Microsoft has publicly disclosed a series of vulnerabilities in a mobile framework used in Android apps "with millions of downloads" that could have exposed their users to attacks.
The company says it "uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks."
The vulnerabilities have been identified as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601; Microsoft says the flaws have received Common Vulnerability Scoring System (CVSS) scores between 7.0 and 8.9 out of 10.
The company says that mce Systems' mobile framework includes a service that an attacker "could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device."
Microsoft says it discovered the security flaws in September 2021. It then informed mce Systems and "the affected mobile service providers" of the vulnerabilities and collaborated with those companies to mitigate the problems so the relevant apps couldn't be exploited by hackers.
"We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities," Microsoft says, "which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild."
The company also informed Google of these security flaws. Google reportedly responded by updating Google Play Protect, which Google says Android users can use to "help keep your apps safe and your data private," to detect vulnerabilities of this nature.
But the full extent of these vulnerabilities isn't known. Microsoft says that "there could be additional providers still undiscovered that may be impacted" by these flaws, and notes that "several mobile phone repair shops" may have installed a vulnerable app on customers' devices. Android users have been advised to look for that app and remove it from their phones.
More information about the vulnerabilities—including the part of mce Systems' mobile framework affected, how they could have been exploited, and more—is available via Microsoft's report.
May 28, 2022 at 11:23PM
Microsoft Details Severe Vulnerabilities in Pre-Installed Android Apps - PCMag