Google has fixed two critical vulnerabilities in its June patch update for Android that allow remote code execution on Android devices.
These two critical vulnerabilities (CVE-2020-0117 and CVE-2020-8597), found in the Android system area, allow an attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. Only Android versions 8 to 10 are affected by these vulnerabilities.
According to the Multi-State Information Sharing and Analysis Center (MS-ISAC), “the successful exploitation of both vulnerabilities could grant access to remote code execution in the context of a privileged process.” It added, “Exploiting the vulnerabilities becomes possible through multiple methods like web browsing, email, and MMS when processing media files.”
June 2020 Android Patches
Google also released two other patches this June for high-severity issues in the Android system that could be exploited for information disclosure; these were found to affect only Android 10.
Other vulnerabilities that received patches as part of the 2020-06-01 security patch release are two high-severity bugs in Media framework (one information disclosure and one elevation of privilege (EoP)) and three high-risk issues in Framework (one information disclosure and two elevation of privilege).
About 24 more vulnerabilities received fixes as part of the 2020-06-05 security patch release. Notable ones are two elevation of privilege (EoP) bugs, one elevation of privilege in System, one information disclosure in Framework, and one information disclosure in Kernel components, along with 20 more unspecified vulnerabilities in Qualcomm components and Qualcomm closed-source components.
Google also updated the advisories for two older vulnerabilities: CVE-2019-2219, which affects Framework on Android 8 to Android 10 and enables a local malicious application to bypass OS protections that shield application data from other applications, and an elevation of privilege (EoP) vulnerability in System that enables a remote attacker to bypass user interaction requirements to gain access to additional permissions.
Finally, patches were also released this week for multiple vulnerabilities in Qualcomm closed-source and general components used in Android devices. Two of these vulnerabilities are critical and can be exploited remotely. Both are in the data-modem area of Qualcomm’s mobile chips.