News for Admins

Tech News

An Image Can Compromise Your Android Device

Although most Android-related security holes are limited to third-party apps installed from outside the official store, once in a while vulnerabilities turn up in the OS itself.

Three newly found vulnerabilities (CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988) can affect handsets running any version from Android 7.0 Nougat to the current Android 9.0 Pie.

One of the three vulnerabilities allows a maliciously crafted PNG file to execute arbitrary code on unpatched Android devices.

According to Google, "The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed."

Google has already released a patch, but many Android vendors rarely patch their devices. If you are running Google devices, you surely have the patch; the same cannot be said for other Android phone vendors.

LibreOffice Vulnerable to Remote Code Execution Flaw

Security researcher Alex Inführ has discovered a vulnerability in OpenOffice and LibreOffice that allows remote code execution (https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html).

In a blog post, Inführ wrote that he found a way to achieve remote code execution as soon as a user opens a malicious ODT file and moves their mouse over the document, without triggering a warning dialog.

He demonstrated a proof of concept in which he created a hyperlink and changed its color from the default blue to white so it would not raise suspicion. The link covered the whole page, increasing the chance of the user hovering the mouse over it. Remember, no clicking was needed; just hovering the mouse over the hyperlink was enough to execute the payload.

The culprit here is the Python interpreter (pydoc.py) that comes with LibreOffice. It accepts commands and executes them via the command line.

LibreOffice has already released a patch; a patch is also available for Windows versions of OpenOffice.
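For triage of ODT files on systems that are not yet patched, the hover-triggered hyperlink described above can be looked for in the document itself. The following is an added example, not code from Inführ's post or from LibreOffice; it assumes the trigger is stored as a standard ODF `script:event-listener` inside the hyperlink element, and the sample document and handler URI are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {  # standard OpenDocument namespaces
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
MAX_XML_BYTES = 50 * 1024 * 1024  # assumed cap against oversized archive members

def q(prefix, name):
    return "{%s}%s" % (NS[prefix], name)

def find_link_event_handlers(odt_bytes):
    """Return (event, handler URI, link text) for each hyperlink with a script listener."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for member in [m for m in ("content.xml", "styles.xml") if m in zf.namelist()]:
            if zf.getinfo(member).file_size > MAX_XML_BYTES:
                raise ValueError(member + " is too large to scan")
            data = zf.read(member)
            if b"<!DOCTYPE" in data:  # assumption: ODF parts carry no DTD, so refuse one
                raise ValueError(member + " contains a DOCTYPE")
            for link in ET.fromstring(data).iter(q("text", "a")):
                for lst in link.iter(q("script", "event-listener")):
                    findings.append((lst.get(q("script", "event-name"), ""),
                                     lst.get(q("xlink", "href"), ""),
                                     "".join(link.itertext()).strip()))
    return findings

def build_sample_odt(with_listener):  # constructed sample; handler URI is a placeholder
    listener = ('<office:event-listeners><script:event-listener '
                'script:language="ooo:script" script:event-name="dom:mouseover" '
                'xlink:type="simple" xlink:href="vnd.sun.star.script:'
                'constructed_sample.py$handler?language=Python&amp;location=user"/>'
                '</office:event-listeners>') if with_listener else ""
    xmlns = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    content = ('<office:document-content %s><office:body><office:text><text:p>'
               '<text:a xlink:href="https://example.com/">%sreport</text:a></text:p>'
               '</office:text></office:body></office:document-content>' % (xmlns, listener))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()

if __name__ == "__main__":
    print(find_link_event_handlers(build_sample_odt(True)))
```

Any finding deserves a manual look, since ordinary documents rarely attach script handlers to hyperlinks; an empty result does not prove a file is safe.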
