- Joined
- Jan 5, 2006
- Messages
- 17,830 (2.67/day)
System Name | AlderLake / Laptop |
---|---|
Processor | Intel i7 12700K P-Cores @ 5Ghz / Intel i3 7100U |
Motherboard | Gigabyte Z690 Aorus Master / HP 83A3 (U3E1) |
Cooling | Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans / Fan |
Memory | 32GB DDR5 Corsair Dominator Platinum RGB 6000MHz CL36 / 8GB DDR4 HyperX CL13 |
Video Card(s) | MSI RTX 2070 Super Gaming X Trio / Intel HD620 |
Storage | Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2 / Samsung 256GB M.2 SSD |
Display(s) | 23.8" Dell S2417DG 165Hz G-Sync 1440p / 14" 1080p IPS Glossy |
Case | Be quiet! Silent Base 600 - Window / HP Pavilion |
Audio Device(s) | Panasonic SA-PMX94 / Realtek onboard + B&O speaker system / Harman Kardon Go + Play / Logitech G533 |
Power Supply | Seasonic Focus Plus Gold 750W / Powerbrick |
Mouse | Logitech MX Anywhere 2 Laser wireless / Logitech M330 wireless |
Keyboard | RAPOO E9270P Black 5GHz wireless / HP backlit |
Software | Windows 11 / Windows 10 |
Benchmark Scores | Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock |
Vulnerable phones include 4 Pixel models, devices from Samsung, Motorola, and others.
Attackers are exploiting a zeroday vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night.
There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
A “non-exhaustive list” of vulnerable phones include:
A member of Google’s Android team said in the same Project Zero thread that the vulnerability would be patched—in Pixel devices, anyway—in the October Android security update, which is likely to become available in the next few days. The schedule for other devices to be patched wasn’t immediately clear. Pixel 3 and Pixel 3a devices aren’t affected.
“This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation,” Tim Willis, another Project Zero member, wrote, citing Android team members. “Any other vectors, such as via web browser, require chaining with an additional exploit.”
Google representatives wrote in email: “Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue.”
The use after free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14, without the benefit of a tracking CVE. That fix was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel. For reasons that weren’t explained in the post, the patches never made their way into Android security updates. That would explain why earlier Pixel models are vulnerable and later ones are not. The flaw is now tracked as CVE-2019-2215.
Attackers are exploiting a zeroday vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night.
There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
A “non-exhaustive list” of vulnerable phones include:
- Pixel 1
- Pixel 1 XL
- Pixel 2
- Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7
- Samsung S8
- Samsung S9
A member of Google’s Android team said in the same Project Zero thread that the vulnerability would be patched—in Pixel devices, anyway—in the October Android security update, which is likely to become available in the next few days. The schedule for other devices to be patched wasn’t immediately clear. Pixel 3 and Pixel 3a devices aren’t affected.
“This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation,” Tim Willis, another Project Zero member, wrote, citing Android team members. “Any other vectors, such as via web browser, require chaining with an additional exploit.”
Google representatives wrote in email: “Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue.”
The use after free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14, without the benefit of a tracking CVE. That fix was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel. For reasons that weren’t explained in the post, the patches never made their way into Android security updates. That would explain why earlier Pixel models are vulnerable and later ones are not. The flaw is now tracked as CVE-2019-2215.
Attackers exploit 0-day vulnerability that gives full control of Android phones
Vulnerable phones include 4 Pixel models, devices from Samsung, Motorola, and others.
arstechnica.com