It's 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can

Malicious Bluetooth signals, too, it looks like


Google has emitted security fixes for Android that should be installed, should you get the chance, as the flaws they address can potentially be exploited to hijack devices.

The worst vulnerability in the latest monthly batch, according to the ad giant, is one in which a maliciously crafted PNG image could execute code smuggled within the file, if an application views it. Thus an evil .PNG file opened by a chat app or email reader, say, could start running malware on the device with high-level privileges.

Two other bad holes we can see are in Android's handling of Bluetooth signals: a maliciously crafted transmission can execute arbitrary code on the device, according to Google.

"The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process," Team Google warned this week.

"We have had no reports of active customer exploitation or abuse of these newly reported issues."

Here's a summary of the security fixes in February's release bundle (bear in mind, only Android 7 to 9 receive security updates now):

Framework has three remote-code execution bugs, the worst of which can be pwned by a PNG file: CVE-2019-1986, affecting Android 9; CVE-2019-1987, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2019-1988, affecting versions 8.0, 8.1, and 9.

Library has four flaws, the worst allowing code to run in a hacker-sent file when parsed: CVE-2017-17760, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2018-5268, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2018-5269, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2017-18009, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9.

All are remote-code execution holes, except CVE-2017-18009, which discloses information.

System has eight flaws, the worst involving remote-code execution with Bluetooth transmissions: CVE-2019-1991, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1992, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1993, affecting versions 8.0, 8.1, and 9; CVE-2019-1994, affecting versions 8.0, 8.1, and 9; CVE-2019-1995, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1996, affecting versions 8.0, 8.1, and 9; CVE-2019-1997, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2019-1998, affecting version 9.

CVE-2019-1991 and 1992 are remote-code execution flaws, 1993 and 1994 are elevation of privilege, 1995 to 1997 can be exploited to disclose sensitive information, and 1998 is a denial of service.

But wait, there's more

On top of this, there are four Linux kernel flaws in Android (CVE-2018-10879, CVE-2019-1999, CVE-2019-2000, CVE-2019-2001) that can at worst be exploited by a dodgy application to gain higher privileges and hijack the device.

Nvidia's drivers have four bugs (CVE-2018-6271, CVE-2018-6267, CVE-2018-6268, CVE-2016-6684) that can at worst be exploited by malicious programs to commandeer a vulnerable device. And there are 19 security screw-ups in Qualcomm's drivers that range from high to critical severity.

If your Android device's security patch level is dated February 2019, then you're up to date. If not, then check for updates and install them – some may be available.
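To run that patch-level check across several devices at once, the shell script below (an added example, not part of the original article) classifies patch-level strings against a baseline. It assumes the standard `ro.build.version.security_patch` property read over adb, and uses 2019-02-01 as the baseline, an assumed stand-in for "February 2019"; the device names in the sample inventory are constructed.

```shell
#!/bin/sh
# Added example: flag Android devices whose security patch level is too old.
# BASELINE is an assumption (first day of the month the article names);
# set it to the level your vendor's bulletin actually requires.
BASELINE="${BASELINE:-2019-02-01}"

# adb_patch_level SERIAL -> patch level string reported by a connected device.
# Needs adb and an authorised device; not called by the offline demo below.
adb_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'
}

# patch_status LEVEL -> prints "patched", "outdated" or "invalid".
patch_status() {
    level=$1
    # Patch levels are ISO dates (YYYY-MM-DD); anything else is rejected
    # so an empty or garbled reading never counts as patched.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # Strip the dashes so the two dates compare as plain integers.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$BASELINE" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo patched; else echo outdated; fi
}

# audit: read "device level" lines on stdin, print every device that is
# not at the baseline, with the reason.
audit() {
    while read -r device level; do
        [ -n "$device" ] || continue
        status=$(patch_status "$level")
        [ "$status" = patched ] || printf '%s %s %s\n' "$device" "${level:-none}" "$status"
    done
}

# Constructed sample inventory: device name, then reported patch level.
sample_inventory() {
    printf '%s\n' \
        'pixel-3 2019-02-05' \
        'tablet-a 2018-11-01' \
        'handset-b 2019-02-01' \
        'kiosk-c'
}

sample_inventory | audit
```

For live devices, build the inventory by calling `adb_patch_level` for each serial listed by `adb devices` and pipe the result into `audit`.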

It's up to your device manufacturer, and mobile carrier if appropriate, to approve and pass on fixes. Certain Google devices, primarily Pixel and older Nexus devices, get them directly from the ad giant, and its Play services can in some cases push patches straight to gizmos.

Also, there are defenses built into Android, such as ASLR, that may thwart exploit attempts. So far, no malware or miscreants are said to be targeting the flaws. ®
