Security

Android Security Bulletin August 2018: What you need to know

With a good balance of critical and high vulnerabilities, the Android Security Bulletin offers a well-balanced diet of bugs.

As the Summer draws near its end, Android vulnerabilities continue to be a part of the platform. Although August did see a few less Critical bugs, there were plenty of flaws marked High to balance out the sheet. Let's dive into those vulnerabilities and see what's what.

Before we take that dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device. To no surprise, my daily driver, an Essential PH-1, is running the a security patch that is now one month behind (July 5, 2018).

To find out what patch level you are running, open Settings and go to About Phone. If you're using Android Pie, that location has changed to Settings | Security & Location | Security updated. Scroll down until you see Android security patch level (Figure A).

SEE: Information security policy (Tech Pro Research)

Figure A

Figure A

The Essential PH-1, running Android Pie, is not usually out of date.

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

And now, onto the issues.

2018-08-01 security patch level

Critical issues

There are only three issues marked Critical for the 08-01 patch level. The first affects the Media Framework and could, via a malicious file, enable a remote attacker to execute arbitrary code within the context of a privileged process. The related bug is (listed by CVE, Reference, and Type):

The last two Critical flaws are found in the System and, via a malicious file, could enable a remote attacker to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

High issues

Vulnerabilities marked High comprise the vast majority of bugs for August. The first four are associated with the Framework and could, via a malicious application, bypass user interaction requirements to gain additional permissions. Related bugs are (listed by CVE, Reference, and Type):

The next two vulnerabilities marked High affect the Media framework and could, via a malicious file, enable a remote attacker to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

  • CVE-2018-9444 A-63521984 DoS
  • CVE-2018-9437A-78656554 DoS

The final vulnerabilities, marked High, affect the System and could, via a malicious file, enable a remote attacker to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

2018-08-05 security patch level

Critical vulnerabilities

There are only three Critical vulnerabilities in the 08-05 patch level, each of which affect closed source Qualcomm components. These issues are (listed by CVE and Reference):

  • CVE-2017-18296 A-78240731
  • CVE-2017-18305 A-78239838
  • CVE-2017-18310 A-62211308

Information on Qualcomm closed source issues must come directly from the manufacturer.

High vulnerabilities

The first set of vulnerabilities marked high affect Kernel components. This issues could enable a locally-installed malicious application to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, Type, and Component):

The next group of High vulnerabilities affect open source Qualcomm components and could lead to remote information disclosure. Related bugs are (listed by CVE, Reference, Qualcomm Reference, Type, and Component):

  • CVE-2018-5383 A-79421580 QC-CR#2209635 ID Bluetooth
  • CVE-2017-13077 A-78284758 QC-CR#2133033 ID WLAN
  • CVE-2017-18281 A-78242172 QC-CR#856388 ID Video
  • CVE-2018-11260 A-72997254 QC-CR#2204872 EoP WLAN

Finally, there are a number of vulnerabilities, marked High, that affect Qualcomm closed source components. To find out more about these issues, consult official Qualcomm channels. Related bugs are (listed by CVE and Reference:

  • CVE-2017-18295 A-78240386
  • CVE-2017-18283 A-78240411
  • CVE-2017-18294 A-78240247
  • CVE-2017-18293 A-78240316
  • CVE-2017-18292 A-78241027
  • CVE-2017-18298 A-78239976
  • CVE-2017-18299 A-78240418
  • CVE-2017-18304 A-78239975
  • CVE-2017-18303 A-78240396
  • CVE-2017-18301 A-78238455
  • CVE-2017-18302 A-78239233
  • CVE-2017-18300 A-78239508
  • CVE-2017-18297 A-78240275
  • CVE-2017-18280 A-78285512
  • CVE-2017-18282 A-78241591
  • CVE-2017-18309 A-73539064
  • CVE-2017-18308 A-73539310
  • CVE-2018-11305 A-72951032
  • CVE-2018-11258 A-72951054

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

Also See

Image: Jack Wallen

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox