Site icon Sophos News

Patch now (if you can!): Latest Android update fixes clutch of RCE flaws

Android’s December security bulletin arrived this week with another sizable crop of vulnerabilities to add to the patching list for devices running version 7.0 Nougat to version 9.0 Pie, including Google Pixel users.
Overall, December sees a total of 53 separate flaws and 21 assigned CVE numbers. (Qualcomm components add another 32 CVEs in mainly closed-source components.)
If there’s a theme this month, it’s probably remote code execution (RCE), which accounts for five of the 11 critical flaws listed, plus one flaw marked high.
Four of these were discovered in the Media Framework with another two in the core system, which could, in Google’s words:

Enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

This means that an attacker exploiting the flaws could remotely take over a vulnerable Android device – for example by sending you a booby-trapped image or talking you into clicking on a this-is-not-the-video-you-wanted-to-watch link.
Fortunately, according to Google, none of the listed flaws is being exploited in the wild.

Vendor-specific updates

Some third-party vendors also issue additional patches through their own updating systems.
Samsung’s maintenance release, for example, bundles 40 Samsung Vulnerabilities and Exposures (SVE) patches, including some that overlap with Google’s system updates.
Meanwhile, the latest patches for LG Vulnerabilities and Exposures (LVE) patches include three vulnerabilities rated high.
If you own a device from Nokia or Motorola, keep your eye on those companies’ websites for patch information as and when it becomes available.

When will devices get the updates?

If you own one of Google’s Pixel or Pixel XL smartphones, updates should be offered within days, with any specific fixes mentioned on the dedicated update page for those devices.
Beyond that, assuming you’re running a supported version of Android (effectively version 7.0 or later), it will depend on the device maker, model and possibly the network.
As we explained last month, Android updates are now denoted by one of two patch levels.
The latest update will appear as either ‘1 December 2018’ or ‘5 December 2018’ in SettingsAbout phone → Android security patch level.
If you see the first of the month, that means you have the Android updates up to that month but the vendor updates only up to the previous month (i.e. November).
However, if you’re lucky enough to see the fifth day of the month, that means you have updates from both Google and the device maker.
The chances are, unless you’re a Pixel owner, the date you’ll see for Android Patch Level here will be for August, September or October. December’s update may not be offered on your device until January or February 2019.

Exit mobile version