Android Zero-Day Bug Does Not Make It On Google’s 'Fix' List
Arthur T Knackerbracket has found the following story:
[Google] rolled out security patches for the Android mobile operating system but did not include the fix for at least one bug that enables increasing permissions to kernel level.
Security flaws that enable privilege escalation can be exploited to move from a position with limited access to one with elevated access to critical files on the system. In order to utilize this, an attacker should have already compromised the device but have their actions restricted by insufficient permissions.
The Android Security Bulletin for September includes fixes for a couple of critical vulnerabilities in the media framework and a load of high-severity bugs. But the vulnerability reported today is not on the list.
The vulnerability exists in the driver for the Video For Linux 2 (V4L2) interface used for video recording. It is estimated as a high-severity zero-day, so it does not have an identification number yet.
"The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel."