At the beginning of the month, Android relased two new security bulletins for December, with Google noting that Android users who can update this month should patch as soon as possible to receive mitigations and fixes for 47 vulnerabilities across all devices.
Starting this past October, Google began putting Pixel and Nexus security updates in their own supplemental bulletin, so these fixes should be applied in addition to the base Android monthly updates. Users of these devices have 48 additional fixes this month on top of the base December security update.
Ten of the base Android vulnerabilities were rated as critical, and as with past months’ updates many of the critical vulnerabilities affect the Android Media Framework. Google is, as usual, rather mum on the details of the vulnerabilities here, though it notes the worst of the Media Framework vulnerabilities this month could…
…enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
In plain English, that sounds like what’s often called “click-to-pwn”, where tricking a user into opening up an innocent-looking file could be enough to take over the device.
Similarly, the system-level critical bug would allow a…
…proximate attacker to execute arbitrary code within the context of a privileged process.
This sounds similar, but “proximate” usually translates to “within radio range”, meaning some sort of hole in Bluetooth or Wi-Fi. Once again, “privileged process” implies more than just taking over a single app. (Android apps generally run as if they were individual users, so that app X can’t read app Y’s data, whether by accident or design.)
If you’re noticing a pattern here, indeed remote code execution (RCE) seems to be the name of the game for most of the critical-rated vulnerabilities this month. In fact, nine of the ten are RCEs, with most of the high rated vulnerabilities resulting in elevated privileges or denial of service. (In the Pixel/Nexus bulletin, most of the vulnerabilities listed are moderate-rated, with just a few high.)
Most of the critical-rated vulnerabilities this month affect Android versions going back to Nougat, version 7 (the most recent release is Oreo, now at 8.1), and many of the high-rated vulnerabilities go back even further, to version 5.1.1. It’s not just the Google-originated components and code affected here, as a number of component vendors – including NVIDIA and Qualcomm – are included in the patches too.
If you bought your Android device directly from Google and haven’t patched yet, you should be able to – so please do.
For the rest of us, it’s the same old song – here’s hoping the phone carriers roll these out sooner rather than later.
Kurt S.
I read the final line in the above article “For the rest of us, it’s the same old song – here’s hoping the phone carriers roll these out sooner rather than later.” and winced in pain. It took until the middle of last month for my Motorola X Pure edition to be updated to Nougat….16 months. There isn’t a hope in H*ll that the security updates will be released or pushed any sooner.
Laurence Marks
Maria wrote “For the rest of us, it’s the same old song – here’s hoping the phone carriers roll these out sooner rather than later.”
Well, you didn’t name components but I got an update for Android System WebView and updates for several Google Apps (Docs, Photos, etc.) at 2300 EST (Z-5) last night. I assume Motorola (Lenovo) was right on the ball.
Could you name the updated components in the future?
j karna
Unfortunately the likes of Motorola owned by Lenovo and others do not provide updates.
Meer
Hey Maria,
I own OnePlus 3, and thankfully OnePlus is dedicated enough to provide monthly security updates. Thanks for sharing this article.
Have a nice day ahead.
Thomas Witten
Thanks for this useful rundown