Published on September 9th, 2019
An Android Zero-Day Remains Unpatched For Six Months
Researchers have discovered a zero-day vulnerability in Android OS that allows an attacker to escalate privileges. More troubling, Google hasn’t patched the bug in its latest update.
Dangerous Android Zero-Day Flaw Discovered
Reportedly, researchers from Trend Micro’s Zero-Day Initiative have found a serious vulnerability in Android OS. The vulnerability exists in the Video for Linux (V4L2) driver and, when exploited, can allow an attacker to elevate privileges on target devices.
Describing this Android zero-day flaw in their advisory, the researchers stated:
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Google Android. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the v4l2 driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel.
As with most privilege escalation flaws, an adversary can easily exploit this one via malicious apps. When a user installs a malicious app bundled with malware, the malware can exploit the flaw to gain root access to the device.
Patch Yet To Arrive
According to the timeline shared by the researchers in their advisory, ZDI found and informed Google of the flaw in March 2019. However, the vendor only acknowledged the flaw and promised a patch in late June 2019. Despite knowing about the flaw for six months, Google has not yet fixed it. Consequently, the researchers have now publicly disclosed the vulnerability.
While no patch is yet available, ZDI has suggested a possible mitigation for the flaw.
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.