Samsung fixes critical Android bugs in December 2020 updates
This week Samsung has started rolling out Android’s December security updates to mobile devices to patch critical security vulnerabilities in the operating system and related components.
This comes after Android had published their December 2020 security updates bulletin, which includes patches for critical vulnerabilities impacting the latest devices.
As observed by BleepingComputer, Samsung Galaxy devices are automatically pulling updates released on December 7, 2020, this week.
These updates mainly comprise significant security fixes with possible device stability enhancements.
Samsung Galaxy Android December 2020 updates being rolled out today
Source: BleepingComputer
Every vulnerability addressed by this update, has either a ‘High’ or ‘Critical’ severity rating, making this update a must for Android users so that their devices remain protected.
Mục lục bài viết
RCE, Privilege escalation, and Denial of Service (DoS)
There’s the high severity vulnerability, CVE-2020-0458 lurking in the Android Media Framework arising from a buffer overflow, which has been fixed by this update.
The vulnerability could let an attacker perform remote code execution (RCE) attacks using a specially crafted file within the context of a privileged process.
Fix commit for RCE flaw in Media Framework (CVE-2020-0458)
Other flaws impacting components like Framework and System could allow sensitive information disclosure and user interaction bypass, i.e. a malicious app can gain additional permissions on the vulnerable device without the user’s approval.
The list of vulnerabilities patched by this update includes:
Framework
CVE
References
Type
Severity
Updated AOSP versions
CVE-2020-0099
A-141745510
EoP
High
8.0, 8.1, 9, 10
CVE-2020-0294
A-154915372
EoP
High
8.0, 8.1, 9, 10
CVE-2020-0440
A-162627132 [2]
EoP
High
11
CVE-2020-0459
A-159373687 [2] [3] [4] [5]
ID
High
8.0, 8.1, 9, 10
CVE-2020-0464
A-150371903 [2]
ID
High
10
CVE-2020-0467
A-168500792
ID
High
8.1, 9, 10, 11
CVE-2020-0468
A-158484422
ID
High
10, 11
CVE-2020-0469
A-168692734
DoS
High
11
Media Framework
CVE
References
Type
Severity
Updated AOSP versions
CVE-2020-0458
A-160265164 [2]
RCE
Critical
8.0, 8.1, 9, 10
CVE-2020-0470
A-166268541
ID
High
10, 11
System
CVE
References
Type
Severity
Updated AOSP versions
CVE-2020-0460
A-163413737
ID
High
11
CVE-2020-0463
A-169342531
ID
High
8.0, 8.1, 9, 10, 11
CVE-2020-15802
A-158854097
ID
High
8.0, 8.1, 9, 10, 11
Some bugs may still be exploitable
On select Samsung Galaxy devices, the updates pushed this week have their latest “security patch level” dated “2020-12-01.”
This implies the high and critical severity vulnerabilities to be fixed by the “2020-12-05 security patch” could be still exploitable.
Users are advised to update their Android devices immediately to safeguard against these bugs, and ensure their devices have the “auto-update” settings enabled.
A full description of enhancements and optimizations this update brings is provided on Samsung’s website.