Conversation

Jonathan Corbet

Forbes is warning us that Android phones are under severe risk due to a kernel vulnerability:

https://www.forbes.com/sites/zakdoffman/2025/02/03/google-warns-all-android-users-your-phone-is-now-at-risk/

This comes from Google's Android security bulletin for February:

https://source.android.com/docs/security/bulletin/2025-02-01

...which informs us that "There are indications that CVE-2024-53104 may be under limited, targeted exploitation". The vulnerability in question, though, is CVE-2024-53104:

https://lwn.net/ml/all/2024120232-CVE-2024-53104-d781@gregkh

...which is in the uvcvideo camera driver. Either I'm missing something badly, or the only way to exploit this would be to plug a malicious camera device into the phone. I can see why they would want to fix this, but I'm not sure it's a red-alert situation for most of us?

@corbet just another lap in the crazy CVE merry-go-round. It's so bad it's even hard to giggle at it.

@corbet I’m surprised people give Forbes the time of day, after the Supermicro thing that went nowhere.

@corbet I think you're right in your assessment. UVC video is nothing that would be easily exploitable remotely or something.
It *is* a risk for anyone plugging in devices at untrusted places and just accepting any USB connections, which is restricted heavily in modern-ish Android versions and requires user interaction and an unlocked screen in most cases.

@jonas One needs to look at actual CVSS codes to know the details, e.g. "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" in this case. To view it in human-readable form use e.g.: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Or you learn the codes by heart with time - AV:L in particular means "attack vector: local". It is not marked as "av:p(hysical)" though, so it would imply it can be exploited by a locally installed malicious app without the need for physical access (e.g. plugging in a malicious device).

@corbet


@mnalis @corbet I guess this could be exploited without a physical USB device if you already are root and can load the driver, create virtual devices etc. so AV:L is kind of accurate. On a regular Android phone this shouldn't be a concern imo.
