Android Security Bulletin November 2018: What you need to know

The holiday season is upon us, and Android is no stranger to giving gifts. So how about a few vulnerabilities to celebrate a holiday or two? This time around, the Android Security Bulletin brings little in the way of surprises, with the Media Framework handing out a few Critical flaws. However, the number of vulnerabilities isn't nearly as bad as previous months. Let's talk about the vulnerabilities found on the latest Android Security patches.

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device. To no surprise, my daily driver, a Pixel 3, is running the a security patch that is up to date (November 5, 2018).

To find out what patch level you are running, open Settings and go to About Phone. If you're using Android Pie, that location changed to Settings | Security & Location | Security updated. Scroll down and tap the version of Android found on your device. The resulting window (Figure A) will reveal your security patch level.

Figure A

Terminology

You will find different types of vulnerabilities listed. Possible types include:

• RCE--Remote code execution
• EoP--Elevation of privilege
• ID--Information disclosure
• DoS--Denial of service

And now, onto the issues.

11/01/2018 Security Patch Level

Critical Issues

There were only four issues marked Critical in the November 1 patch level. Each of these issues were labeled as such, as they could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, and Type):

• CVE-2018-9527A-112159345 RCE
• CVE-2018-9531A-112661641 RCE
• CVE-2018-9536A-112662184 EoP
• CVE-2018-9537A-112891564 EoP

High Issues

The first batch of issues marked High, hit the Framework. Each of these vulnerabilities could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, and Type):

• CVE-2018-9522A-112550251 EoP
• CVE-2018-9524A-34170870 EoP
• CVE-2018-9525A-111330641 EoP

The next section of issues marked High were found in the Media Framework. These vulnerabilities could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, and Type):

• CVE-2018-9521A-111874331 RCE
• CVE-2018-9539A-113027383 EoP

Finally, there were five issues marked High in the System. These vulnerabilities could give a remote attacker access to data that should only be accessible to locally installed applications. The related bugs are (listed by CVE, Reference, and Type):

• CVE-2018-9540A-111450417 ID
• CVE-2018-9542A-111896861 ID
• CVE-2018-9543A-112868088 ID
• CVE-2018-9544A-113037220 ID
• CVE-2018-9545A-113111784 ID

11/05/2018 Security Patch Level

Critical Issues

The only issues marked Critical were found in Qualcomm closed-source components. These vulnerabilities are only detailed in the related Qualcomm AMSS security bulletin/alert. The related bugs are (listed by CVE and Reference):

• CVE-2017-18317 A-78244877
• CVE-2018-5912 A-79420111
• CVE-2018-11264 A-109677962

High Issues

The first group of issues marked High were found in the Framework. These issues could enable a locally-installed malicious application to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, and Type):

• CVE-2018-9523A-112859604 EoP
• CVE-2018-9526A-112159033 [2] [3] ID

The next group of issues marked High were found in Qualcomm open-sourced components. These vulnerabilities could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, Qualcomm Reference, and Component):

• CVE-2017-15818 A-68992408 QC-CR#2078580 EcoSystem
• CVE-2018-11995 A-71501677 QC-CR#2129639 Bootloader
• CVE-2018-11905 A-112277889 QC-CR#2090797 DSP_Services

Finally, a number of Qualcomm closed-source components were found to include a number of issues marked High. These vulnerabilities are only detailed in the related Qualcomm AMSS security bulletin/alert. The related bugs are (listed by CVE and Reference):

• CVE-2016-10502 A-68326808*
• CVE-2017-18316 A-78240714*
• CVE-2017-18318 A-78240675*
• CVE-2017-18315 A-78241957*
• CVE-2018-11994 A-72950294*
• CVE-2018-11996 A-74235967*
• CVE-2018-5870 A-77484722*
• CVE-2018-5877 A-77484786*
• CVE-2018-5916 A-79420492*
• CVE-2018-5917 A-79420096*
• CVE-2018-11269 A-109678529*

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

Also See

• Android Security Bulletin September 2018: What you need to know (TechRepublic)
• Android Security Bulletin August 2018: What you need to know (TechRepublic)
• Android Security Bulletin June 2018: What you need to know (TechRepublic)
• Android Security Bulletin April 2018: What you need to know (TechRepublic)
• Man-in-the-disk attacks: A cheat sheet (TechRepublic)
• The 10 best smartphones of 2018 (ZDNet)