Google has released the April edition of its monthly Android security updates, including fixes for three remote-code execution vulnerabilities in the mobile OS.
This month's batch – now out for Google-branded devices, at least: other Android device manufacturers and carriers push out updates on on their own – includes one batch of fixes for 11 CVE-listed vulnerabilities that everyone should apply, and a second batch for 44 flaws, that should be applied depending on your device's hardware and OS.
Generally speaking, all the updates should be installed as soon as possible, where necessary: some or all may be applied automatically via Google Play services, depending on your device, and some may be pushed to you in the form of an update from your gadget's carrier or manufacturer, and some may not be needed. And some unlucky devices may never see the updates at all. As usual, Android includes some defenses to thwart exploits, so patch if you can before miscreants find ways to leverage the bugs.
Of those 11 in the first patch batch, two are listed as critical fixes for remote code execution vulnerabilities. Both CVE-2019-2027 and CVE-2019-2028 are found in the seemingly endlessly problematic Android media framework and, if exploited by tricking someone into opening a dodgy message or video or what have you, would allow an attacker to execute malicious code with privileged process clearance on the victim's phone or gizmo.
The other nine flaws addressed by this base set of patches include one elevation-of-privilege flaw in the Android media framework that can be exploited by an rogue installed app, and eight flaws in the Android System - five elevation-of-privilege bugs, and three allowing unwanted information disclosure. All eight can be exploited by installed applications, such as dodgy apps or ones with malicious updates pushed to them. All nine of these vulnerabilities were classified as "high" security risks.
The second batch of updates from Google contains the third critical fix. That bug, CVE-2019-2029, is a remote-code execution flaw in the System component that can be exploited by getting a victim to open a specially crafted file. Also patched in System are two elevation-of-privilege flaws (CVE-2019-2032, CVE-2019-2041) and one information-leaking blunder (CVE-2019-2037).
Hey, what's Mandarin for 'WTF is going on?' Nokia phones caught spewing device IDs to ChinaREAD MORE
April's second batch includes in a fat set of bug fixes for open and closed-source Qualcomm drivers. Of those open-source component patches, one concerns a remote-code-execution flaw in WLAN Host that's a classic buffer-overflow screw-up. Of the other 29 open-source Qualcomm driver fixes, all but one are in WLAN Host, with the lone outlier being a high-level flaw in the Linux kernel. The closed-source fixes have no details associated with them.
The update comes eight days before Android, Adobe and SAP are due to deliver their own security fixes. It is hoped that among Microsoft's patch load will be a fix for an information disclosure flaw in IE and Edge that has reportedly gone unpatched for roughly 10 months.
James Lee, the researcher who discovered the flaw said that for the better part of a year he has been working with browser vendors to get the bug fixed, but with Redmond dragging its feet on a patch, he has decided to drop the flaw as a zero-day.
Meanwhile, Google has stopped selling the Pixel 2 and 2XL on its store. ®