Are you using an Android device?
Beware! You should be more careful while playing a video on your smartphone—downloaded anywhere from the Internet or received through email.
That’s because, a specially crafted innocuous-looking video file can compromise your Android smartphone—thanks to a critical remote code execution vulnerability that affects over 1 billion devices running Android OS between version 7.0 and 9.0 (Nougat, Oreo, or Pie).
The critical RCE vulnerability (CVE-2019-2107) in question resides in the Android media framework, which if exploited, could allow a remote attacker to execute arbitrary code on a targeted device.
To gain full control of the device, all an attacker needs to do is tricking the user into playing a specially crafted video file with Android’s native video player application.
Though Google already released a patch earlier this month to address this vulnerability, apparently millions of Android devices are still waiting for the latest Android security update that needs to be delivered by their respective device manufacturers.
“The most severe vulnerability in this section [media framework] could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google described the vulnerability in its July Android Security Bulletin.
images from Hacker News