Do you have an Android device? 

...and is it built around a Qualcomm or MediaTek chipset?  If you answered yes to both of those questions, be aware that researchers at Check Point have recently discovered an issue which could put your device at risk.

The team discovered a flaw in the implementation of the ALAC (Apple Lossless Audio Codec) which was open-sourced back in 2011.  The flaw could allow remote code execution on your device and unfortunately, Qualcomm and MediaTek are two of the industry's largest chip manufacturers.

The good news is that both Qualcomm and MediaTek acted quickly, and this issue has already been resolved.  The problem involved three separate flaws tracked as CVE-2021-0674 (medium severity with a 5.5 score), CVE-2021-0675 (high severity with a 7.8 score), and CVE-2021-30351 (critical severity with a 9.8 score).


Qualcomm went public with the issue

While MediaTek did not release a formal statement about the matter, Qualcomm did.

"Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates have become available."

If you haven't installed any security patches for your device since December of last year, grab the latest and install it at your earliest convenience and you'll be all set.  Until then, be sure not to open any audio files from unknown sources, which is good advice even after you've installed the patch.  One can never be too cautious.


My perspective

Kudos to the sharp-eyed researchers at Check Point and to both Qualcomm and MediaTek for their fast action here.  That's how it's done.


They were the first ones to say: "it's a trap!"


By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Thanks for reading this post. I always take into mind that your time and attention are precious. And these posts need to be timely, to the point, and short.

For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter

I am also a published author and speaker on cloud computing, work-at-home, and cybersecurity. I work extensively with business and professional associations to provide free small business technology education programs.


Contact me if you would like me to speak to your association