- Joined
- May 15, 2016
- Messages
- 14,530
- Likes
- 2,645
- Points
- 1,730
The RCE vulnerability, fixed in the July Android update, allows using a specially prepared video file to cause a crash in the regular media player of the system or run malicious code.
Billion-proof video
Critical vulnerability in Android versions 7.0-9.0 allows you to hack a device using a video file.
The vulnerability index CVE-2019-2107 potentially affects about a billion devices worldwide.
A “bug” is present in the Android media framework; thanks to him, an attacker using a specially prepared video file to run arbitrary code in the context of a process with high privileges in the system.
Programmer Marcin Kozlowski introduced a trial exploit that could cause the Android built-in media player to crash. However, the developer claims that this is the most harmless option for using the "bug". A similar exploit can also be used to run arbitrary code.
Encoding issue
However, according to the expert, the video file will need to be transferred directly to the device: if you upload to Youtube or Twitter and send via WhatsApp or Facebook Messenger, the attack cannot be implemented, since the video file is transcoded in these resources and a potentially malicious code fragment is lost. ]
Using a specially prepared video file, you can cause a crash in the regular Android media player or run malicious code
“This mitigates the threat of attack,” said Mikhail Zaitsev, information security expert at SEC Consult Services. - Direct sending of a video file in conditions when uploading video to specialized hosting or social networks is considered the norm is already a rather suspicious phenomenon. Another thing is that with the help of simple social engineering it is possible to make the average user open and run something much less harmless than a video file. ”
Corrections in Android were made back in the July update of the operating system, however, millions of devices have not yet received updates from the manufacturer, so the threat remains.
Billion-proof video
Critical vulnerability in Android versions 7.0-9.0 allows you to hack a device using a video file.
The vulnerability index CVE-2019-2107 potentially affects about a billion devices worldwide.
A “bug” is present in the Android media framework; thanks to him, an attacker using a specially prepared video file to run arbitrary code in the context of a process with high privileges in the system.
Programmer Marcin Kozlowski introduced a trial exploit that could cause the Android built-in media player to crash. However, the developer claims that this is the most harmless option for using the "bug". A similar exploit can also be used to run arbitrary code.
Encoding issue
However, according to the expert, the video file will need to be transferred directly to the device: if you upload to Youtube or Twitter and send via WhatsApp or Facebook Messenger, the attack cannot be implemented, since the video file is transcoded in these resources and a potentially malicious code fragment is lost. ]
Using a specially prepared video file, you can cause a crash in the regular Android media player or run malicious code
“This mitigates the threat of attack,” said Mikhail Zaitsev, information security expert at SEC Consult Services. - Direct sending of a video file in conditions when uploading video to specialized hosting or social networks is considered the norm is already a rather suspicious phenomenon. Another thing is that with the help of simple social engineering it is possible to make the average user open and run something much less harmless than a video file. ”
Corrections in Android were made back in the July update of the operating system, however, millions of devices have not yet received updates from the manufacturer, so the threat remains.