Lenovo Security Bulletin: LEN-6421
Potential impact: Users with older versions of Android may be susceptible to remote code execution or UXSS attacks, and users with any version of Android may be susceptible to Intent Scheme attacks.
Importance: High
Summary description:
Vulnerabilities have been identified in Android versions of Eggplant earlier than 3.5.98_WW. Lenovo advises customers to update to the latest version of Eggplant to avoid these vulnerabilities.
The Android version of Eggplant may be pre-installed on some Lenovo mobile devices, or it can be downloaded to non-Lenovo Android devices. It allows users to share specified files and folders between smartphones, tablets, and personal computers.
Fixes include:
1. Android version of Eggplant: When the operating system version of the user's Android device is earlier than 4.2, versions of the Android app below 3.5.98 are vulnerable to the following Android remote code execution vulnerabilities: CVE-2012-6636, CVE-2014-1939 or CVE-2014-7224.
2. Android version of Eggplant fast transmission: Versions of the Android version of Eggplant fast transmission below 3.5.98 are susceptible to an Intent Scheme URL attack. The issue has been confirmed as CVE-2016-4782.
3. Android version of Eggplant Express: When the operating system version of the user's Android device is earlier than 4.4, versions of the Android version of Eggplant fast transmission lower than 3.5.98 are vulnerable to UXSS attacks. The issue has been confirmed as CVE-2016-4783.
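The three conditions above can be applied to a device inventory to see which CVEs still apply to each device. This is an added example, not Lenovo's code; the function names and the inventory rows are constructed for illustration, and it assumes app version strings have the form shown in this bulletin (for example 3.5.98_WW).

```python
import re

FIXED_APP = (3, 5, 98)  # first fixed app version per the bulletin
# (Android release below which the issue applies, or None for any release; CVEs)
RULES = [
    ((4, 2), ["CVE-2012-6636", "CVE-2014-1939", "CVE-2014-7224"]),  # remote code execution
    (None, ["CVE-2016-4782"]),                                      # Intent Scheme URL
    ((4, 4), ["CVE-2016-4783"]),                                    # UXSS
]

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple: '3.5.98_WW' -> (3, 5, 98)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '4.2' compares equal to '4.2.0'

def exposed_cves(android_release, app_version):
    """CVEs from the bulletin that apply to one device, in bulletin order."""
    if parse_version(app_version) >= FIXED_APP:
        return []  # fixed build: none of the three items applies
    os_ver = parse_version(android_release)
    hits = []
    for below, cves in RULES:
        if below is None or os_ver < below + (0,):
            hits.extend(cves)
    return hits

# Constructed inventory rows: (device label, Android release, installed app version)
INVENTORY = [
    ("tablet-01", "4.1.2", "3.5.38_ww"),
    ("phone-02", "4.3", "3.5.97_ww"),
    ("phone-03", "6.0", "3.0.18_ww"),
    ("phone-04", "4.1.2", "3.5.98_WW"),
    ("phone-05", "4.4", "3.10.2_ww"),  # numeric compare: 3.10.2 is newer than 3.5.98
]

def triage(inventory):
    """Map each device label to the CVEs it is still exposed to."""
    return {dev: exposed_cves(os_rel, app) for dev, os_rel, app in inventory}

if __name__ == "__main__":
    for dev, cves in triage(INVENTORY).items():
        print(f"{dev}: {', '.join(cves) if cves else 'not affected'}")
```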
Solution:
What customers should do to protect themselves:
Go to the Google Play store and download the latest available version to update the Android Eggplant Express to 3.5.98_ww or later: https://play.google.com/store/apps/details?id=com.lenovo.anyshare.gps&hl=en
Thanks:
Thanks to Nicky from Tencent Security Platform Department (CVE-2016-4782, CVE-2016-4783)
Additional information and references:
CVE ID: CVE-2016-4782, CVE-2016-4783
Revision history:
Version: 1.0
Date: 2016.5.19
Description: Initial version