An Android Zero-Day Remains Unpatched For Six Months

by ethhack

Researchers have disclosed a zero-day vulnerability in Android OS that allows an attacker to escalate privileges. More troubling, Google hasn’t patched the bug in its latest update.

Dangerous Android Zero-Day Flaw Discovered

Reportedly, researchers from Trend Micro’s Zero-Day Initiative have found a serious vulnerability in Android OS. The vulnerability exists in the Video for Linux (V4L2) driver and, when exploited, can allow an attacker to elevate privileges on target devices.

Describing this Android zero-day flaw in their advisory, the researchers stated:

This vulnerability allows local attackers to escalate privileges on vulnerable installations of Google Android. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the v4l2 driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel.

As with most privilege escalation flaws, an adversary can easily exploit this one via malicious apps. When a user installs a malicious app bundled with malware, the malware can exploit the flaw to gain root access to the device.

Patch Yet To Arrive

According to the timeline shared by the researchers in their advisory, ZDI found and informed Google of the flaw in March 2019. However, the vendor only acknowledged the flaw and promised a patch in late June 2019. Despite knowing about the flaw for six months, Google has not yet fixed it. Consequently, the researchers have now publicly disclosed the vulnerability.

While no patch is available yet, ZDI has suggested a possible mitigation for the flaw:

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world!