EVGA

Update your Android: Google patches two zero-day vulnerabilities

Author
Cool GTX
EVGA Forum Moderator
2024/11/11 12:16:38 (permalink)

https://www.malwarebytes.com/blog/news/2024/11/update-your-android-google-patches-two-zero-day-vulnerabilities?utm_source=iterable&utm_medium=email&utm_campaign=b2c_pro_oth_20241111_novemberweeklynewsletter_v2_173106636238&utm_content=update_your_android_google_patches
(excerpt /page) Posted: November 6, 2024 by Pieter Arntz

Google has announced patches for several high-severity vulnerabilities. In total, 51 vulnerabilities have been patched in November’s updates, two of which are under limited, active exploitation by cybercriminals.


If your Android phone shows patch level 2024-11-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L, 13, 14, and 15. Android vendors are notified of all issues at least a month before publication; however, this doesn’t always mean that the patches are available for all devices immediately.


You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.


For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Keeping your device as up to date as possible protects you from known vulnerabilities that have been fixed, and helps you to stay safe.

Technical details

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws.

The CVEs that look the most important are:


CVE-2024-43047: a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that elevates privileges. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Qualcomm disclosed the vulnerability in October as a problem in its Digital Signal Processor (DSP) service. The vulnerability is flagged as under limited, targeted exploitation and could allow an attacker to escalate privileges on targeted devices.


CVE-2024-43093: a high-severity escalation of privilege vulnerability impacting the Android Framework and the Google Play system updates. This is the second vulnerability that is flagged as under limited, targeted exploitation.


CVE-2024-43091: a high-severity Remote Code Execution (RCE). By exploiting this vulnerability in the System component an attacker could remotely execute code on a device with no additional execution privileges needed.


CVE-2024-38408: the only vulnerability listed as critical in this update. The problem is described as a “cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions.” LMP stands for Link Manager Protocol, which is a communication system used in Bluetooth technology to set up and manage connections between devices. The “start encryption command” is a special instruction that tells Bluetooth devices to begin scrambling their communications. The issue was patched by Qualcomm, which published a long list of affected chipsets.
 
---------------------(end excerpt) ---------------------------------
 
I had my patches, just wanted to make sure our community members are aware of this issue.
 

I am a Volunteer Moderator - not an EVGA employee


 When someone does not use reason to reach their conclusion in the first place; you can't use reason to convince them otherwise!
#1
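
For anyone checking more than one device against the patch level in the excerpt, here is an added example (not part of the Malwarebytes article or the post above) that classifies a device from its `adb shell getprop` output. It assumes the standard `[key]: [value]` getprop format and the properties `ro.build.version.security_patch` and `ro.build.version.sdk`; the API-level mapping and the sample dumps are constructed for this example.

```python
import re
from datetime import date

FIXED_LEVEL = date(2024, 11, 5)  # patch level named in the excerpt
# API levels of the Android versions the excerpt lists as receiving the update
# (mapping supplied for this example; 12L reports SDK 32).
UPDATED_SDKS = {31: "12", 32: "12L", 33: "13", 34: "14", 35: "15"}
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Constructed sample `getprop` dumps, trimmed to the two properties used here.
SAMPLE_FIXED = "[ro.build.version.sdk]: [34]\n[ro.build.version.security_patch]: [2024-11-05]\n"
SAMPLE_BEHIND = "[ro.build.version.sdk]: [33]\n[ro.build.version.security_patch]: [2024-10-05]\n"
SAMPLE_OLD_OS = "[ro.build.version.sdk]: [30]\n[ro.build.version.security_patch]: [2023-02-05]\n"
SAMPLE_BROKEN = "[ro.build.version.sdk]: [34]\n"


def parse_getprop(dump):
    """Turn '[key]: [value]' lines into a dict, ignoring anything else."""
    props = {}
    for line in dump.splitlines():
        match = PROP_RE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def assess(dump):
    """Classify one device against the 2024-11-05 patch level."""
    props = parse_getprop(dump)
    raw = props.get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(raw)
    except ValueError:
        return "unknown: no valid security patch level reported"
    if level >= FIXED_LEVEL:
        return "fixed"
    sdk = props.get("ro.build.version.sdk", "")
    if sdk.isdigit() and int(sdk) in UPDATED_SDKS:
        return f"update needed: Android {UPDATED_SDKS[int(sdk)]} at {raw}"
    return f"no update listed for this Android version (patch level {raw})"


if __name__ == "__main__":
    for name, dump in [("fixed", SAMPLE_FIXED), ("behind", SAMPLE_BEHIND),
                       ("old-os", SAMPLE_OLD_OS), ("broken", SAMPLE_BROKEN)]:
        print(name, "->", assess(dump))
```

A device that reports a patch level earlier than 2024-11-05 on a listed Android version still depends on its vendor shipping the update, as the excerpt notes.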

    bdary
    Omnipotent Enthusiast
    Re: Update your Android: Google patches two zero-day vulnerabilities 2024/11/12 07:26:39 (permalink)
    Thanks for the info. I believe my phone is all up to date, but will check it out to be sure.
    #2