12 Android applications have security holes, users should update immediately

Mobile security company Oversecured has published an article revealing security vulnerabilities that have been discovered in Android applications and system components on Xiaomi phones, allowing thieves to access activities, Arbitrary services with system privileges, file theft…

12 Android apps are affected by security vulnerabilities, including:

1. Gallery (com.miui.gallery)
2. GetApps (com.xiaomi.mipicks)
3. Mi Video (com.miui.videoplayer)
4. MIUI Bluetooth (com.xiaomi.bluetooth)
5. Phone Services (com.android.phone)
6. Print Spooler (com.android.printspooler)
7. Security (com.miui.securitycenter)
8. Security Core Component (com.miui.securitycore)
9. Settings (com.android.settings)
10. ShareMe (com.xiaomi.midrop)
11. System Tracing (com.android.traceur), and
12. Xiaomi Cloud (com.miui.cloudservice)

Some notable bugs discovered in these 12 apps include bugs in the Settings app that could allow crooks to steal arbitrary files as well as leak device information, researchers said. Bluetooth, connected WiFi network and emergency contacts; shell command injection error affecting the System Tracing application.

The cause of the vulnerability is believed to be due to the Chinese phone manufacturer modifying legitimate components from the Android Open Source Project (AOSP) including Phone Services, Print Spooler, Settings and System Tracing.

In addition, researchers also discovered a memory corruption vulnerability, originating from an Android library called LiveEventBus that affects the GetApps application. Oversecured reported this vulnerability to project maintainers more than a year ago, but it has not been patched yet.

Oversecured said the issues have been reported to Xiaomi since April 25 and recommends that Xiaomi phone users update to the latest version to minimize potential threats.

13 popular applications have serious security vulnerabilities, users need to update immediately

Apple and The Citizen Lab have just discovered a serious security vulnerability, affecting a series of popular applications and millions of Internet users.

The discovered security vulnerability codenamed CVE-2023-4863 is related to heap buffer overflow in WebP due to programs and applications not managing memory well and allowing important system data to be overwritten.

If hackers successfully exploit the vulnerability, they can remotely take control of the system and launch larger-scale attacks.

This is a huge vulnerability because practically every software program or application that uses libwebp to display WebP images has problems.

The vulnerability affects a series of popular applications and OTT software such as Google Chrome, Mozilla Firefox, Microsoft Edge, Affinity, Gimp, Inkscape, LibreOffice, Thunderbird, ffmpeg, Honeyview, Telegram, Signal and 1Password.

In addition, the existence of WebP vulnerabilities also exists in many Android applications as well as cross-platform applications built with Flutter.

Google has confirmed the existence of the WebP vulnerability and has urgently released the Google Chrome 116 update to patch it.

Experts recommend that users who are using any of the applications mentioned in this article should update the software to the latest version immediately to keep their devices safer.

Apple's Security Architecture and Engineering (SEAR) team discovered and reported the WebP vulnerability in collaboration with The Citizen Lab on September 6, 2023.