Samsung this week released its May 2020 set of security updates for Android smartphones, which includes a patch for a critical vulnerability impacting all of its devices since 2014.
In addition to the fixes in the Android Security Bulletin – May 2020, the phone maker’s updates patch 19 vulnerabilities specific to Samsung smartphones. The most important of these are two critical flaws in secure bootloader and in Quram library with decoding qmg.
The first of the issues is a heap based buffer overflow that could allow for the bypass of secure boot and potentially result in arbitrary code execution. Samsung says it addressed the bug with proper validation, but does not provide further details on the vulnerability.
The second security flaw is memory overwrite issue that could result in the execution of arbitrary code remotely, and which resides in the Quram qmg library.
The bug appears to affect all Samsung smartphones released since 2014, when the company added support for the custom Qmage image format (.qmg) that was designed by Korean third-party company Quramsoft.
Discovered by Google Project Zero security researcher Mateusz Jurczyk, the vulnerability can be exploited through malicious MMS (multimedia) messages, without user interaction. A video demonstration of the 0-click MMS exploit proof-of-concept is now available (but not the exploit code).
[embedded content]
The researcher says that, since there are four major versions of Qmage, Samsung’s Android smartphones released since late 2014 / early 2015 are affected to different degrees. The most recent devices are likely impacted by the largest number of issues, given their included support for all versions of Qmage.
The resear ..
Support the originator by clicking the read the rest link below.
