Samsung patched vulnerabilities in Galaxy Store app, update recommended.
Samsung Electronics Co. Ltd. has recently patched two vulnerabilities in its Galaxy Store app that could have allowed malicious actors to install any app on a targeted device without the user’s knowledge or consent. The first vulnerability, CVE-2023-21433, involves an exported function that does not safely handle incoming intents, allowing attackers to exploit existing applications installed on a device to automatically install any application available in the Galaxy Store app. The second vulnerability, CVE-2023-21434, is an improper input validation issue that could allow an attacker to execute JavaScript by launching a webpage. It stems from a WebView filter in the Galaxy Store app that was not correctly configured, which allowed the WebView to browse to an attacker-controlled domain.
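The WebView filter issue above comes down to which destinations an app agrees to load. As an added illustration (not Samsung's code and not a reconstruction of the actual flaw), the sketch below contrasts a loose string-based filter with a strict allow-list that parses the URL first; every host name and function name in it is constructed for the example.

```javascript
// Added illustration: host allow-list check for URLs handed to a WebView.
// Host names are constructed placeholders, not real Galaxy Store domains.
const ALLOWED_HOSTS = new Set(["store.example.com", "help.example.com"]);

// Loose filter (the failure class): accepts any URL whose text merely
// contains a trusted name somewhere in the string.
function looseFilter(rawUrl) {
  return rawUrl.includes("store.example.com");
}

// Strict filter: parse first, then require https, no embedded credentials,
// the default port, and an exact match on the parsed host name.
function strictFilter(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is rejected, never "best effort" loaded
  }
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  if (url.port !== "") return false; // non-default port
  return ALLOWED_HOSTS.has(url.hostname); // hostname is already lower-cased
}

// Constructed inputs: one legitimate URL, then URLs that only look trusted.
const SAMPLES = [
  "https://store.example.com/app/123",
  "https://store.example.com.attacker.test/",
  "https://attacker.test/?next=store.example.com",
  "https://store.example.com@attacker.test/",
  "http://store.example.com/app/123",
  "javascript:alert(1)//store.example.com",
];

// Run both filters over the samples so the difference is visible side by side.
function compare(samples) {
  return samples.map((u) => ({
    url: u,
    loose: looseFilter(u),
    strict: strictFilter(u),
  }));
}

console.table(compare(SAMPLES));
```

The loose filter accepts all six inputs, while the strict filter accepts only the first.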
Users are encouraged to install the latest update to the Galaxy Store app to fix these vulnerabilities. JT Keating, senior vice president of Strategic Initiatives at mobile security solutions provider Zimperium Inc., commented that “outside of mobile device management type apps, apps should not be able to install other apps on mobile”. Mike Parkin, senior technical engineer at enterprise cyber risk remediation company Vulcan Cyber Ltd., added that “though an attacker would have to get a victim to execute the hostile JavaScript and get their malicious application onto the Galaxy App Store to be downloaded, fortunately, Samsung has already patched the issues”.
To ensure the security of their devices, users should keep their apps up to date and be wary of malicious links.
In conclusion, Samsung has patched two vulnerabilities in its Galaxy Store app that could have allowed malicious actors to install any app on a targeted device without the user’s knowledge or consent. Users should install the latest update to the Galaxy Store app and be aware of malicious links.