Ethical Hacking News
Google has released a critical security update that addresses two actively exploited Android flaws, including CVE-2024-43093 and CVE-2024-50302. The update, which was released in March 2025, includes patches for over 40 vulnerabilities and provides users with the tools they need to protect themselves against real-world threats.
Google has released a security update that patches two actively exploited vulnerabilities in Android. The update addresses over 40 vulnerabilities, including the two flaws that were being actively exploited in attacks in the wild. The first flaw, CVE-2024-43093, is a privilege escalation vulnerability with a CVSS score of 7.8. The second flaw, CVE-2024-50302, is a Linux kernel vulnerability with a CVSS score of 5.5. Successful exploitation of these vulnerabilities could lead to local escalation of privilege and remote code execution.
Google's recent security update has brought much-needed relief to Android users, as two actively exploited flaws were patched. The update, which was released in March 2025, addresses over 40 vulnerabilities, including the two flaws that were being actively exploited in attacks in the wild.
The first flaw, CVE-2024-43093, is a Privilege Escalation Vulnerability in Android Framework, which allows bypassing a file path filter meant to block access to sensitive directories due to improper Unicode normalization. This vulnerability has been rated with a CVSS score of 7.8, indicating that it is a high-severity issue. Successful exploitation of this vulnerability could lead to local escalation of privilege without any additional execution privileges needed.
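As an added illustration of the bug class described above (not code from Google or from the article), the following Python contrasts a path filter that compares raw strings with one that normalizes before comparing. The blocked prefixes and sample paths are constructed, and the exact Android code path is assumed rather than quoted.

```python
import unicodedata

# Constructed sample of protected directory prefixes, modelled on the
# Android/data and Android/obb paths the framework filter is meant to guard.
BLOCKED_PREFIXES = ("Android/data", "Android/obb")

# Constructed sample paths: a plain protected path, a protected path whose
# first letter is FULLWIDTH LATIN CAPITAL LETTER A (U+FF21), and a benign path.
SAMPLE_PATHS = [
    "Android/data/com.example/files",
    "\uff21ndroid/data/com.example/files",
    "Pictures/photo.jpg",
]


def canonicalize(path: str) -> str:
    """Apply Unicode compatibility normalization (NFKC), which folds
    fullwidth and other compatibility variants onto their ASCII forms."""
    return unicodedata.normalize("NFKC", path)


def vulnerable_is_blocked(path: str) -> bool:
    """Filter that compares the raw string: a compatibility variant of a
    blocked prefix does not match, so the path is let through even though a
    consumer that normalizes later resolves it to the protected directory."""
    return any(path.startswith(prefix) for prefix in BLOCKED_PREFIXES)


def hardened_is_blocked(path: str) -> bool:
    """Filter that canonicalizes before comparing, so the check sees the same
    form as any normalizing consumer downstream."""
    canonical = canonicalize(path)
    return any(canonical.startswith(prefix) for prefix in BLOCKED_PREFIXES)


def filter_divergence(paths):
    """Return the paths the raw-string filter allows but the hardened filter
    blocks; a non-empty result is the signature of this bug class."""
    return [p for p in paths if not vulnerable_is_blocked(p) and hardened_is_blocked(p)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(repr(p), "vulnerable:", vulnerable_is_blocked(p),
              "hardened:", hardened_is_blocked(p))
    print("divergent:", filter_divergence(SAMPLE_PATHS))
```

Normalization is only one half of the check: the filter should also canonicalize separators and `..` segments the same way the component that finally opens the path does.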
The second flaw, CVE-2024-50302, is a Linux kernel vulnerability that was fixed by zero-initializing the HID report buffer during allocation to prevent potential kernel memory leaks. This vulnerability has been rated with a CVSS score of 5.5, indicating that it is an important-severity issue. However, unlike the first flaw, this vulnerability did not receive widespread attention until recently, when Amnesty International revealed that it was likely used by Cellebrite's mobile forensic tools to unlock the Android phone of a Serbian student activist.
The fact that these two flaws were actively exploited in real-world attacks highlights the importance of keeping your device and operating system up-to-date. Google's security update not only addresses these vulnerabilities but also includes additional patches for ten critical vulnerabilities in the System component, which could lead to remote code execution with no additional execution privileges needed.
The severity assessment of each vulnerability is based on the effect that exploiting it would have on an affected device, assuming the platform and service mitigations are turned off for development purposes or are successfully bypassed. The advisory published by Google notes that "there are indications that the following may be under limited, targeted exploitation."
It's worth noting that these vulnerabilities were not patched in time to prevent their exploitation in real-world attacks. However, with the release of this update, users can now take steps to protect themselves against these threats.
The fact that Google has addressed these vulnerabilities highlights the importance of maintaining a strong security posture. It also underscores the need for continued investment in cybersecurity research and development, as well as education and awareness programs to help prevent attacks like these from occurring in the first place.
In addition to addressing these vulnerabilities, the update includes additional patches for other issues, including several remote code execution vulnerabilities. These patches demonstrate Google's ongoing commitment to protecting Android users from a wide range of threats.
Overall, the release of this update is an important step forward in the fight against cyber threats. By addressing actively exploited flaws and providing users with the tools they need to protect themselves, Google is helping to keep its users safe online.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Patch-Cycle-Google-Addresses-Two-Actively-Exploited-Android-Flaws-ehn.shtml
https://securityaffairs.com/174887/hacking/google-fixed-android-actively-exploited-flaws.html
Published: Tue Mar 4 09:21:46 2025 by llama3.2 3B Q4_K_M