Android Security Bulletin December 2018: What you need to know

Before we dive into what's included with this month's Android Security Bulletin, it's always good to know what security release is installed on your device. To no surprise, my daily driver, a Pixel 3, is running a security patch that is up to date (December 5, 2018).

To find out what patch level you are running, open Settings and go to About Phone. If you're using Android Pie, that location changed to Settings | Security & Location | Security updated. Scroll down and tap the version of Android found on your device. The resulting window (Figure A) will reveal your security patch level.

SEE: Mobile device computing policy (Tech Pro Research)

Figure A

Terminology

You will find different types of vulnerabilities listed. Possible types include:

• RCE—Remote code execution
  EoP—Elevation of privilege
  ID—Information disclosure
  DoS—Denial of service

And now, onto the issues.

12/01/2018 Security Patch Level

Critical Issues

The Media Framework is the first area listed with Critical vulnerabilities. These flaws are marked as such because they could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

• CVE-2018-9549A-112160868 RCE
• CVE-2018-9550A-112660981 RCE
• CVE-2018-9551A-112891548 RCE
• CVE-2018-9552A-113260892 ID

The only other issues marked Critical are found in the System. These flaws are marked as such because they could enable a remote attacker, using a specially crafted attack, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

• CVE-2018-9555A-112321180 RCE
• CVE-2018-9556A-113118184 RCE

High Issues

We head to the Framework for the first round of issues marked High. These flaws are marked as such because they could enable a locally installed, malicious application to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

• CVE-2018-9547A-114223584 EoP
• CVE-2018-9548A-112555574 ID

We now head back to the Media Framework, to find three issues marked High. These flaws are marked as such because they could enable a remote attacker, using a specially crafted attack, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

• CVE-2018-9553A-116615297 RCE
• CVE-2018-9538 A-112181526 EoP
• CVE-2018-9554A-114770654 ID High

Our last collection of issues marked High are found in the System. These flaws are marked as such because they could enable a remote attacker, using a specially crafted attack, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

• CVE-2018-9557 A-35385357* EoP
• CVE-2018-9558A-112161557 EoP
• CVE-2018-9559A-112731440 EoP
• CVE-2018-9560A-79946737 EoP
• CVE-2018-9562A-113164621 ID
• CVE-2018-9566A-74249842 ID

SEE: Mobile app development policy (Tech Pro Research)

12/05/2018 Security Patch Level

Critical Issues

Surprisingly, only five critical flaws are found in this patch level. Not so surprising is that they all affect Qualcomm closed-source components. The details of these issues can be found in the Qualcomm security bulletin (which is quite lengthy). The related bugs (listed by CVE and Reference) are:

• CVE-2017-8248 A-78135902
• CVE-2017-11004 A-66913713
• CVE-2017-18141 A-67712316
• CVE-2018-5913 A-79419833
• CVE-2018-11279 A-109678200

High Issues

The first issue marked High is found in the System. This flaw is marked as such because it could lead to information disclosure, without requiring additional execution privileges. The related bug (listed by CVE, Reference, Type, and Component) is:

• CVE-2018-9565 A-16680558 ID OMA-DM

Another High issue was found in HTC Components. The flaw is marked as such because it could enable an attacker to bypass user interaction requirements to gain access to higher permissions. The related bug (listed by CVE, Reference, Type, and Component) is:

• CVE-2018-9567 A-65543936 EoP Bootloader

The Kernel was hit with two issues marked High. These are marked as such because they could enable an attacker to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, Type, and Component) are:

• CVE-2018-10840 A-116406508 EoP ext4 filesystem
• CVE-2018-9568 A-113509306 EoP network

Three open source Qualcomm components were found with issues marked High. The details for these flaws can be found in the Qualcomm Security Bulletin. The related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:

• CVE-2018-11960 A-114042002 QC-CR#2264832 HWEngines
• CVE-2018-11961 A-114040881 QC-CR#2261813 GPS_AP_LINUX
• CVE-2018-11963 A-114041685 QC-CR#2220770 Automotive Multimedia

Finally, the last group of issues marked High affect Qualcomm closed-source components. The details for these flaws can be found in the Qualcomm Security Bulletin. The related bugs (listed by CVE and Reference) are:

• CVE-2017-18319 A-78284753
• CVE-2017-18321 A-78283451
• CVE-2017-18322 A-78285196
• CVE-2017-18323 A-78284194
• CVE-2017-18324 A-78284517
• CVE-2017-18327 A-78240177
• CVE-2017-18331 A-78239686
• CVE-2017-18332 A-78284545
• CVE-2017-18160 A-109660689
• CVE-2017-18326 A-78240324
• CVE-2017-8276 A-68141338
• CVE-2017-18328 A-78286046
• CVE-2017-18329 A-73539037
• CVE-2017-18330 A-73539235
• CVE-2018-3595 A-71501115
• CVE-2017-18320 A-33757308
• CVE-2018-11999 A-74236942
• CVE-2018-5867 A-77485184
• CVE-2018-5868 A-77484529
• CVE-2018-5869 A-33385206
• CVE-2017-5754 A-79419639
• CVE-2018-5915 A-79420511
• CVE-2018-11267 A-109678338
• CVE-2018-11922 A-112279564

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates but that you apply them as soon as they are available.

Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Sign up today

Also see

• Android Security Bulletin November 2018: What you need to know (TechRepublic)
• Android Security Bulletin September 2018: What you need to know (TechRepublic)
• Android Security Bulletin August 2018: What you need to know (TechRepublic)
• Android Security Bulletin June 2018: What you need to know (TechRepublic)
• Man-in-the-disk attacks: A cheat sheet (TechRepublic)
• Most consumers have cyber security concerns, but a fraction take action (ZDNet)
• Your smartphone's security might be compromised from the moment of purchase (ZDNet)