Researchers Disclose Unpatched Android Zero-Day

Researchers Disclose Unpatched Android Zero-Day

1 Star2 Stars3 Stars4 Stars5 Stars (1 stemmer, gennemsnit: 5.00 ud af 5)
Loading ...

A new zero-day vulnerability has been discovered in Android. Hvis udnyttet, the flaw could give a local attacker escalated privileges on the compromised device. According to TrendMicro’s Zero Day Initiative researchers Lance Jiang and Moony Li, the flaw is located within the v4l2 driver (Video4Linux 2) in Android.

Highly Critical Zero-Day Vulnerability in Android

When exploited, this component doesn’t validate the existence of an object prior to performing operations on the same object. A local attacker could exploit the vulnerability for privilege escalation in the kernel. Til sidst, this could grant the attacker full access and control over the Android device. This makes the vulnerability highly severe, especially when it’s being disclosed publicly without a patch.

The vulnerability was first reported to Google on March 13, 2019. På onsdag, the coordinated advisory was released to the public. It should be noted that when the company was first contacted by ZDI, it confirmed the issue and said it could be fixed, but without clarifying when a patch could be released.

Relaterede: Google Nægtede at lappe en sårbarhed i Android Chrome til 3 år

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it,” det rådgivende sagde.

The vulnerability is made public at the same time when Google released its September Android Security Bulletin. The bulletin addresses two critical remote code execution bugs in the media framework. The zero-day in question, dog, is disclosed separately and is not part of the bulletin.

It is curious to note that a couple of days ago Zerodium updated its pricelist and is currently offering bigger bounties for Android vulnerabilities. This happens for the first time ever, as iOS flaws have always been on the top of the mobile exploits list. From now, an Android zero-click exploit chain that requires no user interaction could get researchers a payout of up to $2.5 millioner, whereas the same exploit chain in iOS is estimated at $2 millioner.


Milena Dimitrova

En inspireret forfatter og indhold leder, der har været med SensorsTechForum for 4 år. Nyder ’Mr. Robot’og frygt’1984’. Fokuseret på brugernes privatliv og malware udvikling, hun tror stærkt på en verden, hvor cybersikkerhed spiller en central rolle. Hvis almindelig sund fornuft giver ingen mening, hun vil være der til at tage noter. Disse noter senere kan blive til artikler!

Flere indlæg

Efterlad en kommentar

Din e-mail-adresse vil ikke blive offentliggjort. Krævede felter er markeret *

Frist er opbrugt. Venligst genindlæse CAPTCHA.

Del på Facebook Del
Loading ...
Del på Twitter Tweet
Loading ...
Del på Google Plus Del
Loading ...
Del på Linkedin Del
Loading ...
Del på Digg Del
Del på Reddit Del
Loading ...
Del på Stumbleupon Del
Loading ...