On September 4, 2018 Google released an Android Security Bulletin containing details of security vulnerabilities affecting Android devices. Android security updates normally include two parts: general updates that affect most users and the updates affecting specific partners, such as hardware partners like NVIDIA, Broadcom and Qualcomm. Here we’ve summarized the general security updates on the Android Security bulletin from Security Patch level 2018-09-01.
- 4 Remote Code Execution Vulnerabilities: These types of vulnerabilities allow attackers to execute arbitrary code on user devices. One was found in the Android runtime, one in the system libraries, and two in the media framework. The media framework vulnerabilities are rated as critical, and the others as high severity.
- 7 Information Disclosure Vulnerability: These vulnerabilities allow malicious apps to access user data, and are all found in the system libraries. They are all rated as high severity.
- 10 Privilege Escalation Vulnerabilities: These types of vulnerabilities allow unprivileged processes, such as from third-party apps, to escalate privileges to the system level, bypassing the sandbox restrictions. Six are high severity and are found in the Android runtime, framework, media framework, and system libraries. The system libraries additionally have one moderate and one critical vulnerability of this type.
- 3 Denial of Service Vulnerabilities: These types of vulnerabilities disable users’ ability to use the phone or access certain services. Two moderate severity vulnerabilities are found in the media framework, and one high severity vulnerability is in the system libraries.
The 2018-09-05 Security Patch, described in the same bulletin, gives information on additional patched vulnerabilities:
- 2 Information Disclosure Vulnerabilities: Found in the Android framework and kernel, these are both rated as high severity.
- 33 Qualcomm Vulnerabilities: These are fixes by Qualcomm for vulnerabilities found in various components including the Video, WLAN Host, Boot, and WiredConnectivity systems. 27 of the 33 are in closed-source components. 2 vulnerabilities are moderate severity, 25 are high, and 6 are critical.
Appthority urges users to update their Android devices to the latest OS version which includes these security updates. We also recommend enterprise IT admins set strong policies against keeping outdated OS versions on their employees’ mobile devices.