Google Advisory on Android Security Updates
A zero-day (0day) vulnerability is a security flaw for which there is no mitigation or fixes available at the time of press release or publication.
Existing software fixes cannot adequately fight against zero-day exploits, making such attacks a severe security concern for businesses.
An attack that uses a zero-day vulnerability is like a virus for which there is no vaccine.
November 2021 Android Security Updates Press Release
Google issued the periodical security fixes for Android devices detailing security vulnerabilities for Android devices and their severity. One month prior, Android partners got to know all potential concerns.
Google’s November 2021 advisory includes a link leading to the AOSP repository (Android Open-Source Project), where specific source code patches are available for security issues. Links to patches that are not from AOSP can also be found in the publication.
The Android security fixes for November 2021 bulletin noted that one of the patched weaknesses had been used in an attack.
Framework, Media Framework, and System Fixes
Google’s Android security patches for November 2021 fixed 18 issues in the framework and system components and 18 kernel and vendor parts flaws.
A kernel is the central part of an operating system, and it controls the whole system.
18 of the 39 patches released in November addressed problems in the framework and system components, while the remaining 18 addressed vulnerabilities in the kernel and vendor parts.
The bug was assigned the ID CVE-2021-1048. The tech company claimed it had been used in limited, directed attacks. According to Google, it’s a kernel problem that attackers can manipulate.
By utilizing a dangling pointer in dynamic memory, UAF flaws allow for code substitution. It can be used for local acceleration of privilege in this situation. When combined with a remote code execution (RCE) flaw, it may allow attackers to gain administrative access over a targetted system.
The assaults leveraging bug were kept under wraps by the internet behemoth. However, the nature of the attacks was steered in the direction of government-directed efforts to steal industry secrets.
It is the sixth Android manipulation of Androids systems flaws, according to Google data. In a malicious operation directed at Bangladesh earlier this year, Android smartphones were targeted in an espionage campaign that repurposed the LodaRAT, which is initially known for targeting Windows Systems, to target Android devices.
Attacks and Severity
The Android updates for November 2021 fix overall 39 weaknesses. The most serious of these upgrades address two significant remote code execution (RCE) vulnerabilities affecting system parts. It is identified as CVE-2021-0918 and CVE-2021-0930. By delivering a specially designed transmission to targeted devices, an attacker from afar in an advantaged procedure can run untrusted codes, according to Google.
According to the security update, the severity ranking is according to the potential consequence of manipulating the susceptibility on an infected system, say if the platform and use countermeasures are disabled for improvement purposes or if the vulnerability is effectively circumvented.
Another serious issue is the Android TV remote service, allowing Android phones and tablets to be used as remote controls for Android TVs. Another RCE has been identified as CVE-2021-0889. A close attacker who successfully exploits CVE-2021-0889 might creep up behind a TV, discreetly pair with it, and execute arbitrary code without requiring privileges or user involvement.
November 2021 fixes address two more significant security flaws: CVE-2021-1924 and CVE-2021-1975, all targeting Qualcomm components.
Extreme Severity Issues
Vulnerabilities impacting the System, Android TV, and Qualcomm components are assigned critical severity ratings. High severity flaws were outlined in the Framework component, and other outlined parts were updated to fix high-severity flaws. They were approximately 30 in total.
For the framework part, unauthorized users could get access in the absence of consumer interaction.
Google issued a separate security alert for Pixel smartphones devices. The Tech giant second advisory outlined the ten security flaws fixed for Pixel smartphones in November 2021.