Los investigadores Revelar sin parches Android de día cero
CYBER NOTICIAS

Los investigadores Revelar sin parches Android de día cero

1 Star2 Stars3 Stars4 Stars5 Stars (1 votos, promedio: 5.00 de 5)
Cargando ...

Una nueva vulnerabilidad de día cero se ha descubierto en Android. Si se explota, la falla podría dar a un atacante local escalada de privilegios en el dispositivo comprometido. De acuerdo con investigadores de la Iniciativa Día Cero de TrendMicro lanza Jiang y Li Moony, the flaw is located within the v4l2 driver (Video4Linux 2) in Android.




Highly Critical Zero-Day Vulnerability in Android

When exploited, this component doesn’t validate the existence of an object prior to performing operations on the same object. A local attacker could exploit the vulnerability for privilege escalation in the kernel. Finalmente, this could grant the attacker full access and control over the Android device. This makes the vulnerability highly severe, especially when it’s being disclosed publicly without a patch.

The vulnerability was first reported to Google on March 13, 2019. El miércoles, the coordinated advisory was released to the public. It should be noted that when the company was first contacted by ZDI, it confirmed the issue and said it could be fixed, but without clarifying when a patch could be released.

Relacionado: Google se negó a Parche de una vulnerabilidad en Chrome para Android 3 Años

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it,” el asesor dijo.

The vulnerability is made public at the same time when Google released its September Android Security Bulletin. The bulletin addresses two critical remote code execution bugs in the media framework. The zero-day in question, sin embargo, is disclosed separately and is not part of the bulletin.

It is curious to note that a couple of days ago Zerodium updated its pricelist and is currently offering bigger bounties for Android vulnerabilities. This happens for the first time ever, as iOS flaws have always been on the top of the mobile exploits list. From now, an Android zero-click exploit chain that requires no user interaction could get researchers a payout of up to $2.5 millones, whereas the same exploit chain in iOS is estimated at $2 millones.

avatar

Milena Dimitrova

Un escritor inspirado y gestor de contenidos que ha estado con SensorsTechForum de 4 año. Disfruta ‘Sr.. Robot’y miedos‘1984’. Centrado en la privacidad de los usuarios y el desarrollo de malware, ella cree firmemente en un mundo donde la seguridad cibernética juega un papel central. Si el sentido común no tiene sentido, ella estará allí para tomar notas. Esas notas pueden convertirse más tarde en artículos!

Más Mensajes

Dejar un comentario

Su dirección de correo electrónico no será publicada. Los campos necesarios están marcados *

Se agotó el tiempo límite. Vuelve a cargar de CAPTCHA.

Compartir en Facebook Compartir
Cargando ...
Compartir en Twitter Pío
Cargando ...
Compartir en Google Plus Compartir
Cargando ...
Compartir en Linkedin Compartir
Cargando ...
Compartir en Digg Compartir
Compartir en Reddit Compartir
Cargando ...
Compartir en Stumbleupon Compartir
Cargando ...