Android Security Bulletin March 2019: What you need to know

Another month is here and Android finds itself with a mixture of Critical and High vulnerabilities.

Image: Jack Wallen

The latest Android Security Bulletin brings to us yet another mixture of vulnerabilities marked Critical and High. This time around the System was the biggest winner, with sixteen issues, marked High. If you are of a mind for security you will certainly want to know what's happening to the Android platform—and the March Security Bulletin.

Before we dive into what's included with this month's Android Security Bulletin, it's always good to know what security release is installed on your device. As I've been testing the waters of the Android Q Beta (not recommended to be used by the general public), it should come as no surprise that my daily driver, a Pixel 3, is running a current security patch (March 5, 2018).

SEE: BYOD (bring-your-own-device) policy (Tech Pro Research)

To find out what patch level you are running, open Settings and go to About Phone. If you use Android Pie, that location changed to Settings | Security & Location | Security updated. Scroll down and tap the version of Android found on your device. The resulting window (Figure A) will reveal your security patch level.

Figure A

Figure A: Android's beta version of Q is all caught up.

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

And now, onto the issues.

03/01/2019 Security Patch Level

Critical Issues

There are only three critical issues found in this month's bulletin. The first two were found in the Media Framework, and are marked Critical because they could enable a remote attacker, using a malicious file, to launch arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

The only other Critical issue for the 03/01 security patch level was found in the System. This flaw was marked critical because it could enable a remote attacker, using a malicious transmission, to execute arbitrary code within the context of a privileged process. The related bug (listed by CVE, Reference, and Type) is:

High Issues

We go back to the Framework for four issues marked High. These vulnerabilities were marked as such because they could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

Next, we find three High issues found in the Media Framework. These vulnerabilities are marked as such because they could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

The System was hit pretty hard this month, with a total of sixteen vulnerabilities marked High. These issues were listed as such because they could enable a remote attacker, using a malicious transmission, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:

03/05/2019 Security Patch Level

Critical Issues

There were only four issues marked Critical in this patch level. All four issues were found in Qualcomm open-sourced components. Details for these issues can be found in the Qualcomm Security Bulletin. Related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:

High Issues

This patch level had only six issues marked High. The first vulnerability, marked High, was found in the System, and was marked as such because it could enable a locally installed malicious application to execute arbitrary code within the context of a privileged application. The related bug (listed by CVE, Reference, and Type) is:

Next, we find three issues marked High in various Kernel components. These vulnerabilities were marked as such because they could enable a local attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, Type, and Component) are:

  • CVE-2018-10883 A-117311198 EoP ext4 filesystem
  • CVE-2019-2024 A-111761954 EoP em28xx driver
  • CVE-2019-2025 A-116855682 EoP Binder driver

Finally, there were two issues, marked High, found in the Qualcomm open-sourced components.

Details for these issues can be found in the Qualcomm Security Bulletin. Related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates but that you apply them as soon as they become available.

Also see