With only four vulnerabilities marked Critical, the Android security bulletin has started to lose significant weight. That doesn’t mean it should be ignored, as there are still a number of issues marked High. But given the Critical issues continue to shrink, a conclusion could be drawn that the later iterations of the platform are finally enjoying a much-needed bump in security.

Let’s take a look at the issues marked Critical and High for Februrary.

Before we dive into what’s included with this month’s bulletin, it’s always good to know what security release is installed on your device. To no surprise, my daily driver, an Essential PH-1, is running the latest security patch (February 5, 2018). To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).

Figure A

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE–Remote code execution
  • EoP–Elevation of privilege
  • ID–Information disclosure
  • DoS–Denial of service

2018-02-01 security patch level

Critical Issues

There are two issues marked Critical for February 01, both of which are of type RCE. These issues are both attached to the Media Framework and could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs are:

High Issues

There are five issues, marked High, to be found in the February 01 patch level. All five issues are related to the Media Framework and, like the Critical Issues, could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs are:

2018-02-05 security patch level

Critical Issues

The two remaining Critical issues for February are both centered around Qualcomm components (specifically WLan). Both Critial issues are type RCE and could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs are:

High Issues

Every single one of the High issues are of type EoP. The first set effect the Kernel and could enable a local malicious application to execute arbitrary code within the context of a privileged process. The related bugs are:

  • A-67900971 (Alsa component)
  • CVE-2015-9016 (Multi-queue block IO)
  • CVE-2017-13273 (Kernel)

Next we have NVIDIA components. Each of these vulnerabilities effect the Media framework and could enable a local malicious application to execute arbitrary code within the context of a privileged process. Related bugs are:

  • CVE-2017-6279
  • CVE-2017-6258

We’re back to Qualcomm components, which make up the bulk of the issues marked as High. Each of these issues could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs are:

The above issues are open source. There is one closed source Qualcomm component that has been affected by an issue marked High. This vulnerability is described in the Qualcomm AMSS security bulletin. That particular issue is A-62212114.

That’s it for the critical and high vulnerabilities found in the latest security patches for Android.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.