Vulnerability in Samsung Android firmware exploitable by sending an MMS

A vulnerability (CVE-2020-8899) has been identified in the Qmage image processor that ships in Samsung Android firmware and is built into the Skia graphics rendering system. It allows code execution when images in the QM and QG (".qmg") formats are processed in any application. The attack requires no action from the user; in the simplest case, it is enough to send the victim an MMS, email, or chat message containing a specially crafted image.

The problem is believed to have existed since 2014, starting with firmware based on Android 4.4.4, which added changes to handle the additional QM, QG, ASTC and PIO (a PNG variant) image formats. The vulnerability was fixed in the Samsung firmware updates released on May 6. The main Android platform and firmware from other manufacturers are not affected by the problem.

The problem was identified during fuzz testing by an engineer from Google, who also demonstrated that the vulnerability is not limited to crashes and prepared a working exploit prototype that bypasses ASLR protection and launches the calculator by sending a series of MMS messages to a Samsung Galaxy Note 10+ smartphone running the Android 10 platform.


In the example shown, successful exploitation required about 100 minutes of attack and sending more than 120 messages. The exploit consists of two parts: in the first stage, to bypass ASLR, the base address of the libskia.so and libhwui.so libraries is determined, and in the second stage, remote access to the device is provided by launching a "reverse shell". Depending on the memory layout, determining the base address requires sending from 75 to 450 messages.

Additionally, the May set of Android security fixes has been published, fixing 39 vulnerabilities. Three issues have been assigned a critical severity level (details have not yet been disclosed):

  • CVE-2020-0096 is a local vulnerability that allows code execution when processing a specially crafted file;
  • CVE-2020-0103 is a remote vulnerability in the system that allows code execution when processing specially crafted external data;
  • CVE-2020-3641 is a vulnerability in Qualcomm proprietary components.

Source: opennet.ru
