Android Security Bulletin June 2019: What you need to know

Another month is here, and Android finds itself with a mixture of critical and high vulnerabilities.


Jack Wallen

This month's Android Security Bulletin will seem a bit lean, compared to previous months. That's good news, as it means fewer issues were discovered. So give your security-minded brain a rest and take in the scant-few Critical and High vulnerabilities in the June Security Bulletin.

Before we dive into what's included with this month's Android Security Bulletin, it's always good to know what security release is installed on your device. As I've been testing the waters of the Android Q Beta 4 (not recommended for use by the general public), it should come as no surprise that my daily driver, a Pixel 3, is running a current security patch (June 5, 2018).


To find out what patch level you are running, open Settings and go to Security. Under Security update you'll find your security patch level (Figure A).


Figure A: The Pixel 3 running the June 5 patch level
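The same check can be scripted over adb for several devices at once. The script below is an added example, not part of the original article: it assumes adb is installed and devices are attached, and the function names are illustrative. It maps each device's reported patch level onto the two levels this bulletin describes.

```shell
#!/bin/sh
# Patch levels covered by the June 2019 bulletin, as described in the article.
PARTIAL_LEVEL="2019-06-01"   # Framework, Media Framework and System fixes
FULL_LEVEL="2019-06-05"      # adds the Kernel and Qualcomm component fixes

# classify_patch_level YYYY-MM-DD
# Prints one of: full | partial | outdated | invalid
classify_patch_level() {
    # adb shell output can end in a carriage return; drop it first.
    level=$(printf '%s' "$1" | tr -d '\r')
    # Format check only (not calendar validation).
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed.
    n=$(printf '%s' "$level" | sed 's/-//g')
    full=$(printf '%s' "$FULL_LEVEL" | sed 's/-//g')
    partial=$(printf '%s' "$PARTIAL_LEVEL" | sed 's/-//g')
    if [ "$n" -ge "$full" ]; then
        echo full
    elif [ "$n" -ge "$partial" ]; then
        echo partial
    else
        echo outdated
    fi
}

# audit_devices: report serial, patch level and status for each attached device.
audit_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops adb from swallowing the rest of the serial list.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null)
        printf '%s\t%s\t%s\n' "$serial" "$level" "$(classify_patch_level "$level")"
    done
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_devices
fi
```

A device reported as "partial" has the 06/01 fixes but not the Kernel and Qualcomm fixes listed under 06/05.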

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

And now, onto the issues.

06/01/2019 Patch level

Surprisingly enough, there were very few vulnerabilities found in this particular patch level. Of those found, only four were marked as critical.

Critical flaws

The first three Critical vulnerabilities were found in the Media Framework. These were marked as Critical as they could enable a locally installed malicious application to bypass user interaction requirements in order to gain access to additional permissions. The related bugs (listed by CVE, Reference, and Type) are:

  • CVE-2019-2093 A-119292397 RCE
  • CVE-2019-2094 A-129068792 RCE
  • CVE-2019-2095 A-124232283 RCE

The final Critical vulnerability was found in the System. This was marked as Critical as it could enable a remote attacker using a malicious Proxy Auto Config (PAC) file to execute arbitrary code within the context of a privileged process. The related bug (listed by CVE, Reference, and Type) is:

  • CVE-2019-2097 A-117606285 RCE

High flaws

There were three vulnerabilities, marked High, found in the Framework. These were marked as High as they could enable a locally installed malicious application to bypass user interaction requirements in order to gain access to additional permissions. The related bugs (listed by CVE, Reference, and Type) are:

  • CVE-2019-2090 A-128599183 EoP
  • CVE-2019-2091 A-128599660 EoP
  • CVE-2019-2092 A-128599668 EoP

The Media Framework was found to contain a single vulnerability marked High. This issue was marked as such as it could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bug (listed by CVE, Reference, and Type) is:

  • CVE-2019-2096 A-123237974 EoP

The System contains three vulnerabilities marked High. These were labeled as such because they could enable a remote attacker, using a malicious PAC file, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

  • CVE-2019-2102 A-128843052 EoP
  • CVE-2019-2098 A-128599467 EoP
  • CVE-2019-2099 A-123583388 EoP

06/05/2019 Patch level

Critical flaws

There were four total vulnerabilities marked Critical for the June 5 patch level. All four of these vulnerabilities were found in Qualcomm components. The first two were found in open source components and are described in detail in the appropriate Qualcomm security bulletin. The related bugs are (listed by CVE, Reference, Qualcomm Reference, and Component):

The next two Critical vulnerabilities were found in Qualcomm closed source components. Again, these issues are described in detail in the appropriate Qualcomm security bulletin. The related bugs (listed by CVE and Reference) are:

  • CVE-2018-13924 A-120486477
  • CVE-2018-13927 A-120485121

High flaws

There were seven total vulnerabilities marked High for the June 5 patch level. The first of these issues was found in the Framework and was marked as such because it could lead to remote information disclosure with no additional execution privileges needed. The related bug (listed by CVE, Reference, and Type) is:

  • CVE-2018-9526 A-112159033 ID

The next High vulnerability was found in a component of the Kernel and was marked as such because it could enable a locally-installed malicious application to bypass operating system protections that isolate application data from other applications. The related bug (listed by CVE, Reference, Type, and Component) is:

  • CVE-2019-2101 A-111760968 ID UVC driver

The next two vulnerabilities marked High were found in Qualcomm open sourced components. These issues are described in detail in the appropriate Qualcomm security bulletin. The related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:

Finally, the last two vulnerabilities marked High were found in Qualcomm closed source components. Details about these issues can be found in the appropriate Qualcomm security bulletin. The related bugs (listed by CVE and Reference) are:

  • CVE-2018-13896 A-120487163
  • CVE-2019-2243 A-122473494
  • CVE-2019-2261 A-123998003

Upgrade and update

The developers will work diligently to patch vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates but also apply them as soon as they become available.


By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.