The Center for Internet Security (CIS) reported on Tuesday that several vulnerabilities have been discovered in the Google Android operating system, the most severe of which could allow elevation of privilege.
Security researchers said the February 7 CIS advisory amplifies the security updates released the previous day by Google.
CIS said that depending on the privileges associated with the exploited component, an attacker could install programs, view, modify or delete data, or create new accounts with full rights.
“Our advice is related to fixes that were announced yesterday by Google,” a CIS spokesperson said. “The risk associated with these vulnerabilities may vary depending on each organization’s policies regarding mobile devices. An organization that follows a BYOD policy that allows access to internal resources without a coercion mechanism to keep BYOD devices patched and updated will be at greater risk than others. Organizations that properly manage mobile devices and maintain reasonable compliance standards for patching will have a much lower risk profile.”
JT Keating, senior vice president of strategic initiatives at Zimperium, said that while there are many levels of risk associated with vulnerabilities in mobile devices, these vulnerabilities are particularly dangerous because they can lead to elevated privileges that put the device completely at risk, including the ability to delete or modify data, install apps, and even create new accounts.
“Users should implement the patch to close these vulnerabilities as soon as their carrier provides it, and companies should follow the CIS recommendation to use capabilities to detect exploits,” Keating said.
Mike Parkin, senior technical engineer at Vulcan Cyber, added that the difficulty lies in how quickly vendors can update their particular flavor of Android with the security pack released by Google, and how quickly wireless vendors deploy it to their clients.
“One of the challenges with Android devices is that there is sometimes a delay between Google releasing new patches for their Android operating system and the vendors integrating it into their many phone models,” explained Parkin. “Fortunately, there is active protection for many of them in Google Play Protect, which is enabled on most modern Android devices.”