Latest news with #AndroidSecurityBulletin

Android users placed on red alert - you must check your settings 'immediately'

Daily Record

07-05-2025

A worrying new Android bug has been discovered and is already being used to target devices. Android phone users have been warned to make sure their settings are fully up to date, due to a worrying bug targeting them. The stark warning comes from security experts after the bug was found hiding within this hugely popular operating system. Google has now fixed the error, but not before it was handed the dreaded zero-day stamp.

That tag basically means the glitch has already been spotted by hackers and is being actively exploited in the wild. That's why it's so vital everyone makes a quick check without delay, reports the Mirror.

Senior Security Strategy Manager EMEIA at firm Jamf, Adam Boynton, said: 'The latest Android Security Bulletin contains a fix for an actively exploited vulnerability, CVE-2025-27363, therefore we advise all Android users to update their devices immediately.'

Google always releases monthly patches, which usually fix minor bugs and glitches. However, sometimes the problems are a little more serious and that's why it's vital all phone users make sure they keep on top of installing updates.

'The fixed bug is an out-of-bounds memory vulnerability in the FreeType software,' Jamf's Boynton explained.

'FreeType is a core component of Android devices because it renders fonts and is therefore an attractive target for cybercriminals. Exploiting the vulnerability could allow an attacker to gain control of the entire system without requiring elevated privileges.

'Although this is a targeted attack, most likely targeting high-value individuals, we strongly recommend that all users update their Android OS. The bug has been exploited since March, and its zero-click nature means that criminals can exploit the vulnerability without the user even being aware.'

Google usually rolls out its updates to Pixel devices first, with other manufacturers such as Samsung, OnePlus and Honor following soon after the initial release. No matter what phone you have in your pocket, it's a good idea to head to the settings menu this week and make sure things are fully updated.

It comes as an urgent alert was issued to all Gmail users to be aware of a new and sophisticated scam that could compromise their personal data. Last month, an alarming rise in attacks aimed at stealing sensitive information was recorded as hackers target users.

Security experts from Malwarebytes have now stepped in with their warning about this menacing online threat from cybercriminals who are exploiting Google's infrastructure, crafting emails that convincingly seem to be sent directly from the tech firm. The aim of these online crooks is to trick people into divulging their Google account credentials. Users are urged to exercise caution when checking their email accounts to avoid being deceived.

All Android users placed on red alert - you must check your settings 'immediately'

Daily Mirror

07-05-2025

A worrying new Android bug has been discovered and is already being used to target devices. Anyone with an Android phone in their possession must be on high alert and make sure their settings are fully up to date. That's the latest warning from security experts after a worrying bug has been found hiding within this hugely popular operating system. Google has now fixed the glitch, but not before it was handed the dreaded zero-day stamp.

That tag basically means the glitch has already been spotted by hackers and is being actively exploited in the wild. That's why it's so vital everyone makes a quick check without delay.

Explaining more, Adam Boynton, Senior Security Strategy Manager EMEIA at security firm Jamf, said: 'The latest Android Security Bulletin contains a fix for an actively exploited vulnerability, CVE-2025-27363, therefore we advise all Android users to update their devices immediately.'

Google always releases monthly patches, which usually fix minor bugs and glitches. However, sometimes the problems are a little more serious and that's why it's vital all phone users make sure they keep on top of installing updates.

So what happens if you are targeted by the latest issue?

'The fixed bug is an out-of-bounds memory vulnerability in the FreeType software,' Jamf's Boynton explained.

'FreeType is a core component of Android devices because it renders fonts and is therefore an attractive target for cybercriminals. Exploiting the vulnerability could allow an attacker to gain control of the entire system without requiring elevated privileges.

'Although this is a targeted attack, most likely targeting high-value individuals, we strongly recommend that all users update their Android OS. The bug has been exploited since March, and its zero-click nature means that criminals can exploit the vulnerability without the user even being aware.'

Google usually rolls out its updates to Pixel devices first, with other manufacturers such as Samsung, OnePlus and Honor following soon after the initial release. No matter what phone you have in your pocket, it's a good idea to head to the settings menu this week and make sure things are fully updated.

The reason you don't have to worry about Android security almost went dark

Yahoo

17-04-2025

Most users of technology don't have to consciously think about security vulnerabilities on their most-used devices, including Android-based products, very often. As long as you update your phone as soon as new security patches are available, you're usually covered. However, there's an intricate government-supported program operating to make that all possible, and it almost went dark today.

After roughly 24 hours of uncertainty, the U.S. Cybersecurity and Infrastructure Agency (CISA) announced that it would continue funding the Common Vulnerabilities and Exposures (CVE) program on the day its previous contract was set to expire. Today, April 16, a spokesperson for the CISA told The Verge that the agency "executed the option period on the contract to ensure there will be no lapse in critical CVE services." But it went down to the wire in a move that could've sent the entire globe into a tech security nightmare.

It all has to do with the CVE program, which identifies and tracks security issues in public view, from the point a potential problem is identified to the time when a proper fix is issued. It has nearly 500 partners that include security researchers, open-source developers, and major companies — including big ones like Google, Microsoft, and Apple.

If the CVE program sounds familiar, that's probably because you've seen a CVE code mentioned in an article (like one of the many CVE-related ones on Android Central) or the release notes of an update. They're also a major part of monthly releases on the Android Security Bulletin. These codes, like CVE-2024-53104, start with CVE followed by the year and a number, and create a universal database to track security flaws across devices, platforms, and companies.

The CVE program has been active for 25 years, beginning in 1999. It has become invaluable to the security community, serving as a universal way for researchers, developers, companies, and the public to work together to discover and patch crucial vulnerabilities. More importantly, it publicly states whether a vulnerability is believed to have been actively exploited by bad actors.

Leading security researchers have pointed out the consequences of the CVE program shutting down, like Lukasz Olejnik on X (formerly Twitter). "The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability," wrote Olejnik, a scholar with advanced degrees in computer science and information technology law with specializations in privacy. "Total chaos, and a sudden weakening of cybersecurity across the board."

Luckily, it appears that the crisis has been avoided, as the federal government will continue to fund the CVE program for at least the near future. However, the decision coming down to the wire as the Trump administration slashes federal funding across the board puts the CVE program in a more uncertain position now than at any point in its 25-year history.

"The CVE Program is invaluable to the cyber community and a priority of CISA," the spokesperson said in a statement to The Verge. "We appreciate our partners' and stakeholders' patience."

But that final green light didn't come quick enough, as the security world already started making plans to keep the CVE program up and running — even without federal funding. CVE board members created the CVE Foundation, a nonprofit planned for in secret for the past year that would ensure the CVE mission continues.

"CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself," said Kent Landfield, an officer of the CVE Foundation, in a press release. "Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work, from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats."

The foundation explains that it is concerned that having a single government sponsor could create "a single point of failure in the vulnerability management ecosystem."

The CVE program is a critical part of Android security, and it should be relevant to every single person who touches an Android-based device. Although government funding has been acquired for now, the moves that have been set in motion by the last-minute decision may not be reversed. The CVE Foundation is here, and it might be here to stay.

There's no word on whether the CVE Foundation will continue to operate now that the CVE program has retained U.S. government funding, but the foundation said more information will be released "over the coming days." The immediate U.S. government funding doesn't solve the long-term problem the CVE Foundation has identified — the possibility of having a single point of failure — so there still may be a reason for it to exist.

Regardless of how this all plays out, the decision to fund the CVE program should've never come this close to ending a crucial global security program. Most of us have the luxury to not think about device security that often, and it's programs like the CVE that allow us that privilege.
