If you play a video on Android device, you are in for a rude shock as it could be extremely perilous thanks to a serious CVE-2019-2107 RCE fault in Android OS between version 7.0 and 9.0.

The flaw, which resides in the Android media framework, was already addressed by Google, but millions of devices are still awaiting the patch to be released by their manufacturers.

“The most severe vulnerability in this section [media framework] could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” reads the security advisory.

To exploit the vulnerability, the Android developer Marcin Kozlowski has also published a proof-of-concept code that could allow an attacker to crash the media player. An attacker could potentially develop an exploit to remotely perform random code.

Nevertheless, it should be kept in mind that if such malicious videos are received through a prompt messaging app like WhatsApp or Facebook Messenger or uploaded on a service like YouTube or Twitter, the attack won’t work.

“CVE-2019-2107 – looks scary. Still remember Stagefright and PNG bugs vulns …. With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly “crafted” video (with tiles enabled – ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2)” wrote Kozlowski.

To avert the misuse of this fault, users have to update their Android versions by applying the latest security patches. Certainly, they have to avoid downloading and playing videos from unreliable sources.

Leave a Reply

Your email address will not be published. Required fields are marked *