Simply viewing an image from any source – the Internet, a text message and the like – could compromise an Android smartphone, thanks to a trio of vulnerabilities fixed by Google in its February security updates.
“The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” according to Google’s latest security bulletin, detailing CVE-2019-1986, CVE-2019-1987 and CVE-2019-1988.
Google said it has no reports of the vulnerabilities being actively exploited or abused.
“It’s alarming to learn that modern Android OS still parses media files within a privileged context,” said Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team). “After Stagefright, a lot of work was done to insulate libStagefright and other media server components, but it seems that event did not lead to the Skia graphics library receiving this same treatment.”
Calling media processing “one of the highest risk activities,” Young said, “Automated media parsing should be kept to a minimum and it should always happen within an isolated execution environment,” a lesson “gradually learned” by Linux distributions “after a series of critical flaws in important packages like GStreamer, ImageMagick, and GhostScript put users and web sites at risk.”
Tim Erlin, vice president, product management and strategy at Tripwire, said these types of vulnerabilities “bring to light the disparate update strategies across Android phones.”
Users on Google devices “will receive timely security fixes,” Erlin said, but “other manufacturers may wait months to protect users from attackers. Of course, users have to actually apply updates to protect themselves.”