers. Starting with Android 10, the "Google Play System Update" (Project Mainline) function allows important code to be delivered directly to the device from Google Play without going through the device manufacturer.
The monthly patch for October follows the usual scheme and consists of two patch levels, "2019-10-01" and "2019-10-05". Patch level "2019-10-05" or later is said to fix all the problems found so far.
Among them, the media framework component has three vulnerabilities classified as "Critical", the highest risk level. If exploited, they could allow a remote attacker to execute arbitrary code using a specially crafted file.
Meanwhile, the Pixel 2 vulnerability announced by researchers at Project Zero was confirmed to have come under attack in late September. There is information that it is used and sold by the Israeli company NSO Group. NSO Group is said to sell spyware products to government agencies in various countries.
According to the information posted on the Project Zero page, this vulnerability (CVE-2019-2215) was fixed in Android kernel versions 3.18, 4.4 and 4.9 in December 2017. However, an examination of the source code found that the Pixel 2 (with Android 9 and the Android 10 preview) is still vulnerable even with the latest patch. In addition to Pixel 1 and 2, some models from manufacturers such as Huawei Technologies, Xiaomi, Motorola, and Samsung Electronics are also affected.
According to Google, this vulnerability is rated high risk and can be exploited through malicious apps. Android partners have been notified and patches will be provided through the Android Common Kernel, while Pixel 1 and 2 will be addressed in an October update.