At the beginning of the month, Android relased two new security bulletins for December, with Google noting that Android users who can update this month should patch as soon as possible to receive mitigations and fixes for 47 vulnerabilities across all devices.
Starting this past October, Google began putting Pixel and Nexus security updates in their own supplemental bulletin, so these fixes should be applied in addition to the base Android monthly updates. Users of these devices have 48 additional fixes this month on top of the base December security update.
Ten of the base Android vulnerabilities were rated as critical, and as with past months’ updates many of the critical vulnerabilities affect the Android Media Framework. Google is, as usual, rather mum on the details of the vulnerabilities here, though it notes the worst of the Media Framework vulnerabilities this month could…
…enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
In plain English, that sounds like what’s often called “click-to-pwn”, where tricking a user into opening up an innocent-looking file could be enough to take over the device.
Similarly, the system-level critical bug would allow a…
…proximate attacker to execute arbitrary code within the context of a privileged process.
This sounds similar, but “proximate” usually translates to “within radio range”, meaning some sort of hole in Bluetooth or Wi-Fi. Once again, “privileged process” implies more than just taking over a single app. (Android apps generally run as if they were individual users, so that app X can’t read app Y’s data, whether by accident or design.)
If you’re noticing a pattern here, indeed remote code execution (RCE) seems to be the name of the game for most of the critical-rated vulnerabilities this month. In fact, nine of the ten are RCEs, with most of the high rated vulnerabilities resulting in elevated privileges or denial of service. (In the Pixel/Nexus bulletin, most of the vulnerabilities listed are moderate-rated, with just a few high.)
Most of the critical-rated vulnerabilities this month affect Android versions going back to Nougat, version 7 (the most recent release is Oreo, now at 8.1), and many of the high-rated vulnerabilities go back even further, to version 5.1.1. It’s not just the Google-originated components and code affected here, as a number of component vendors – including NVIDIA and Qualcomm – are included in the patches too.
If you bought your Android device directly from Google and haven’t patched yet, you should be able to – so please do.
For the rest of us, it’s the same old song – here’s hoping the phone carriers roll these out sooner rather than later.