Google has posted the February security updates for Android, including a fix for a potentially serious remote code execution flaw in Bluetooth.
Designated CVE-2020-0022, the flaw was discovered and reported by researchers with German company ERNW who say a fix has been in the works since November.
"On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled," the team explained.
"No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address."
While they have yet to post technical details on the flaw, they report the vulnerability allows full remote code execution in older versions of Android (8, 8.1, and 9) but is slightly less dire for Android 10, as those devices merely crash. It should be pointed out that the bug is only exposed when the device has Bluetooth in discovery mode, i.e. it's trying to find a device to pair with.
In the meantime, ERNW advises those worried about the flaw to switch to wired headphones and make sure their devices are not in discovery mode in public.
If Bluetooth pwnage isn't enough reason to patch your device, there are two dozen other bugs addressed this month for issues ranging from information disclosure to elevation of privilege. CVE-2020-0022 is the only flaw this month to allow remote code execution.
Six of the CVE-listed vulnerabilities (including the Bluetooth bug) are said to exist in System components. They include two information disclosure flaws and two elevation of privilege issues. Versions 8-10 of Android are affected.
The Android Framework was host to seven flaws: three allowing information disclosure, three elevation of privilege, and one denial of service bug. The Kernel component was patched for two flaws, both allowing elevation of privilege attacks.
Qualcomm components were listed as the targets for the remaining 10 CVE-listed errors. These included four flaws that were listed as 'high' severity risks but not detailed as they involved closed-source components.
As ever, those running Google-branded devices can get the updates immediately, while those on other vendors and carriers will need to wait for those groups to get their updates out. ®