Android Security Bulletin Feb 2019: What you need to know

The new year is already more than a month old. What does that mean for Android? Another year full of vulnerabilities and patches. This month there's a good mixture of issues marked Critical and High, and nothing should come as a surprise (as we've grown used to certain components being affected). Nonetheless, anyone with a mind for security will want to know what's happening to the Android platform—and the security bulletin du jour.

Before we dive into what's included with this month's Android Security Bulletin, it's always good to know what security release is installed on your device. To my surprise, my daily driver, a Pixel 3, is running a security patch that is one month out of date (Jane 5, 2018).

SEE: BYOD (bring-your-own-device) policy template download (Tech Pro Research)

To find out what patch level you are running, open Settings and go to About Phone. If you're using Android Pie, that location changed to Settings | Security & Location | Security updated. Scroll down and tap the version of Android found on your device. The resulting window (Figure A) will reveal your security patch level.

Figure A

Terminology

You will find different types of vulnerabilities listed. Possible types include:

• RCE—Remote code execution
• EoP—Elevation of privilege
• ID—Information disclosure
• DoS—Denial of service

And now, onto the issues.

02/01/2019 Security Patch Level

Critical Issues

There were five issues, marked Critical, for this patch level. The first three affected the Framework and were marked as such because it could enable a remote attacker, using a malicious PNG image file to execute arbitrary code within the context of a privileged process. Related bugs (listed by CVE, Reference, and Type) are:

• CVE-2019-1986A-117838472 RCE
• CVE-2019-1987A-118143775 RCE
• CVE-2019-1988A-118372692 RCE

The final two issues marked Critical are found in the System. These issues were marked as such because they could enable a remote attacker, using a malicious transmission, to execute arbitrary code within the context of a privileged process. Related bugs (listed by CVE, Reference, and Type) are:

• CVE-2019-1991A-110166268 RCE
• CVE-2019-1992A-116222069 RCE

High Issues

There are nine issues, marked High, for this patch level. The first three are found in the Library. These issues were marked as such because it could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of an unprivileged process. Related bugs (listed by CVE, Reference, and Type) are:

• CVE-2017-17760 A-78029030 RCE
• CVE-2018-5268 A-78029634 RCE
• CVE-2018-5269 A-78029727 RCE

The remaining six issues, marked High, are found in the System. These issues were marked as such because it could enable a remote attacker, using a malicious transmission, to execute arbitrary code within the context of a privileged process. Related bugs (listed by CVE, Reference, and Type) are:

• CVE-2019-1993A-119819889 EoP
• CVE-2019-1994A-117770924 EoP
• CVE-2019-1995A-32589229 ID
• CVE-2019-1996A-111451066 ID
• CVE-2019-1997A-117508900 ID
• CVE-2019-1998A-116055338 DoS

02/05/2019 Security Patch Level

Critical Issues

There were six issues, marked Critical for the 02/05/2019 patch level. The first issue is found in the NVIDIA components and was marked as such because it could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bug (listed by CVE, Reference, and Type) is:

• CVE-2018-6271 A-80198474 RCE

The next issue, marked Critical, was found in the Qualcomm open source components. The details for this issue are described in the appropriate Qualcomm security bulletin or security alert. The related bug (listed by CVE, Reference, Qualcomm Reference, and Component) is:

• CVE-2018-11262 A-76424945 QC-CR#2221192 bootloader

The remaining Critical issues were found in closed-source Qualcomm components. The details for this issue are described in the appropriate Qualcomm security bulletin or security alert. The related bugs (listed by CVE, Reference and Qualcomm Reference) are:

• CVE-2018-11289 A-109678453
• CVE-2018-11820 A-111089815
• CVE-2018-11938 A-112279482
• CVE-2018-11945 A-112278875

High Issues

There were 21 issues, marked High for the 02/05/2019 patch level. The first four were found in the kernel and marked as such because it could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. Related bugs (listed by CVE, Reference, Type, and Component) are:

• CVE-2018-10879 A-116406063 EoP ext4 filesystem
• CVE-2019-1999 A-120025196 EoP Binder driver
• CVE-2019-2000 A-120025789 EoP Binder driver
• CVE-2019-2001 A-117422211 ID iomem

The next three issues, marked high, were found in the NVIDIA components. These issues were marked as such because it could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs (listed by CVE, Reference, Type, and Component) are:

• CVE-2018-6267 A-70857947 EoP libnvomx
• CVE-2018-6268 A-80433161 EoP libnvomx
• CVE-2016-6684 A-117423758 ID kernel log

The next four issues, marked High, were found in Qualcomm open source components. The details for these issues are described in the appropriate Qualcomm security bulletin or security alert. The related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:

• CVE-2018-11280 A-109741776 QC-CR#2185061 Modem
• CVE-2018-11275 A-74409078 QC-CR#2221256 Bootloader
• CVE-2018-13900 A-119052051 QC-CR#2287499 Modem
• CVE-2018-13905 A-119052050 QC-CR#2225202 Graphics

The remaining High issues were found in closed-source Qualcomm components. The details for these issue are described in the appropriate Qualcomm security bulletin or security alert. The related bugs (listed by CVE, Reference and Qualcomm Reference) are:

• CVE-2018-11268 A-109678259
• CVE-2018-11845 A-111088838
• CVE-2018-11864 A-111092944
• CVE-2018-11921 A-112278972
• CVE-2018-11931 A-112279521
• CVE-2018-11932 A-112279426
• CVE-2018-11935 A-112279483
• CVE-2018-11948 A-112279144
• CVE-2018-5839 A-112279544
• CVE-2018-13904 A-119050566

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates but that you apply them as soon as they are available.

Mobile Enterprise Newsletter

BYOD, wearables, IoT, mobile security, remote support, and the latest phones, tablets, and apps IT pros need to know about are some of the topics we'll address. Delivered Tuesdays and Fridays

Sign up today

Also see

• Android Security Bulletin December 2018: What you need to know (TechRepublic)
• Android Security Bulletin November 2018: What you need to know (TechRepublic)
• Android Security Bulletin September 2018: What you need to know (TechRepublic)
• Android Security Bulletin August 2018: What you need to know (TechRepublic)
• WiFi firmware bug affects laptops, smartphones, routers, gaming devices (ZDNet)
• The 10 best smartphones of 2018 (ZDNet)
• Best mobile VPN services for 2018 (CNET)