In its February security update, Google disclosed that it has fixed this PNG-related vulnerability in the Android OS. Although the company has fixed the problem, the fix did not go down well with security experts. The tech giant is now being slammed for not recognising and fixing the flaw earlier.
The flaw is triggered by a modified Portable Network Graphics (PNG) image and affects devices running Android 7.0 Nougat and newer versions of the Android OS. PNG is a raster graphics file format that supports data compression. Cybersecurity experts have alleged that Google’s inability to analyse media content for security flaws has led to this situation.
The vulnerabilities, tracked as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, have now been fixed by Google. Most of the bugs were found in the latest Android versions. The first phones to receive the update were the Pixel, Pixel 2, and Pixel 3 models.
Affected Android versions
In a security update released on February 8, Google said that it spent nearly $3.4 million (approx Rs 24.19 crore) to fix bugs in 2018. The company has various channels and vulnerability reward programs. These programs have paid out $15 million (approx Rs 106 crore) since their launch in November 2010.
Only Pixel devices protected
Another reason behind the media frustration is Android’s release system. Google’s security fix is available only for a handful of devices running the stock OS. If you own an Android device that is not a Pixel, you could still be at risk. OEMs take too long to bundle Google’s security patch and push an update to their custom operating systems built on top of stock Android.