Google receives flak for not patching PNG vulnerability, researchers say millions of Android users still at risk

Google's February Security patch for phones included a fix for a critical PNG vulnerability. Security researchers slam Google for not patching the flaw earlier.

Published Date
11 - Feb - 2019
| Last Updated
11 - Feb - 2019
 
Google receives flak for not patching PNG vulnerability, research...

Highlights:

  • Google recently patched a PNG vulnerability.
  • The flaw could infect Android users and is still a cause of concern, as per security researchers.
  • Google’s frivolous approach to media parsing deemed root cause of the issue. 

 

Early this month, Google announced that its February security update is now available for Google Pixel series of smartphones. While the new patch addresses a wide range of vulnerabilities, Google has received flak from cybersecurity experts for not patching a flaw earlier that the company itself has deemed a critical security vulnerability in Framework. The bug in question enables a remote attacker to execute arbitrary code within the context of a privileged process using a specially crafted Portable Network Graphics (PNG) file. Android Headlines reports that a security expert from Tripwire computer security, Craig Young, calls the flaw “alarming” and suggests that the “root cause of the issue is a frivolous approach to media content parsing on Google's part.” 

One can be affected by the flaw by simply viewing a modified PNG image file that is infected. The primary issue here is that even though the flaw is being patched with the February security update, users can be exploited since the patch takes some time to make it to devices. Additionally, the problem is said to affect all devices running on Android 7.0 Nougat and above, and most smartphone makers might not even release a security patch for older devices. As per the report, Tim Erlin, Tripwire Product Management VP, is worried that "manufacturers may wait months to protect users from attackers" in this case, which is something that generally happens in the Android ecosystem. As of now, the only reasonable solution to this issue seems to be an expedited rollout process of the new February security patch. 

Speaking of cybersecurity, February 5 was Safer Internet Day and Google announced a bunch of new tools and products to help users secure their data. The company released a new Chrome extension called Password Checkup that works just like HaveIBeenPwned. It matches a user’s login credentials with its database of breached usernames and passwords and alerts them if it finds that the credentials were ever included in a data leak. In case the credentials match, the extension triggers an automatic warning and suggests that the user changes their password.

Google also announced new encryption called Adiantum, which is aimed at less powerful devices like entry-level smartphones and other smart devices like TVs and smartwatches. The new method is said to be designed such that there is no need to use specialised hardware for efficient encryption of locally stored data. 

Related Reads: 

Adiantum is Google’s latest security innovation to enable encryption on less powerful devices

Google’s new Password Checkup Chrome extension brings HaveIBeenPwned-like service to your browser

Digit NewsDeskDigit NewsDesk

The guy who answered the question 'What are you doing?' with 'Nothing'.