October security patch fixes serious vulnerability affecting a few Samsung phones

SamMobile

Earlier this week, Google’s Project Zero security analysis team revealed that cyber-attackers are exploiting a bug within Android OS, which affects 18 known phone models including three Samsung devices. The issue stems from a local privilege escalation vulnerability which can give attackers full control over an affected device.

Google’s Project Zero team labeled it a “high severity vulnerability,” but the good news is that a fix has already been devised and will roll out along with the October security patch. The need for secrecy might be why Google has yet to detail the October 2019 security patch in an official changelog. Either way, the company said its Pixel 1 and 2 will no longer be vulnerable after the update, adding that a patch has also been made available to partners to make sure that the problem doesn’t spread throughout the Android ecosystem.

Samsung already rolling out the October patch


The severity of the bug could also be the reason why Samsung has already launched the October security patch for several Galaxy devices, even as the changelog was missing. So far, the October 2019 security patch has reached a few Galaxy phones, including the Galaxy S10 5G.

Interestingly, all of these phones sans the Galaxy S10 5G follow the quarterly update schedule, and none of them have been mentioned by the Project Zero team as being vulnerable. Then again, the list of vulnerable phones isn’t final and there could be more phones that are or have been open to attacks.

The vulnerability is reportedly being exploited by the NSO Group


According to Project Zero, the vulnerability can be exploited either when a user installs an untrusted app, or via a web browser by chaining it with a second exploit targeting the code that determines how content is rendered in Chrome.

Project Zero member Maddie Stone said there are reasons to believe the vulnerability is being exploited by the NSO Group or its clients. NSO Group is an Israel-based exploit developer known to sell its malicious product to various governmental bodies. A few years ago the same group was responsible for developing the “Pegasus” spyware for mobile devices, which was designed to jailbreak or root iOS / Android phones and expose private data.

How to keep safe


Because the vulnerability requires either an additional app to open up the exploit or a second exploit within the Chrome web browser for it to work, it shouldn’t be difficult to keep your phone safe even if you haven’t received the October 2019 security patch yet. Just be mindful of what third-party apps you install and refrain from installing apps from untrusted sources. Likewise, you might want to use a different mobile web browser instead of Chrome, at least until the vulnerability is fully patched.
