This Week in Security: Android Bluetooth RCE, Windows VMs, and HTTPS Everywhere

Android has released its monthly round of security updates, and there is one patched bug in particular that’s very serious: CVE-2021-0316. Few further details are available, but a bit of sleuthing finds the code change that fixes this bug.


Fix potential OOB write in libbluetooth

Check event id if of register notification command from remote to avoid OOB write.


It’s another Bluetooth issue, quite reminiscent of BleedingTooth on Linux. In fact, in researching this bug, I realized that Google never released their promised deep-dive into BleedingTooth. Why? This would usually mean that not all the fixes have been rolled out, or that a significant number of installations are unpatched. Either way, the details are withheld until the ramifications of releasing them are minimal. This similar Bluetooth bug in Android *might* be why the BleedingTooth details haven’t yet been released. Regardless, there are some serious vulnerabilities patched in this Android update, so make sure to watch for the eventual rollout for your device.
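The class of fix the commit message describes, range-checking a remote-supplied event id before it is used as a table index, looks like this in an added example (not the AOSP code). The PDU layout, `NUM_EVENTS`, and every function and struct name here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout, constructed for this example (not AOSP's):
 * byte 0 = event id, bytes 1..4 = big-endian interval. */
#define NUM_EVENTS    13   /* assumed: valid event ids are 1..NUM_EVENTS */
#define REG_NOTIF_LEN 5

enum parse_status { PARSE_OK = 0, PARSE_BAD_LEN, PARSE_BAD_EVENT };

struct notif_state {
    uint8_t  registered[NUM_EVENTS];  /* indexed by event id - 1 */
    uint32_t interval[NUM_EVENTS];
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Hardened handler: validates length and event id before indexing. */
enum parse_status handle_register_notification(struct notif_state *st,
                                               const uint8_t *pdu, size_t len) {
    if (len != REG_NOTIF_LEN)
        return PARSE_BAD_LEN;
    uint8_t event_id = pdu[0];
    /* The id comes from the remote device. Without this range check,
     * id 0 would index element -1 and ids above NUM_EVENTS would write
     * past the end of both tables. */
    if (event_id < 1 || event_id > NUM_EVENTS)
        return PARSE_BAD_EVENT;
    st->registered[event_id - 1] = 1;
    st->interval[event_id - 1] = be32(pdu + 1);
    return PARSE_OK;
}

int main(void) {
    struct notif_state st = {0};
    const uint8_t good[] = {0x02, 0, 0, 0, 10};  /* constructed sample */
    const uint8_t bad[]  = {0xF0, 0, 0, 0, 10};  /* id out of range */
    int g = handle_register_notification(&st, good, sizeof good);
    int b = handle_register_notification(&st, bad, sizeof bad);
    printf("good=%d bad=%d\n", g, b);
    return 0;
}
```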


HTTPS Everywhere


Google and Firefox are continuing their push toward a web based on HTTPS. Some of the changes, particularly by Google, have been viewed with some skepticism. However, this upcoming Chromium change looks like a welcome one. Put simply, when a user types in a URL without specifying HTTP or HTTPS, Chrome will try to load the website over HTTPS first. This change has been spotted in the Chromium source, ..