
Android Security Bulletin December 2018: What you need to know

Another month where Android finds itself with a mixture of Critical and High vulnerabilities. Jack Wallen offers highlights.

Image: Jack Wallen

Before we dive into what's included with this month's Android Security Bulletin, it's always good to know what security release is installed on your device. To no surprise, my daily driver, a Pixel 3, is running a security patch that is up to date (December 5, 2018).

To find out what patch level you are running, open Settings and go to About Phone. If you're using Android Pie, that location changed to Settings | Security & Location | Security update. Scroll down and tap the version of Android found on your device. The resulting window (Figure A) will reveal your security patch level.


Figure A: The December 5 security patch on a Pixel 3.

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

And now, onto the issues.

12/01/2018 Security Patch Level

Critical Issues

The Media Framework is the first area listed with Critical vulnerabilities. These flaws are marked as such because they could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

The only other issues marked Critical are found in the System. These flaws are marked as such because they could enable a remote attacker, using a specially crafted attack, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

High Issues

We head to the Framework for the first round of issues marked High. These flaws are marked as such because they could enable a locally installed, malicious application to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

We now head back to the Media Framework, to find three issues marked High. These flaws are marked as such because they could enable a remote attacker, using a specially crafted attack, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

Our last collection of issues marked High are found in the System. These flaws are marked as such because they could enable a remote attacker, using a specially crafted attack, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:


12/05/2018 Security Patch Level

Critical Issues

Surprisingly, only five critical flaws are found in this patch level. Not so surprising is that they all affect Qualcomm closed-source components. The details of these issues can be found in the Qualcomm security bulletin (which is quite lengthy). The related bugs (listed by CVE and Reference) are:

  • CVE-2017-8248 A-78135902
  • CVE-2017-11004 A-66913713
  • CVE-2017-18141 A-67712316
  • CVE-2018-5913 A-79419833
  • CVE-2018-11279 A-109678200

High Issues

The first issue marked High is found in the System. This flaw is marked as such because it could lead to information disclosure, without requiring additional execution privileges. The related bug (listed by CVE, Reference, Type, and Component) is:

  • CVE-2018-9565 A-16680558 ID OMA-DM

Another High issue was found in HTC Components. The flaw is marked as such because it could enable an attacker to bypass user interaction requirements to gain access to higher permissions. The related bug (listed by CVE, Reference, Type, and Component) is:

  • CVE-2018-9567 A-65543936 EoP Bootloader

The Kernel was hit with two issues marked High. These are marked as such because they could enable an attacker to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, Type, and Component) are:

  • CVE-2018-10840 A-116406508 EoP ext4 filesystem
  • CVE-2018-9568 A-113509306 EoP network

Three open source Qualcomm components were found with issues marked High. The details for these flaws can be found in the Qualcomm Security Bulletin. The related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:

Finally, the last group of issues marked High affect Qualcomm closed-source components. The details for these flaws can be found in the Qualcomm Security Bulletin. The related bugs (listed by CVE and Reference) are:

  • CVE-2017-18319 A-78284753
  • CVE-2017-18321 A-78283451
  • CVE-2017-18322 A-78285196
  • CVE-2017-18323 A-78284194
  • CVE-2017-18324 A-78284517
  • CVE-2017-18327 A-78240177
  • CVE-2017-18331 A-78239686
  • CVE-2017-18332 A-78284545
  • CVE-2017-18160 A-109660689
  • CVE-2017-18326 A-78240324
  • CVE-2017-8276 A-68141338
  • CVE-2017-18328 A-78286046
  • CVE-2017-18329 A-73539037
  • CVE-2017-18330 A-73539235
  • CVE-2018-3595 A-71501115
  • CVE-2017-18320 A-33757308
  • CVE-2018-11999 A-74236942
  • CVE-2018-5867 A-77485184
  • CVE-2018-5868 A-77484529
  • CVE-2018-5869 A-33385206
  • CVE-2017-5754 A-79419639
  • CVE-2018-5915 A-79420511
  • CVE-2018-11267 A-109678338
  • CVE-2018-11922 A-112279564

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates but that you apply them as soon as they are available.
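The Settings screen described at the top of this article is fine for one phone, but a fleet needs the same check scripted. The following shell script is an added example, not code from the article or from Google: it reads the patch level and classifies it against the two levels this bulletin publishes (12/01 covers the Framework, Media Framework and System fixes; 12/05 adds the Kernel, HTC and Qualcomm fixes). The property `ro.build.version.security_patch` is the real system property behind that Settings screen, and `adb` is assumed to be on the path when a device is attached; the fallback value the script uses without a device is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the article: classify an Android device's
# security patch level against the December 2018 bulletin.
# ro.build.version.security_patch holds the level as YYYY-MM-DD.

# Patch levels named in the December 2018 bulletin.
BULLETIN_PARTIAL="2018-12-01"   # Framework, Media Framework, System fixes
BULLETIN_FULL="2018-12-05"      # adds the Kernel, HTC and Qualcomm fixes

# validate_patch_level LEVEL: succeed only for a well-formed YYYY-MM-DD string.
validate_patch_level() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# as_number LEVEL: turn 2018-12-05 into 20181205 so levels compare with -ge.
as_number() {
  printf '%s' "$1" | tr -d '-'
}

# classify_patch_level LEVEL: print full, partial, outdated or invalid.
#   full     - at or beyond 2018-12-05: every issue in this bulletin is fixed
#   partial  - 2018-12-01 through 2018-12-04: framework-level fixes only; the
#              Kernel, HTC and Qualcomm fixes from the 12/05 level are missing
#   outdated - older than 2018-12-01
classify_patch_level() {
  level="$1"
  if ! validate_patch_level "$level"; then
    echo "invalid"
    return 0
  fi
  n=$(as_number "$level")
  if [ "$n" -ge "$(as_number "$BULLETIN_FULL")" ]; then
    echo "full"
  elif [ "$n" -ge "$(as_number "$BULLETIN_PARTIAL")" ]; then
    echo "partial"
  else
    echo "outdated"
  fi
}

# device_patch_level: read the live value over adb when a device is attached.
# Falls back to a constructed sample so the script also runs with no device.
device_patch_level() {
  if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
  else
    echo "2018-11-05"   # constructed sample value, not a real reading
  fi
}

level=$(device_patch_level)
printf 'security patch level %s: %s\n' "$level" "$(classify_patch_level "$level")"
```

Because the bulletin's levels are ISO dates, stripping the hyphens and comparing numerically is enough; no date arithmetic is needed. A device reporting 2018-12-01 is "partial": it has the framework fixes but none of the Qualcomm or kernel fixes listed under the 12/05 level, which is exactly the gap to flag when you audit a fleet.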


About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
