HomeCyber SecurityGoogle warns: These four Android flaws are now under attack

Google warns: These four Android flaws are now under attack

Three weeks after Google released the May 2021 Android security update, the Google Project Zero team has revealed that four of the vulnerabilities patched were already under attack.

“There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation,” Google said in a note on its May 2021 bulletin, which was published on May 1.

Google Project Zero security researcher Maddie Stone flagged that these were zero-day or previously unknown flaws in a tweet.

The four flaws affect Qualcomm’s GPU (CVE-2021-1905, CVE-2021-1906) and the Arm Mali GPU (CVE-2021-28663, CVE-2021-28664).

Android has updated the May security with notes that 4 vulns were exploited in-the-wild.

Qualcomm GPU: CVE-2021-1905, CVE-2021-1906
ARM Mali GPU: CVE-2021-28663, CVE-2021-28664https://t.co/mT8vE2Us74

— Maddie Stone (@maddiestone) May 19, 2021

As Project Zero notes in its “0day ‘in the wild'” spreadsheet, the Arm bugs allow an attacker to write to read-only memory in the Mail GPU and a use-after-free memory flaw in the GPU. The Qualcomm bugs include improper error handling and a use-after-free flaw in the GPU.

Google copped flack from security reporter Dan Goodin for saying the bugs “may be under limited, targeted exploitation” because it was “vague to the point of being meaningless”.

Shane Huntley from Google’s Threat Analysis Group (TAG), who in November revealed three zero-day flaws in Apple’s iOS, defended Google’s phrasing, highlighting that Google doesn’t always have the information at hand to say whether a vulnerability is under attack. TAG also discovered and disclosed the zero-day flaws in Apple’s WebKit browser that prompted Apple to issue the emergency iOS 14.4.2 update in March. Apple even updated older iOS devices to version 12.5.2 to address those issues.

Google I/O 2021

“I understand the frustration sometimes that people aren’t always getting the IOCs and details they want but I can maybe shed a little more light here,” he wrote, referring to indicators of compromise (IOC).

“Firstly not all “In The Wild” reports mean that we know exactly the target set. “In The Wild” could mean that the exploit was discovered on the black market or a hacker forum or reported to us from a source that wished to remain anonymous. In those cases the IOCs or targeting isn’t available or known.

“We strongly believe that there’s a difference between exploits found ourselves or reported through coordinated disclosure and ones we know to be in the hands of attackers. Flagging the latter helps with prioritization.

“We are working to provide more information where possible on what we observe but it is a trade-off and sometimes either don’t have the details or can’t reveal all the info that some people want. We still think there’s value releasing what we can.”

Qualcomm says in its advisory that CVE-2021-1905 was reported to on 17 November 2020 and rates it as a high-severity flaw. CVE-2021-1906 is a medium-severity flaw reported to it on 7 December 2020.

The flaws affect an enormous number of Qualcomm chipsets but require local access to be exploited, according to the chipmaker.

Samsung only yesterday started rolling out the May 2021 Android security patch to flagship Galaxy S21 phones, as Sammobile reports. But Samsung’s hugely popular A-series smartphones have not received this update yet.

By ZDNet Source Link

Technology For You
Technology For Youhttps://www.technologyforyou.org
Technology For You - One of the Leading Online TECHNOLOGY NEWS Media providing the Latest & Real-time news on Technology, Cyber Security, Smartphones/Gadgets, Apps, Startups, Careers, Tech Skills, Web Updates, Tech Industry News, Product Reviews and TechKnowledge...etc. Technology For You has always brought technology to the doorstep of the Industry through its exclusive content, updates, and expertise from industry leaders through its Online Tech News Website. Technology For You Provides Advertisers with a strong Digital Platform to reach lakhs of people in India as well as abroad.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

spot_img

CYBER SECURITY NEWS

TECH NEWS

TOP NEWS