Security

Android Security Bulletin November 2018: What you need to know

Another month where Android finds itself with a mixture of Critical and High vulnerabilities. Jack Wallen offers highlights.

Image: Jack Wallen

The holiday season is upon us, and Android is no stranger to giving gifts. So how about a few vulnerabilities to celebrate a holiday or two? This time around, the Android Security Bulletin brings little in the way of surprises, with the Media Framework handing out a few Critical flaws. However, the number of vulnerabilities isn't nearly as bad as previous months. Let's talk about the vulnerabilities found on the latest Android Security patches.

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device. To no surprise, my daily driver, a Pixel 3, is running the a security patch that is up to date (November 5, 2018).

To find out what patch level you are running, open Settings and go to About Phone. If you're using Android Pie, that location changed to Settings | Security & Location | Security updated. Scroll down and tap the version of Android found on your device. The resulting window (Figure A) will reveal your security patch level.

Figure A

Figure A

Pixel 3 and the November 5 security patch level.

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

And now, onto the issues.

11/01/2018 Security Patch Level

Critical Issues

There were only four issues marked Critical in the November 1 patch level. Each of these issues were labeled as such, as they could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, and Type):

High Issues

The first batch of issues marked High, hit the Framework. Each of these vulnerabilities could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, and Type):

The next section of issues marked High were found in the Media Framework. These vulnerabilities could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, and Type):

Finally, there were five issues marked High in the System. These vulnerabilities could give a remote attacker access to data that should only be accessible to locally installed applications. The related bugs are (listed by CVE, Reference, and Type):

11/05/2018 Security Patch Level

Critical Issues

The only issues marked Critical were found in Qualcomm closed-source components. These vulnerabilities are only detailed in the related Qualcomm AMSS security bulletin/alert. The related bugs are (listed by CVE and Reference):

  • CVE-2017-18317 A-78244877
  • CVE-2018-5912 A-79420111
  • CVE-2018-11264 A-109677962

High Issues

The first group of issues marked High were found in the Framework. These issues could enable a locally-installed malicious application to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, and Type):

The next group of issues marked High were found in Qualcomm open-sourced components. These vulnerabilities could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, Qualcomm Reference, and Component):

Finally, a number of Qualcomm closed-source components were found to include a number of issues marked High. These vulnerabilities are only detailed in the related Qualcomm AMSS security bulletin/alert. The related bugs are (listed by CVE and Reference):

  • CVE-2016-10502 A-68326808*
  • CVE-2017-18316 A-78240714*
  • CVE-2017-18318 A-78240675*
  • CVE-2017-18315 A-78241957*
  • CVE-2018-11994 A-72950294*
  • CVE-2018-11996 A-74235967*
  • CVE-2018-5870 A-77484722*
  • CVE-2018-5877 A-77484786*
  • CVE-2018-5916 A-79420492*
  • CVE-2018-5917 A-79420096*
  • CVE-2018-11269 A-109678529*

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

Also See

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox