Android’s April update just landed and this month the headline story is two critical CVE-level patches among a total of 11 affecting anyone with handsets running versions 7, 8, and 9.
The good news is that as far as Google knows, none of this month’s flaws are being exploited. That could change, of course, which is why getting the updates should be a priority as soon as they become available from this week.
The first two criticals are identified as CVE-2019-2027 and CVE-2019-2028, affecting all versions 7.x, 8.x, and 9.0 of the core AOSP, the part of the OS that is universal to anything running Android.
Both are Remote Code Execution (RCE) vulnerabilities in the oft-patched media framework, either of which could allow an attacker to “execute arbitrary code within the context of a privileged process.”
The final critical bug is CVE-2019-2029, another RCE affecting all versions from 7.x and up that will be shipped to users on the 2019-04-05 patch level (see below for an explanation of what that means).
The other eight AOSP flaws are all marked high priority, including six elevation of privilege (EoP) flaws and three information disclosure.
Qualcomm
As usual, Qualcomm gets a small blizzard of fixes, 30 of which are in open-source components and another 44 in proprietary software. The first group includes one critical along with others rated high. The second includes six criticals with the rest marked high priority.
This is what’s good about Android’s now-monthly patch update – users applying it are fixing a lot of important security problems that might once have lingered for months or years.
Android’s confusing patching system
Assuming you’re running Android 7 or later, the latest update will appear as either ‘1 April 2019’ or ‘5 April 2019’ in Settings > About phone >Android security patch level.
Although announced this week, when they become available to download depends on which Android handset you own.
If it’s one of Google’s Pixel smartphones, the patches should be available almost immediately. For other vendors, it could take from weeks to a month or two.
For example, a handset I use for testing runs Android 8.1 but as of April 2019, its patch level is still set to 1 December 2018. Because vendors now have the job of offering updates, this isn’t Google’s doing.
What’s the difference between the two patch dates?
If your device’s security patch level is set to the first day of the month (i.e. 1 April), that means you have the Android updates up to that month but the vendor updates only up to the previous month (i.e. March).
If you’re lucky enough to see the fifth day of the month (5 April), that means you have updates from both Google and the device maker.
From a security perspective, being on the first of these tracks isn’t as much of a disadvantage as it sounds because the most valuable flaws attackers look for are always ones applying to all handsets, not simply those from a specific vendor. The important thing is to receive the updates as frequently, and soon, as possible.