Millions of Android devices were vulnerable to a remote code execution attack due to flaws in an audio codec that Apple open-sourced years ago but which hasn’t been patched since.
Researchers at Check Point discovered a bug in Apple Lossless Audio Codec (ALAC), which is audio-compression technology that Apple open-sourced in 2011. After this, ALAC was embedded in Android devices and programs for audio playback.
The problem, as Check Point researchers note, is that while Apple updated and patched its proprietary version of ALAC, the open-source code for ALAC hasn’t been updated since 2011 and it contains a critical flaw that allows for remote code execution.
Read more…
Source: ZDNet