Long-Patched Vulnerabilities Still Present in Many Popular Android Apps

Critical vulnerabilities that were fixed years ago are still present in many popular Android applications because their developers failed to apply the patches available for the third-party components they bundle.


Researchers at Check Point have selected three critical arbitrary code execution vulnerabilities patched in 2014, 2015 and 2016 in widely used third-party libraries.


The company explained that mobile applications often rely on native libraries that are either derived from open source projects or incorporate code fragments from open source software. If a vulnerability is found in one of these open source projects, its developers may implement a fix, but they have no way to ensure that the fix is also applied in other software that reuses their code.


In June 2019, Check Point scanned Android applications present on Google Play in an effort to determine if they use vulnerable libraries.


One of the vulnerabilities they targeted is CVE-2014-8962, a buffer overflow in the libFLAC audio codec that can be exploited for arbitrary code execution or denial-of-service (DoS) attacks by convincing the targeted user to open a specially crafted FLAC audio file with an application that uses a vulnerable version of libFLAC.
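One defender-side way to perform the kind of scan described above is to look inside each APK's native libraries for the version string that libFLAC embeds in its builds. The following is an added example, not Check Point's tooling or code from the page; it assumes the fixed-version threshold (1.3.1) and a constructed in-memory APK, and it only detects copies that still carry the vendor string.

```python
import io
import re
import zipfile

# Assumption of this example (not stated on the page): the libFLAC release
# that shipped the fix for CVE-2014-8962 is 1.3.1, so anything older is flagged.
LIBFLAC_FIXED = (1, 3, 1)

# libFLAC builds embed a vendor string such as "reference libFLAC 1.3.0 20130526".
VENDOR_RE = re.compile(rb"reference libFLAC (\d+)\.(\d+)\.(\d+)")


def libflac_version(blob: bytes):
    """Return the (major, minor, patch) of the libFLAC build found in blob, or None."""
    m = VENDOR_RE.search(blob)
    return tuple(int(x) for x in m.groups()) if m else None


def scan_apk(apk_bytes: bytes):
    """List native libraries in an APK that contain a pre-fix libFLAC copy.

    Returns [(path_inside_apk, version_string), ...] for every hit.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Android packages native code under lib/<abi>/*.so
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            ver = libflac_version(apk.read(name))
            if ver is not None and ver < LIBFLAC_FIXED:
                findings.append((name, ".".join(map(str, ver))))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a zip shaped like an APK with two libs, one old, one fixed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("lib/arm64-v8a/libplayer.so",
                     b"\x7fELF..." + b"reference libFLAC 1.3.0 20130526" + b"...")
        apk.writestr("lib/arm64-v8a/libcodec.so",
                     b"\x7fELF..." + b"reference libFLAC 1.3.2 20170101" + b"...")
    return buf.getvalue()


if __name__ == "__main__":
    for path, ver in scan_apk(build_sample_apk()):
        print(f"pre-fix libFLAC {ver} in {path}")
```

A library built with the vendor string stripped, or with the vulnerable functions copied in without it, will not be caught, so a clean result is not proof of absence.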


Check Point’s analysis revealed that CVE-2014-8962 is still present in the LiveXLive music streaming app, the Moto Voice voice control app for Motorola phones, and various Yahoo apps. All of these applications have been downloaded millions or tens of millions of times from Google Play.


Another vulnerability analyzed by Check Point, CVE-2015-8271, affects the RTMPDump toolkit for RTMP streams and it c ..