Android’s December security bulletin arrived this week with another sizable crop of vulnerabilities to add to the patching list for devices running version 7.0 Nougat to version 9.0 Pie, including Google Pixel users.
Overall, December sees a total of 53 separate flaws and 21 assigned CVE numbers. (Qualcomm components add another 32 CVEs in mainly closed-source components.)
If there’s a theme this month, it’s probably remote code execution (RCE), which accounts for five of the 11 critical flaws listed, plus one flaw marked high.
Four of these were discovered in the Media Framework with another two in the core system, which could, in Google’s words:
Enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
This means that an attacker exploiting the flaws could remotely take over a vulnerable Android device – for example by sending you a booby-trapped image or talking you into clicking on a this-is-not-the-video-you-wanted-to-watch link.
Fortunately, according to Google, none of the listed flaws is being exploited in the wild.
Vendor-specific updates
Some third-party vendors also issue additional patches through their own updating systems.
Samsung’s maintenance release, for example, bundles 40 Samsung Vulnerabilities and Exposures (SVE) patches, including some that overlap with Google’s system updates.
Meanwhile, LG’s latest LG Vulnerabilities and Exposures (LVE) patches include three vulnerabilities rated high.
If you own a device from Nokia or Motorola, keep your eye on those companies’ websites for patch information as and when it becomes available.
When will devices get the updates?
If you own one of Google’s Pixel or Pixel XL smartphones, updates should be offered within days, with any specific fixes mentioned on the dedicated update page for those devices.
Beyond that, assuming you’re running a supported version of Android (effectively version 7.0 or later), it will depend on the device maker, model and possibly the network.
As we explained last month, Android updates are now denoted by one of two patch levels.
The latest update will appear as either ‘1 December 2018’ or ‘5 December 2018’ in Settings → About phone → Android security patch level.
If you see the first of the month, that means you have the Android updates up to that month but the vendor updates only up to the previous month (i.e. November).
However, if you’re lucky enough to see the fifth day of the month, that means you have updates from both Google and the device maker.
The chances are, unless you’re a Pixel owner, the date you’ll see for the Android security patch level here will be for August, September or October. December’s update may not be offered on your device until January or February 2019.
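As a worked example (added here, not from the article or from Google), the patch-level reading described above turned into a check an administrator could run over the `ro.build.version.security_patch` value that each device reports (for example via `adb shell getprop ro.build.version.security_patch`); the device names and dates in the sample inventory are constructed, and the 1st/5th interpretation is the one the article gives.

```python
from datetime import date

# Interpretation from the article: a patch level dated the 1st of a month
# carries Google's Android fixes for that month but the vendor's fixes only
# up to the previous month; a level dated the 5th carries both for that month.
BULLETIN_MONTH = date(2018, 12, 1)  # the December 2018 bulletin discussed above


def parse_patch_level(value):
    """Parse the YYYY-MM-DD string that ro.build.version.security_patch holds."""
    year, month, day = (int(part) for part in value.strip().split("-"))
    return date(year, month, day)


def previous_month(d):
    return date(d.year - 1, 12, 1) if d.month == 1 else date(d.year, d.month - 1, 1)


def months_between(newer, older):
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def interpret_patch_level(value, bulletin=BULLETIN_MONTH):
    """Report which month's Google and vendor fixes a patch level covers."""
    level = parse_patch_level(value)
    android_month = date(level.year, level.month, 1)
    if level.day == 1:
        vendor_month = previous_month(android_month)
    elif level.day == 5:
        vendor_month = android_month
    else:
        vendor_month = None  # a day the article does not describe; do not guess
    return {
        "android_patches_through": android_month.strftime("%B %Y"),
        "vendor_patches_through": vendor_month.strftime("%B %Y") if vendor_month else "unrecognised",
        "android_months_behind": months_between(bulletin, android_month),
        "vendor_months_behind": months_between(bulletin, vendor_month) if vendor_month else None,
    }


# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE_FLEET = {"pixel-3": "2018-12-05", "oneplus-6t": "2018-11-01", "older-oem": "2018-08-05"}


def stale_devices(fleet, bulletin=BULLETIN_MONTH, max_months_behind=2):
    """Names of devices whose Android patch level lags the bulletin by more than the allowed months."""
    return sorted(name for name, level in fleet.items()
                  if interpret_patch_level(level, bulletin)["android_months_behind"] > max_months_behind)
```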
Tony Gore
OnePlus 6T is showing patch level “1 November 2018” which suggests that by keeping focused on a relatively clean version of Android, OnePlus are keeping fairly well up with Google on security. It’s a bit of a tightrope – push out releases too soon, and the risk of problems is higher; push out too late, and the risk of security issues and compromises is higher.
Tara
One of the reasons I love my Essential phone so much is the patching; they had a bit of a rough start, but I have never been so happy with a smartphone. My phone is patched for December 5th. I had no idea about the 1st and the 5th of the month designation until I read this article, thank you for that!