Hello, welcome to the Thursday, February 7, 2019 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Google released its monthly update for Android, and among the vulnerabilities being addressed here,

there are three that sort of stick out

and Google actually also points them out in its advisory, CVE 2019, 1986, 87 and 88. These vulnerabilities

affect what they are calling the framework, the basic libraries that are coming with Android, and

particularly how PNGs are being displayed. Apparently, due to these vulnerabilities,

it is possible to execute arbitrary code on an Android phone if you are viewing a malicious PNG.

Since this is the basic PNG rendering library, this affects any software on Android that

does display PNGs.

So this could be exploited via SMS, via email, and via a web browser. So as usual, make sure that you upgrade quickly.

This affects Android 7,8, and 9. And talking about vulnerabilities in graphics libraries, Google's

Project Zero has a real neat blog post by Ivan Frederick,

where he goes into quite a bit of details in vulnerability that was recently discovered in the

Skiya graphics library. Now, Skiya, you may not have heard of it before. I haven't had

heard of it, but apparently this, the library being used by browsers,

for example, Chrome, Firefox, also Android uses this library.

So vulnerability in the Skiah library certainly could have quite substantial impact.

Now the neat thing about the blog post is that it really goes in depth into some of the algorithms being used

to draw different polygons and what kind of memory corruption issues can show up if this is not done right.

So great blog post but sadly a little bit too complex and too much to really do justice here in the podcast.

So I'll just refer you to the show notes for details.

...