The Android Security Bulletin has undergone yet another change. This time around, Android has split off the Pixel and Nexus into their own listing. If you happen to own one of those devices, make sure to check out the Pixel/Nexus Security Bulletin. With that said, it seems the issues plaguing the standard Android Security Bulletin have calmed down quite a bit. Yes, you’ll find the usual suspects of Critical, High, and Moderate vulnerabilities, just not nearly as many. This drop in vulnerabilities could be due to the separation of Android and Nexus/Pixel into their own bulletins. Regardless of why, let’s take a look at the issues that currently haunt Android.
Check the security release on your Android device
Before we dive into what’s included with this month’s bulletin, it’s always good to know what security release is installed on your device. To my surprise, my daily driver OnePlus 3 is still stuck with the August 1, 2017 security patch. To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).
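The same check can be run over adb against every attached device and compared with a baseline. This is an added example, not part of the original article; it assumes adb is installed and USB debugging is authorised, and the function names and the 2017-10-01 baseline are assumptions for illustration.

```shell
#!/bin/sh
# Added example: compare a device's security patch level with a baseline.
# Levels use the YYYY-MM-DD form held in ro.build.version.security_patch.

valid_level() {
  case "$1" in
    [12][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# patch_status LEVEL BASELINE
# Prints "current", "behind:N" (N = calendar months of lag) or "invalid".
patch_status() {
  if ! valid_level "$1" || ! valid_level "$2"; then
    echo invalid
    return 0
  fi
  # ISO dates compare correctly as plain integers once the dashes are gone.
  lvl=$(printf '%s' "$1" | tr -d '-')
  base=$(printf '%s' "$2" | tr -d '-')
  if [ "$lvl" -ge "$base" ]; then
    echo current
    return 0
  fi
  # Strip the leading zero so 08 and 09 are not parsed as octal.
  ly=${1%%-*}; lm=${1#*-}; lm=${lm%%-*}; lm=${lm#0}
  by=${2%%-*}; bm=${2#*-}; bm=${bm%%-*}; bm=${bm#0}
  echo "behind:$(( (by - ly) * 12 + (bm - lm) ))"
}

# audit_devices BASELINE: one line per device that adb lists as attached.
audit_devices() {
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
  while read -r serial; do
    # </dev/null keeps adb from swallowing the remaining serials on stdin.
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch \
      </dev/null | tr -d '\r')
    echo "$serial $level $(patch_status "$level" "$1")"
  done
}

# Constructed sample run: 2017-08-01 is the level quoted in the article,
# 2017-10-01 is an assumed baseline for the October bulletin.
patch_status 2017-08-01 2017-10-01
```

With devices attached, `audit_devices 2017-10-01` prints the serial, reported level and status for each one; a device that returns an empty or malformed value is reported as `invalid` rather than silently passing.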
And now, what’s up with the October Security Bulletin?
There are only five critical issues listed in the October bulletin. These issues are as follows:
The Android Security Bulletin wouldn’t be the same without the Media Framework being involved. There are three bugs marked Critical, each of which is of the Remote Code Execution (RCE) type. These are labeled as Critical, as they could enable a remote attacker, using a specially crafted malicious file, to execute arbitrary code within the context of a privileged process. Related bugs include:
There are two vulnerabilities marked as Critical that affect Qualcomm components. These issues are also of the RCE variety and could enable an attacker, using a specially crafted malicious file, to execute arbitrary code within the context of a privileged process. Related bugs include:
Believe it or not, that’s it for Critical vulnerabilities.
There is an Elevation of Privilege (EoP) vulnerability in the Android framework that could enable a local malicious application to bypass user interaction requirements and gain access to additional privileges. The one related bug is:
The Media framework includes a single EoP issue, marked as High, which could enable a local malicious application to gain access to additional privileges. The related bug is:
Within the Android System, a single Remote Code Execution vulnerability has been marked High. This RCE issue could enable a proximate hacker to execute arbitrary code within the context of a privileged process. The related issue is:
There are two Elevation of Privilege issues found within the kernel. These two bugs are marked High, as they could enable a local malicious application to execute code within the context of a privileged process. The related bugs (both affecting the upstream kernel) are:
That’s all for Critical and High issues within the context of the October Android Security bulletin. It’s a slow month leading into a holiday season that will probably see a rise in Android device purchases. Here’s hoping that elevation of consumerism doesn’t equate to an elevation of vulnerabilities.
Upgrade and update
The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates but also apply them as soon as they are available.