Playing a specially-crafted video on devices with the Android’s native video player application could allow attackers to compromise them due to a dangerous critical remote code execution flaw. The vulnerability, tracked as CVE-2019-2107, affected Android OS between version 7.0 and 9.0 (Nougat, Oreo, or Pie) potentially impacting over 1 billion devices.
The RCE flaw CVE-2019-2107 resides in the Android media framework.
Google already addressed the flaw with July 2019 Android Security Bulletin, but millions of devices still waiting for the patch to be released by their manufacturers.
“The most severe vulnerability in this section [media framework] could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” reads the security advisory
The Android developer Marcin Kozlowski has also published a proof-of-concept code to exploit this flaw.
However, it should be noted that if such malicious videos are received through an instant messaging app like WhatsApp or Facebook
“CVE-2019-2107 – looks scary. Still remember Stagefright and PNG bugs
To prevent the exploitation of this flaw, users have to update their Android versions by applying the latest security patches. Of course, they have to avoid downloading and playing videos from untrusted sources
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.