The new year is already more than a month old. What does that mean for Android? Another year full of vulnerabilities and patches. This month there’s a good mixture of issues marked Critical and High, and nothing should come as a surprise (as we’ve grown used to certain components being affected). Nonetheless, anyone with a mind for security will want to know what’s happening to the Android platform–and the security bulletin du jour.

Before we dive into what’s included with this month’s Android Security Bulletin, it’s always good to know what security release is installed on your device. To my surprise, my daily driver, a Pixel 3, is running a security patch that is one month out of date (Jan 5, 2018).

SEE: BYOD (bring-your-own-device) policy template download (Tech Pro Research)

To find out what patch level you are running, open Settings and go to About Phone. If you’re using Android Pie, that location changed to Settings | Security & Location | Security updated. Scroll down and tap the version of Android found on your device. The resulting window (Figure A) will reveal your security patch level.

Figure A

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE–Remote code execution
  • EoP–Elevation of privilege
  • ID–Information disclosure
  • DoS–Denial of service

And now, onto the issues.

02/01/2019 Security Patch Level

Critical Issues

There were five issues, marked Critical, for this patch level. The first three affected the Framework and were marked as such because it could enable a remote attacker, using a malicious PNG image file to execute arbitrary code within the context of a privileged process. Related bugs (listed by CVE, Reference, and Type) are:

The final two issues marked Critical are found in the System. These issues were marked as such because they could enable a remote attacker, using a malicious transmission, to execute arbitrary code within the context of a privileged process. Related bugs (listed by CVE, Reference, and Type) are:

High Issues

There are nine issues, marked High, for this patch level. The first three are found in the Library. These issues were marked as such because it could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of an unprivileged process. Related bugs (listed by CVE, Reference, and Type) are:

  • CVE-2017-17760 A-78029030 RCE
  • CVE-2018-5268 A-78029634 RCE
  • CVE-2018-5269 A-78029727 RCE

The remaining six issues, marked High, are found in the System. These issues were marked as such because it could enable a remote attacker, using a malicious transmission, to execute arbitrary code within the context of a privileged process. Related bugs (listed by CVE, Reference, and Type) are:

02/05/2019 Security Patch Level

Critical Issues

There were six issues, marked Critical for the 02/05/2019 patch level. The first issue is found in the NVIDIA components and was marked as such because it could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bug (listed by CVE, Reference, and Type) is:

  • CVE-2018-6271 A-80198474 RCE

The next issue, marked Critical, was found in the Qualcomm open source components. The details for this issue are described in the appropriate Qualcomm security bulletin or security alert. The related bug (listed by CVE, Reference, Qualcomm Reference, and Component) is:

The remaining Critical issues were found in closed-source Qualcomm components. The details for this issue are described in the appropriate Qualcomm security bulletin or security alert. The related bugs (listed by CVE, Reference and Qualcomm Reference) are:

  • CVE-2018-11289 A-109678453
  • CVE-2018-11820 A-111089815
  • CVE-2018-11938 A-112279482
  • CVE-2018-11945 A-112278875

High Issues

There were 21 issues, marked High for the 02/05/2019 patch level. The first four were found in the kernel and marked as such because it could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. Related bugs (listed by CVE, Reference, Type, and Component) are:

  • CVE-2018-10879 A-116406063 EoP ext4 filesystem
  • CVE-2019-1999 A-120025196 EoP Binder driver
  • CVE-2019-2000 A-120025789 EoP Binder driver
  • CVE-2019-2001 A-117422211 ID iomem

The next three issues, marked high, were found in the NVIDIA components. These issues were marked as such because it could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs (listed by CVE, Reference, Type, and Component) are:

  • CVE-2018-6267 A-70857947 EoP libnvomx
  • CVE-2018-6268 A-80433161 EoP libnvomx
  • CVE-2016-6684 A-117423758 ID kernel log

The next four issues, marked High, were found in Qualcomm open source components. The details for these issues are described in the appropriate Qualcomm security bulletin or security alert. The related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:

The remaining High issues were found in closed-source Qualcomm components. The details for these issue are described in the appropriate Qualcomm security bulletin or security alert. The related bugs (listed by CVE, Reference and Qualcomm Reference) are:

  • CVE-2018-11268 A-109678259
  • CVE-2018-11845 A-111088838
  • CVE-2018-11864 A-111092944
  • CVE-2018-11921 A-112278972
  • CVE-2018-11931 A-112279521
  • CVE-2018-11932 A-112279426
  • CVE-2018-11935 A-112279483
  • CVE-2018-11948 A-112279144
  • CVE-2018-5839 A-112279544
  • CVE-2018-13904 A-119050566

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates but that you apply them as soon as they are available.