Google has patched several bugs in its May 2020 Android security patch. These vulnerabilities are reported to pose high risk for consumers as well as business and government institutions – if exploited. The critical severity flaw CVE-2020-0103, in particular, could allow for remote code execution. It affects all Android OS builds utilising security patch levels issued prior to May 5. Centre for Internet Security (CIS) has listed a total of 39 high risk vulnerabilities in Google’s Android OS that were patched in recent update by Google. The organisation notes that fixes for all of these vulnerabilities have been rolled out by Google with May 2020 patch, but other OEMs are yet to roll it out to their phones.
CIS has listed 39 Android OS vulnerabilities in its blog post that pose high risk to small, medium, and large businesses and government organisations. The organisation notes that there are currently no reports of these vulnerabilities being exploited in the wild. The most severe of these vulnerabilities is CVE-2020-0103 which could allow for remote code execution.
The remote code execution vulnerability in CVE-2020-0103 was not detailed on the CVE Mitre site by NVD, but Google in its security bulletin on May 1 noted, “The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.”
CIS adds, “Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files.” However the damage caused by these bugs varies based on the privileges associated with malicious apps. In the worst case scenario, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
“If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights,” CIS adds.
The latest Android Bulletin notes that all of these vulnerabilities have been patched with the latest May 2020 Android security patch dated May 5. Out of the 39 vulnerabilities, 36 were classified as high-severity, 1 was classified moderate, and 2 were classified as critical. Apart from CVE-2020-0103, the other critical-severity flaw (CVE-2020-3641) was in Qualcomm closed source component, and has not yet been detailed.
CIS advises OEMS to apply appropriate updates by Google or mobile carriers to vulnerable systems, immediately after appropriate testing. It also recommends users to download only trusted vendor apps via Google Play Store. Users should exercise caution and evaluate before visiting un-trusted websites or follow links provided by unknown or un-trusted sources. For those who are aware of best security practices must inform and educate others regarding threats posed by hypertext links contained in un-trusted emails or attachments.
As mentioned, Google has rolled out the May 2020 Android security patch to Pixel devices already.