Google Patches Several Critical Bugs in its Android OS
As part of its February Security Bulletin, Google patched five critical bugs in its Android operating system. Two of the most serious flaws would have allowed remote code execution, the gold standard for hackers and threat actors; both were found in the Android media framework and system.
As part of a separate security bulletin, three additional critical Qualcomm bugs were reported by Google and patched by Qualcomm. One of those flaws (CVE-2020-11163) has a Common Vulnerability Scoring System (CVSS) rating of 9.8 out of 10. The bug is tied to the wireless local area network (WLAN) chip used for Wi-Fi communications.
In all, Google patched 22 vulnerabilities in the Android OS, 15 of which were elevation-of-privilege (EOP) class bugs. Another 22 security flaws were addressed by Qualcomm and impacted a range of device functions such as Wi-Fi radio, camera and device displays.
The most severe of the critical bugs in the Android OS is a security vulnerability in the Media Framework component that allows for remote code execution (RCE), enabling a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process, according to Google. The bug is tracked as CVE-2021-0325, and received a “critical” rating on Android 8.1 and 9 but a “high” rating on Android 10, 11 and 12, the company said.