Last Updated : May 07, 2020 11:20 AM IST | Source: Moneycontrol.com

Samsung May 2020 security update patches bug that impacted all its smartphones sold since 2014

What’s worse about the bug is that the victim does not get any hint about the attack as it can be executed without triggering the notification sound on an Android smartphone.

Moneycontrol News @moneycontrolcom

Samsung has released a new security update to fix a critical vulnerability that impacted all its smartphones sold since 2014.

The bug lies in the way Android’s graphics library Skia handles Samsung’s custom Qmage image format (.qmg). Mateusz Jurczyk, a security researcher with Google's Project Zero bug-hunting team, discovered the vulnerability in February and reported the issue to Samsung.

What was the bug and how did it work?

Jurczyk noted that the Qmage bug could be exploited in a zero-click scenario, meaning no user interaction is needed. This is possible because Android redirects all images sent to a device to the Skia library for processing without the user’s knowledge.

The security researcher developed a proof-of-concept demo exploiting the bug against the Samsung Messages app. He spammed a Samsung Galaxy Note 10+ running Android 10 with multiple MMS messages, each of which attempted to determine the position of the Skia library in the device’s memory. Once the Skia library was located in memory, the last MMS delivered the Qmage payload used for executing the exploit code.

According to Jurczyk, it requires up to 300 MMS messages to probe and bypass the Address Space Layout Randomisation (ASLR), which typically takes around 100 minutes.

What is worse about the bug is that the victim does not get any hint about the attack as it can be executed without triggering the notification sound on an Android smartphone.

In addition to the MMS exploit, Jurczyk states that there could be other possible ways to attack any app running on a Samsung device that supports Qmage and can receive images from a remote attacker.

After being informed in February, Samsung fixed the vulnerability in its May 2020 security patch. The bug is tracked as SVE-2020-16747 in Samsung’s security bulletin and CVE-2020-8899 in the Mitre CVE database.

It is presumed that other smartphones have not been affected by the bug as only Samsung appears to have modified the Android OS to support the custom Qmage format that it has been using on its smartphones since 2014.
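For triaging exposure to CVE-2020-8899 across a device fleet, the following added example (not from the article, Samsung or Project Zero) flags Samsung devices in an inventory export whose Android security patch level predates May 2020. The CSV column names, the sample rows and the 2020-05-01 cut-off are assumptions; confirm the cut-off against Samsung's bulletin entry for SVE-2020-16747.

```python
import csv
import io
from datetime import date

# Assumption: firmware carrying the May 2020 update reports a patch level of
# 2020-05-01 or later (the value of ro.build.version.security_patch).
FIXED_PATCH_LEVEL = date(2020, 5, 1)

# Constructed sample inventory; the column names are hypothetical.
SAMPLE_INVENTORY = """\
device_id,manufacturer,model,security_patch
d-001,samsung,SM-N975F,2020-03-01
d-002,Samsung,SM-G973F,2020-05-01
d-003,Google,Pixel 3,2019-11-05
d-004,SAMSUNG,SM-A505F,
d-005,samsung,SM-G960F,2020-4-1
d-006,samsung,SM-J530F,unknown
"""

def parse_patch_level(value):
    """Return a date for a YYYY-MM-DD patch level, or None if unusable."""
    try:
        year, month, day = (int(part) for part in value.strip().split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None

def audit(inventory_csv):
    """Classify Samsung devices as 'exposed', 'patched' or 'unknown'."""
    report = {"exposed": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Per the article, only Samsung builds are presumed to support Qmage.
        if (row.get("manufacturer") or "").strip().lower() != "samsung":
            continue
        level = parse_patch_level(row.get("security_patch"))
        if level is None:
            # Missing or malformed data is surfaced, never treated as patched.
            report["unknown"].append(row["device_id"])
        elif level < FIXED_PATCH_LEVEL:
            report["exposed"].append(row["device_id"])
        else:
            report["patched"].append(row["device_id"])
    return report

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices in the `unknown` bucket need their patch level read directly from the handset before they can be cleared.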


First Published on May 7, 2020 11:20 am

tags #gadgets #Samsung #smartphones
