Google just released its Android security patches for the month, addressing a total of 39 newly-discovered security vulnerabilities. Among those vulnerabilities is a zero-day flaw that, according to researchers, is already being exploited in the wild.
The named given to this zero-day vulnerability is CVE-2021-1048, and it is categorized as a use-after-free flaw that can be used for local privilege escalation. Bugs of the use-after-free are highly dangerous as they can be used to allow the attacked to access and reference freed memory on the attacked device, providing the threat actor with a write-what-where condition. This, in turn, can lead to the execution of arbitrary code that would give the threat actor control of the attacked system.
Google reports in its November advisory that the CVE-2021-1048 flaw could be getting exploited on the basis of limited, targeted exploitation. No further details about the weakness, the threat actors who may be exploiting it, or the nature of the attacks that can use this flaw have been revealed by the company.
Two other noteworthy flaws that this latest security patch from Google fixed are CVE-2021-0930 and CVE-2021-0918. Both of them are critical remote code execution (RCE) bugs that can potentially allow attackers to remotely execute malicious code within a privileged process on the targeted device through the use of a specially-crafted transmission sent to the victim’s device.
Another three critical vulnerabilities that got remedied with this patch are CVE-2021-1975, CVE-2021-1924, and CVE-2021-0889. The first two affect closed-source components from Qualcomm, with the third one being found in Android TV. The Android TV bug can give attackers, who are in close proximity to the targeted TV, the ability to secretly pair with it and execute arbitrary code without the need for having elevated privileges or direct interaction with the TV.
After this last set of Android security updates, the total number of Android zero-day flaws that Google has addressed this year is six. Here is a list of the other five zero-day vulnerabilities in addition to the one mentioned in this article:
- CVE-2020-11261 (CVSS score: 8.4) – Qualcomm Graphics component Improper input validation in vuln
- CVE-2021-1905 (CVSS score: 8.4) – Qualcomm Graphics component Use-after-free vuln
- CVE-2021-1906 (CVSS score: 6.2) – Qualcomm Graphics component detection of error condition without action vuln
- CVE-2021-28663 (CVSS score: 8.8) – Mali GPU Kernel Driver vuln that allows improper operations on GPU memory
- CVE-2021-28664 (CVSS score: 8.8) – Mali GPU Kernel Driver vuln that can be used to elevate CPU RO pages to writable