- The vulnerabilities impact the Android operating system’s framework, with one flaw allowing an attacker to exploit by using a specially crafted PNG file.
- These critical vulnerabilities impact Android versions 7.0 to 9.0. Security patch levels of 2019-02-05 or later address all of these issues
In the Android security bulletin for February 2019, Google disclosed that critical vulnerabilities in the Android operating system’s framework impact Android devices. These vulnerabilities impact Android versions 7.0 to 9.0. One critical vulnerability could allow an attacker to trigger exploit by using a specially crafted PNG file.
As per the security bulletin, security patch levels of 2019-02-05 or later address all of these issues.
How are the vulnerabilities exploited?
- In order to exploit the vulnerabilities, attackers need to send a specially crafted malicious Portable Network Graphic (.PNG) file to Android device users.
- Once users open the PNG file, the exploit is triggered.
- Attackers are then able to execute arbitrary code in the context of a privileged process or an unprivileged process depending on the vulnerabilities.
The most critical vulnerabilities
Google revealed that these three vulnerabilities (CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988) are the most critical bugs which could enable an attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process. However, Google declined to reveal the technical details of these vulnerabilities.
The security bulletin also listed the Remote Code Execution, Privilege Escalation and Information Disclosure security vulnerabilities impacting the Android library, system files, and Nvidia components.
Source code patches for the PNG file security issue, alongside other security issues detailed in the bulletin, have also been released to the Android Open Source Project (AOSP) repository.
Google, in its security bulletin, noted that these newly reported issues have not been exploited yet. “We have had no reports of active customer exploitation or abuse of these newly reported issues,” the security bulletin read.
Google stated that security enhancements in the newer version of the Android platform make exploitation of these vulnerabilities on Android difficult. Security patch levels of 2019-02-05 or later address all the vulnerabilities detailed in the February, 2019 security bulletin. Therefore, Google has requested its Android users to update to the latest version of Android.
“The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play,” Google said.