Colin Mc Hugo

0 %
Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

A New Android Zero-Day Vulnerability Is Under Active Attack

March 23, 2021

Google has disclosed {that a} now-patched vulnerability affecting Android units that use Qualcomm chipsets is being weaponized by adversaries to launch focused assaults.

Tracked as CVE-2020-11261 (CVSS rating 8.4), the flaw concerns an “improper enter validation” situation in Qualcomm’s Graphics element that may very well be exploited to set off reminiscence corruption when an attacker-engineered app requests entry to an enormous chunk of the gadget’s reminiscence.

“There are indications that CVE-2020-11261 could also be beneath restricted, focused exploitation,” the search big said in an up to date January safety bulletin on March 18.

CVE-2020-11261 was found and reported to Qualcomm by Google’s Android Safety workforce on July 20, 2020, after which it was fastened in January 2021.

It is price noting that the entry vector for the vulnerability is “native,” that means that exploitation requires native entry to the gadget. In different phrases, to launch a profitable assault, the dangerous actor should both have bodily entry to the weak smartphone or use different means – e.g., a watering hole – to ship malicious code and set off the assault chain.

Whereas specifics in regards to the assaults, the identification of the attacker, and the focused victims haven’t been launched, it isn’t uncommon for Google to withhold sharing such data to forestall different risk actors from making the most of the vulnerability.

If something, the event as soon as once more underscores the necessity to promptly set up month-to-month safety updates as quickly as they’re out there to forestall Android units from being exploited. We have reached out to Google for remark and can replace this text if we hear again.

Posted in SecurityTags:
Write a comment