Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Android devices could be hacked by playing a video due to CVE-2019-2107 flaw

Watch out! Playing a video on Android devices could be a dangerous operation due to a critical CVE-2019-2107 RCE flaw in Android OS between version 7.0 and 9.0. Playing a specially-crafted video on devices with the Android’s native video player application could allow attackers to compromise them due to a dangerous critical remote code execution […]

CVE-2019-2107

Watch out! Playing a video on Android devices could be a dangerous operation due to a critical CVE-2019-2107 RCE flaw in Android OS between version 7.0 and 9.0.

Playing a specially-crafted video on devices with the Android’s native video player application could allow attackers to compromise them due to a dangerous critical remote code execution flaw. The vulnerability, tracked as CVE-2019-2107, affected Android OS between version 7.0 and 9.0 (Nougat, Oreo, or Pie) potentially impacting over 1 billion devices.

The RCE flaw CVE-2019-2107 resides in the Android media framework.

Google already addressed the flaw with July 2019 Android Security Bulletin, but millions of devices still waiting for the patch to be released by their manufacturers.

“The most severe vulnerability in this section [media framework] could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” reads the security advisory.

The Android developer Marcin Kozlowski has also published a proof-of-concept code to exploit this flaw.

The PoC code, an HEVC encoded video, could allow an attacker to crash the media player. Potentially an attacker could develop an exploit to remotely execute arbitrary code.

However, it should be noted that if such malicious videos are received through an instant messaging app like WhatsApp or Facebook Messenger or uploaded on a service like YouTube or Twitter, the attack won’t work.

“CVE-2019-2107 – looks scary. Still remember Stagefright and PNG bugs vulns …. With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly “crafted” video (with tiles enabled – ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2)” wrote Kozlowski.

CVE-2019-2107

To prevent the exploitation of this flaw, users have to update their Android versions by applying the latest security patches. Of course, they have to avoid downloading and playing videos from untrusted sources

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CVE-2019-2107, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]