Time to Update your Android – Critical PNG Bug
Google have released a new security update for their Android OS after it was disclosed that devices were vulnerable to a number of flaws that include three critical remote code execution vulns.
The Android Security Bulletin for Feb 2019 includes a total of 42 CVE’s; 11 vulns were classed as Critical, 30 High, and 1 moderate, spanning Framework, System, Kernel, NVIDIA graphics, and Qualcomm network components.
Google consider the three PNG based critical flaws to be the most severe included in this month’s bulletin, which impacts millions of devices worldwide running Android v7.0 to v9. A PNG is a common type of image file format similar to bitmap (BMP) and JPEG.
These three critical vulns are identified as CVE-2019-1986, CVE-2019-1987 & CVE-2019-1988, exist due to the way that the Android OS handles PNG files. By sending a specially crafted PNG image file, a malicious actor can execute code remotely on the target device with privileged access.
This can be exploited by sending the malicious image via email or messaging app and is executed by the user simply open and viewing the image, resulting in device hijack and compromise.
It is understood that to date Google have had no reports of this vuln being exploited in the wild.
It is advised that all Android devices be updated with the latest security patch levels 2019-02-01 & 2019-02-05 ASAP, to fix the issues contained in this advisory. As Android is a multiple platform open source OS, an available update for your device may depend on a release from your specific manufacturer.
To check a device’s security patch level, please see Check and update your Android version.
To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList
Ironshare – Security Simplified